PRESENTED BY
PAUL R. HALES, J.D.
HIPAA
BUSINESS ASSOCIATE
COMPLIANCE
EDUCATIONAL WEBINAR
1
www.thehipaaetool.com Protecting Patient Privacy is our Job® © 2023 ET&C Group LLC
HIPAA Business Associate Compliance
What Are We Going to Cover?
HIPAA – Health Insurance Portability and Accountability Act
Alert – Important New Business Associate HIPAA Enforcement
HIPAA and Business Associates
Covered Entities & Business Associates
Entangled Responsibilities – Chain of Trust
Business Associate Agreements – Agency – Due Diligence
Business Associate Compliance
HIPAA Privacy, Breach Notification and Security Rules
Your Organization’s HIPAA Compliance Program
Health Insurance Portability and Accountability Act of 1996
Definitions
Covered Entity
Health Care Provider – Health Plan – Health Care Clearinghouse
Business Associate
On behalf of a Covered Entity
• Creates, Receives, Maintains or Transmits Protected Health Information
(PHI) for a function or activity regulated by the HIPAA Rules
• Provides Services involving disclosure of PHI from a Covered Entity or
from another Business Associate
Subcontractor Business Associate
On behalf of a Business Associate
• Creates, Receives, Maintains or Transmits PHI for a function or activity
regulated by the HIPAA Rules
June 28, 2023 – OCR Press Release – iHealth Solutions BA Investigation
iHealth Solutions Resolution Agreement and Corrective Action Plan
July 5, 2023 – Blog – Lessons – OCR & iHealth Solutions
Risk Analysis and HIPAA Training
February 27, 2023 – HHS Announcement
HHS Announces New Divisions Within the Office for Civil Rights to
Better Address Growing Need of Enforcement in Recent Years
OCR statement about iHealth Solutions & Business Associates
“HIPAA business associates must protect the privacy and security of the
health information they are entrusted with by HIPAA covered entities,”
said OCR Director Melanie Fontes Rainer.
iHealth Solutions Corrective Action Plan (CAP)
• Risk Analysis and Risk Management
• HIPAA Policies and Procedures including management of identified Risks
• Privacy Rule
• Security Rule
• Breach Notification Rule
• Workforce Training – Privacy, Security & Breach Notification Policies &
Procedures
• Owner or Officer Attestation verifying compliance with CAP
Brief Background – HIPAA Rules & Business Associates
How and When Business Associates became liable for HIPAA Compliance
1996 HIPAA – Privacy & Security subtitle applies only to Covered Entities
2003 Privacy Rule – Makeshift Fix – Before disclosing PHI a Covered
Entity must contract with BA requiring BA to safeguard PHI
2005 Security Rule – also requires CE contract with BA to safeguard ePHI
2009 HITECH Act – Congress amends and strengthens HIPAA statute;
Breach Notification Rule – New
2013 Emphasis on Enforcement – BAs now directly liable;
Modifications including direct BA compliance finalized to
Privacy – Security – Breach Notification – Enforcement Rules
Brief Background – HIPAA Rules & Business Associates
2013 Security and Privacy Rule Modifications
HIPAA Security Rule
A Covered Entity or Business Associate must identify the Security Official to
develop and implement policies and procedures required by the Security Rule
for the Covered Entity or Business Associate
45 CFR § 164.308(a)(2)
HIPAA Privacy Rule
A Covered Entity must designate a Privacy Official to develop and implement
the policies and procedures to comply with the Privacy and Breach
Notification Rules
45 CFR 164.530(a)(1)(i)
45 CFR 164.530(i)(1)
Brief Background – HIPAA Rules & Business Associates
2013 Security and Privacy Rule Modifications
Note:
A Covered Entity must:
• identify a Security Official to develop and implement its Security Rule
Policies and Procedures and
• designate a Privacy Official to develop and implement its Privacy and Breach
Notification Rule Policies and Procedures.
However,
Business Associates have no specially named official to develop and
implement their Privacy and Breach Notification Rule Policies and Procedures.
Confusion – Omissions – Violations
Brief Background – HIPAA Rules & Business Associates
2013 Security and Privacy Rule Modifications
2013 OCR Guidance – 78 FR 5598, Jan. 25, 2013
Business Associates are directly liable under the HIPAA Rules for a failure
to provide breach notification to the covered entity
Breach Notification Rule
Breach means the acquisition, access, use, or disclosure of protected health
information in a manner not permitted under the Privacy Rule which
compromises the security or privacy of the protected health information.
45 CFR 164.402 “Breach”
Security Rule
Covered entities and business associates must … protect against any
reasonably anticipated uses or disclosures of electronic protected health
information that are not permitted or required under the Privacy Rule.
45 CFR 164.306(a)(3)
Business Associates – Covered Entities – PHI Chain of Trust
PHI Chain of Trust
[Diagram: PHI → Covered Entity → Business Associate → Subcontractor Business Associate 1 → Subcontractor Business Associate 2 → Subcontractor Business Associate 3]
Business Associate Agreement required at each link of Chain
Business Associates – Covered Entities – PHI Chain of Trust
PHI Chain of Trust: CE → BA → Sub-BA 1 → Sub-BA 2 → Sub-BA 3
Business Associate Agreements are required between:
• A CE and a BA
• A BA and a Sub-BA
• A Sub-BA and a Sub-BA
CEs are not required to have BAAs with Sub-BAs
Business Associates – Covered Entities – Due Diligence
Enforcement Rule
Willful Neglect means conscious, intentional failure or reckless indifference to
the obligation to comply with the administrative simplification provision violated.
Enforcement Rule: 45 CFR 160.401 “Willful neglect”
The Secretary will investigate any complaint filed under this section when a
preliminary review of the facts indicates a possible violation due to willful
neglect.
Enforcement Rule: 45 CFR 160.306(c)(1)
The Secretary will conduct a compliance review to determine whether a covered
entity or business associate is complying with the applicable administrative
simplification provisions when a preliminary review of the facts indicates a
possible violation due to willful neglect.
Enforcement Rule: 45 CFR 160.308(a)
Business Associates – Covered Entities – Due Diligence
Due Diligence
Business Associates and Subcontractor Business Associates
Important and Essential
“HIPAA Compliant”
Business Associate Privacy Rule Compliance
• A Business Associate may not use or disclose protected health
information in a manner that would violate the requirements of the
Privacy Rule, if done by a covered entity
• A Business Associate may use or disclose protected health information
only as permitted or required by its business associate contract or as
required by law
45 CFR 164.502(a)(3)
• A Business Associate is required to disclose protected health information
to HHS to investigate or determine the Business Associate's compliance
with the Privacy Rule
45 CFR 164.502(a)(4)(i)
Responsibility for Your Organization’s HIPAA Compliance Program
Senior Management is Responsible
• Delegate Authority to Compliance Officials
HIPAA Compliance Official – Explain – Teach – Laterally & Up
Your Audience: Senior Management, Compliance Colleagues
• Avoid Blame – Stick to Facts
• Present Opportunity
• Build Consensus
In conclusion we have covered
HIPAA – Health Insurance Portability and Accountability Act
Alert – Important New Business Associate HIPAA Enforcement
HIPAA and Business Associates
Covered Entities & Business Associates
Entangled Responsibilities – Chain of Trust
Business Associate Agreements – Agency – Due Diligence
Business Associate Compliance
HIPAA Privacy, Breach Notification and Security Rules
Your Organization’s HIPAA Compliance Program
Thank You
Paul Hales, J. D.
HIPAA Business Associate Compliance and Dangers