HIPAA covered entities (including health care providers and health plans) and their business associates must be mindful of HIPAA compliance when working with other entities even when that other entity is not a business associate. Often, vendors have access to an organization’s premises or information systems which may result in incidental access to protected health information (PHI). For example, a cleaning service may have access to a medical records room or an IT support vendor may have remote access to employee workstations. While such incidental access to PHI does not make the vendor a business associate, an organization must ensure that its PHI is protected and that it complies with HIPAA. This webinar will address:
· Strategies for dealing with non-business associate vendors;
· Best practices to protect your organization; and
· Development of policies and model contract language.
How to Effectively Negotiate a Business Associate Agreement: What’s Importan... - Compliancy Group
At some point, nearly all HIPAA covered entities and business associates must enter into business associate agreements (BAAs). Far too often though, entities commit one of two errors when doing so - they either sign a BAA “as is” without careful consideration of its terms or they negotiate each and every item in the agreement. The first error may result in significant costs and liability, and the second wastes time and money. This webinar will address the terms and conditions of BAAs that require your attention, and which ones you shouldn’t lose any sleep over. The webinar will give both covered entities and business associates the tools they need to identify and address BAA risks, while protecting their business and saving time and money.
Shipman & Goodwin LLP attorneys have negotiated thousands of BAAs for small providers, Fortune 500 companies and everyone in between.
1. The document discusses the growing problem of identity theft and its various types, including driver's license theft, medical identity theft, financial identity theft, and Social Security identity theft.
2. It emphasizes the importance of protecting personal information and outlines laws like FACTA, HIPAA, and Gramm-Leach-Bliley that regulate how organizations must protect consumer data.
3. The document argues that providing identity theft protection services to employees can help mitigate damages for companies by reducing the time employees spend restoring their identities and acting as an early warning system for potential data breaches.
eFolder Partner Chat Webinar — HIPAA Policies and Best Practices from a Partner - eFolder
The document discusses HIPAA compliance for managed service providers (MSPs). It summarizes a presentation given by eFolder to dmi Networking, an MSP, about HIPAA policies and best practices. The presentation covers what HIPAA is, why MSPs must comply, administrative, physical and technical safeguards required, business associate agreements (BAAs), how to work towards compliance, and answers questions from dmi Networking.
HIPAA compliance template suites should have these features: immediate online delivery, editable MS Word format, regular updates, and creation by industry experts. This PDF contains almost all basic and advanced information about the HIPAA compliance template suite and also gives a fair idea of software tool and course costs. http://goo.gl/fR53x4
Business Associates: How to differentiate your organization using HIPAA compl... - Compliancy Group
Vendors that provide services to health care providers and health insurers are under increasing pressure to protect confidential patient/member information and certify compliance with HIPAA. These “business associates” must comply with numerous data privacy and security requirements under HIPAA and state law, and their ability to do so is often a key factor health care companies use when selecting a vendor. To stand out and make the sale, business associates need to be able to demonstrate robust HIPAA compliance and sufficient policies, procedures and protocols to protect their client’s sensitive data. This webinar will address what business associates need to do to comply with HIPAA and how to differentiate your organization from the competition using HIPAA compliance.
Presenter: William J. Roberts, Shipman & Goodwin LLP
Keeping Control: Data Security and Vendor Management - Paige Rasid
This document discusses strategies for organizations to manage risks associated with non-business associate vendors. It recommends that organizations implement organizational policies, conduct due diligence on vendors, and enter into confidentiality agreements. Specific policies are suggested around data access, premises access, and incidental data use or disclosure. Due diligence may involve vendor screening and obtaining privacy assurances. Confidentiality agreements should address data use, compliance with laws and policies, incident reporting, reimbursement for incidents, and indemnification. Proper management of non-business associate vendors can help organizations address privacy risks beyond those regulated by HIPAA.
HIPAA MYTHS: HOW MUCH DO YOU KNOW? COMMON MYTHS DEBUNKED & EXPLAINED - Compliancy Group
The document summarizes common myths about HIPAA regulations. It discusses 20 myths across several categories, including general myths, business associate myths, and health IT myths. Each myth is stated and then explained to clarify the true requirements of HIPAA. The document aims to debunk misconceptions about what HIPAA does and does not regulate regarding the privacy and security of protected health information.
This document discusses various topics related to nursing practice and the law. It covers different types of laws including statutory law, common law, and administrative law. It also discusses legal concepts such as negligence, malpractice, informed consent, and standards of care. Specific laws that can affect nursing practice like the Patient Self-Determination Act and HIPAA are explained. Tips for nurses to avoid legal issues and stay out of court are provided. The document also covers licensure, the NCLEX exam, and end-of-life legal considerations.
This white paper discusses how the HIPAA Omnibus Rule expanded regulations for protecting patient health information (PHI) and how businesses can ensure compliance. It explains that the rule now covers business associates that handle PHI for covered entities like healthcare providers. Carbonite's cloud backup solutions are designed to meet HIPAA requirements by encrypting, securing, and allowing emergency access to PHI. The paper outlines Carbonite's administrative, physical, and technical safeguards for complying with HIPAA privacy and security standards.
HIPAA compliance for Business Associates - The value of compliance, how to acq... - Compliancy Group
HIPAA compliance for Business Associates has become critical as you deal with medical professionals. During this webinar we will explain the law, what Business Associates need to know and do, and how to differentiate your firm in order to acquire new clients and retain current ones.
In this webinar, we will discuss:
- The steps on how to become HIPAA compliant as a Business Associate
- What an effective BAA should include
- How to help existing and new healthcare clients with compliance
- Why it is important to differentiate yourself as HIPAA compliant
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013 - RightScale
Speaker: Phil Cox - Director of Security and Compliance, RightScale
On January 25, 2013, the U.S. Department of Health and Human Services (HHS) released the final implementing regulations for many provisions of the HITECH Act (Health Information Technology for Economic and Clinical Health Act), often referred to as the Omnibus Rule. Many organizations have based their architectures and implementations on previous proposed and interim regulations, some of which are no longer valid. Anyone falling under HIPAA requirements is required to meet these new definitive compliance requirements by September 23, 2013. This talk will discuss the parts of the Omnibus Rule that affect the cloud landscape, and how you can successfully deploy a HIPAA-compliant application in the public cloud.
The healthcare industry faces an escalating threat from cybercriminals, with Business Associates (BAs) increasingly becoming their prime target. These attacks can expose millions of patients' Protected Health Information (PHI), leading to severe repercussions for both covered entities (CEs) and BAs. In this blog, we will delve into the crucial steps that are often overlooked but easy to follow, enabling CEs and BAs to protect themselves against the costs and reputational damage caused by HIPAA violations.
The interconnected nature of HIPAA compliance means that any weak link in the chain can have severe consequences for both CEs and BAs. To protect against data breaches and potential HIPAA violations, both parties must diligently fulfill their responsibilities and obtain "satisfactory assurances" from each other and their subcontractors. By following these simple yet often overlooked steps, CEs and BAs can bolster their defenses, safeguard patient data, and preserve their reputations in the face of growing cyber threats. Remember, compliance is an ongoing journey, and staying vigilant is key to maintaining the integrity of the healthcare ecosystem.
Register: https://conferencepanel.com/conference/hipaa-business-associate-compliance-and-dangers
White Paper distributed at our May 2018 meeting of the Chicago Technology For Value-Based Healthcare Meetup Group - https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/
The document summarizes key implications of the HIPAA Omnibus Rule for organizations that are considered Business Associates. It defines Business Associates and subcontractors as those who create, receive, maintain or transmit protected health information on behalf of covered entities or other business associates. The Omnibus Rule directly regulates business associates and subcontractors under HIPAA, requiring compliance with security and privacy rules. It expands the definition of a breach and penalties for noncompliance, potentially making it more likely organizations will need to notify individuals of breaches. The document provides examples of types of organizations now defined as Business Associates and outlines compliance requirements.
HIPAA Business Associate Responsibilities – What They Are? - Conference Panel
This HIPAA Business Associate Responsibilities webinar will review the regulations for Business Associates and their relationships with covered entities. To satisfy clients’ requirements for adequate assurances of good practices, Business Associates may be asked to provide a simple contract, third-party reviews, and assessments of HIPAA compliance. You will be able to examine types of HIPAA entities, such as Hybrid Entities, Affiliated Covered Entities, and Organized Health Care Arrangements.
HIPAA Business Associate responsibilities ensure good privacy and security compliance practices in the business. Whether your organization is a Business Associate or a Covered Entity that hires HIPAA Business Associates, you have significant compliance obligations that you overlook at your peril.
With this webinar, say a ‘NO’ to penalties and understand your actions!
A HIPAA violation could cost your company up to $50,000 per offense.
HR Workplace and HNI have teamed up to bring you an overview of HIPAA (the Health Insurance Portability and Accountability Act), outlining the main components, and identifying who is covered by the Act to make sure you aren't hit with a noncompliance fee.
We will examine the privacy provisions under HIPAA as they relate to protected health information (PHI) and also give your employees and business associates the tools to recognize the key provisions of HIPAA, how their organizations are affected by HIPAA, and how the privacy rules impact them.
M&A Post-Closing Disputes: Commonly disputed financial statement accounts - Deloitte United States
Gain insights into which financial statement accounts often lead to post-closing disputes between the parties to mergers and acquisitions transactions in this thought-provoking Dash on-demand webcast, presented by Jen Larson and Brian Lappen of Deloitte Financial Advisory Services LLP - Learn more:
http://www.deloitte.com/view/en_US/us/Services/Financial-Advisory-Services/Litigation-Dispute-Financial-Advisory/7c8c01f0ed5fb110VgnVCM100000ba42f00aRCRD.htm
HIPAA Compliance and Security in a Mobile World - Ryan Snell
With healthcare regulations evolving to account for the explosion of mobile devices (BYOD) being used at work, HIPAA compliance is critical for all healthcare organizations that face security breaches and hefty fines.
Michelle Caswell, Senior Director of Legal & Compliance at Clearwater Compliance, reviews HIPAA, violations and effective compliance. Having worked as a HIPAA Investigator at the Office for Civil Rights, Michelle brings first-hand understanding and passion to the discussion, focusing on the future of HIPAA and how BYOD solutions affect healthcare organizations’ compliance and patient record safety.
1) CPAs and other financial professionals are now considered fiduciaries under new regulations, requiring them to put their clients' interests first.
2) Record keeping is crucial to demonstrate that all work was conducted within compliance guidelines, including documenting all client meetings and the process for insurance transactions.
3) A lawsuit awarded $14.2 million to a plaintiff after two reputable firms provided dramatically different calculations for life insurance premiums to maintain the same benefits, illustrating the risks of relying on common industry practices. Proper application of prudent investor principles could have avoided litigation.
The Basics of Protecting PHI - Best Practices When Working with Business Asso... - Endeavor Management
Ultimately, transparency and explicit conversations about HIPAA compliance are critical for protecting patient information. Healthcare professionals should feel encouraged to ask specific questions about how PHI will be stored and managed to ensure compliance. This white paper outlines several tips for working with your vendors on the proper handling of PHI. Based on Gelb’s experience, we have outlined several tips (and perhaps requirements) for your projects moving forward.
The Ultimate Guide to Choosing the Right Medical Billing Agency.pdf - medquikhelathsolutio
In the ever-complex healthcare landscape, navigating the world of medical billing can be a daunting task. Reimbursement rates are constantly changing, insurance regulations are intricate, and ensuring accurate claim submissions is paramount for financial stability.
Vendor company overview - sample report 2020 - Kyle Hamwey
The document describes One Pass Access, a business relationship management solution that connects healthcare providers with vendors. It allows vendors to create a global corporate profile visible to healthcare customers, manage departmental users and representative accounts, and view current customers and opportunities. Maintaining accurate and complete profiles can help vendors engage with customers, lower risks, and replace various spending categories with One Pass Access's all-inclusive system. The company aims to fully support vendors in engaging with current and potential healthcare customers through its services.
Managing HIPAA Business Associate Relationships - April 24, 2018 - Dan Wellisch
This is the April presentation of the Chicago Technology for Value-Based Healthcare Meetup Group - https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/
New health plan identifier & certification requirements for self-insured plans - Patti Goldfarb, CSA
The ACA and HIPAA require self-insured health plans to obtain and use a 10-digit health plan identifier (HPID) for certain electronic transactions by set deadlines. Large plans must get an HPID by November 2014 and certify compliance by December 2015, while small plans have until November 2015 and an additional 365 days to certify. Failure to comply may result in penalties per covered individual. Employers should identify applicable plans, obtain HPID numbers according to size, and update third party agreements to require HPID use by November 2016.
ComplianceOnline PPT Format 2015 SEC’s New Whistleblower Rules 5.12.2015 - Craig Taggart MBA
This document is a presentation about the SEC's new whistleblower rules and their implications for compliance programs. It discusses key changes to the whistleblower rules, elements of an effective training program, how to mitigate retaliation claims, and guidance for potential whistleblowers. The presentation covers topics such as qui tam suits, internal reporting procedures, evaluating whistleblower tips, and international whistleblowing trends. It aims to help organizations develop useful information from whistleblowers while avoiding legal risks.
This document is an investor deck for HealthyAlways.com, which provides a one-stop patient engagement solution connecting patients with doctors. It outlines HealthyAlways.com's vision to be a trusted source for patients to ask doctors questions and refer to their expertise. The document discusses HealthyAlways.com's products and services, target markets, team, progress to date with over 100 registered doctors, and financial projections based on annual subscriptions from doctors and partnerships with hospitals and pharmaceutical companies.
The Small Company Clinical Study Sponsor -- Roles & Duties Vis-à-vis Liability - Michael Swit
September 24, 2014 presentation to the Outsourcing in Clinical Trials: Southern California Conference, sponsored by Arena Conferences, focusing on:
* Clarifying exactly what you are responsible for and what you may be held accountable for
* Analyzing degrees of liability between bigger and smaller companies
* Ensuring that you are enforcing compliance from your outsourcing partners to avoid repercussions on yourselves
* Determining aspects of your trial management that you should retain in-house as a minimum so as to avoid liability issues
* Explaining to funders why quality and risk-assessments are a necessary expenditure above the cheapest options
Healthcare IT thought leadership and practice managers continually seek ways to foster a culture of alertness when it comes to HIPAA compliance. They have the dual challenge of staying on the right side of federal regulators and stopping would-be hackers. This is especially true given the potential impact a data breach can have on their organization’s reputation and bottom line. By reflecting on 2015, it becomes clear that covered entities and business associates alike will continue to prepare to mitigate the threat of cyber-attacks and the planned ramp up of OCR Phase 2 Audits.
HIPAA Compliance Tune-up for 2016 is the topic of this webinar, which will focus on mitigation strategies Covered Entities and BAs alike can take to minimize the risk of a data breach or of actions prompting an OCR audit.
The HIPAA Security Rule sets out strict guidelines for Covered Entities to maintain electronic records of their protected health information.
Fortunately, Omnibus allows Covered Entities to share access to their ePHI to third-party experts called Business Associates, and specifically identifies cloud service providers as viable options. This webinar will review how to leverage the cloud to safeguard your organization’s ePHI, including:
· What HIPAA requires;
· How to assess your current protection level; and
· Bridging the gap between your protection level and HIPAA requirements.
More Related Content
Similar to HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices
This white paper discusses how the HIPAA Omnibus Rule expanded regulations for protecting patient health information (PHI) and how businesses can ensure compliance. It explains that the rule now covers business associates that handle PHI for covered entities like healthcare providers. Carbonite's cloud backup solutions are designed to meet HIPAA requirements by encrypting, securing, and allowing emergency access to PHI. The paper outlines Carbonite's administrative, physical, and technical safeguards for complying with HIPAA privacy and security standards.
HIPAA compliance for Business Associates- The value of compliance, how to acq...Compliancy Group
HIPAA compliance for Business Associates has become critical as you deal with medical professionals. During this webinar we will explain the law and what Business Associates need to know and do and how to differentiate your firm to acquire new and maintain current clients.
In this webinar, we will discuss:
-The steps on how to become HIPAA compliant as a Business Associate
-What an effective BAA should include
-How to help existing and new healthcare clients with compliance
-Why it is important to differentiate yourself as HIPAA compliant
HIPAA in the Public Cloud: The Rules Have Been Set - RightScale Compute 2013RightScale
Speaker: Phil Cox - Director of Security and Compliance, RightScale
On January 25, 2013, the U.S. Department of Health and Human Services (HHS) released the final implementing regulations for many provisions of the HITECH Act (Health Insurance Technology for Economic and Clinical Health Act), often referred to as the Omnibus Rule. Many organizations have based their architectures and implementations on previous proposed and interim regulations, some of which are no longer valid. Anyone falling under HIPAA requirements is required to meet these new definitive compliance requirements by September 23, 2013. This talk will discuss the parts of the Omnibus rule that affect the cloud landscape, and how you can successfully deploy a HIPAA-compliant application in the public cloud.
The healthcare industry faces an escalating threat from cybercriminals, with Business Associates (BAs) increasingly becoming their prime target. These attacks can expose millions of patients' Protected Health Information (PHI), leading to severe repercussions for both CEs and BAs. In this blog, we will delve into the crucial steps that are often overlooked but easy to follow, enabling CEs and BAs to protect themselves against the costs and reputational damage caused by HIPAA violations.
The interconnected nature of HIPAA compliance means that any weak link in the chain can have severe consequences for both CEs and BAs. To protect against data breaches and potential HIPAA violations, both parties must diligently fulfill their responsibilities and obtain "satisfactory assurances" from each other and their subcontractors. By following these simple yet often overlooked steps, CEs and BAs can bolster their defenses, safeguard patient data, and preserve their reputations in the face of growing cyber threats. Remember, compliance is an ongoing journey, and staying vigilant is key to maintaining the integrity of the healthcare ecosystem.
Register,
https://conferencepanel.com/conference/hipaa-business-associate-compliance-and-dangers
White Paper distributed at our May 2018 meeting of the Chicago Technology For Value-Based Healthcare Meetup Group - https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/
The document summarizes key implications of the HIPAA Omnibus Rule for organizations that are considered Business Associates. It defines Business Associates and subcontractors as those who create, receive, maintain or transmit protected health information on behalf of covered entities or other business associates. The Omnibus Rule directly regulates business associates and subcontractors under HIPAA, requiring compliance with security and privacy rules. It expands the definition of a breach and penalties for noncompliance, potentially making it more likely organizations will need to notify individuals of breaches. The document provides examples of types of organizations now defined as Business Associates and outlines compliance requirements.
HIPAA Business Associate Responsibilities – What They Are?Conference Panel
The HIPAA Business Associate Responsibilities will review the regulations for Business Associates while discussing their covered entities. To satisfy the clients’ requirements for adequate assurances of good practices, Business Associates may be asked to provide a simple contract, third-party reviews, and assessments of HIPAA compliance. You will be able to examine types of HIPAA entities, such as Hybrid entities, Affiliated Covered Entities, and Organized Health Care Arrangements.
The HIPAA Business Associates Responsibilities ensure good privacy and security compliance practices in the business. Whether your organization is a Business Associate or a Covered Entity that hires HIPAA Business Associates, you have significant obligations in compliance that you overlook at your peril.
With this webinar, say a ‘NO’ to penalties and understand your actions!
A HIPAA violation could cost your company up to $50,000 per offense.
HR Workplace and HNI have teamed up to bring you an overview of HIPAA (the Health Insurance Portability and Accountability Act), outlining the main components, and identifying who is covered by the Act to make sure you aren't hit with a noncompliance fee.
We will examine the privacy provisions under HIPAA as they relate to protected health information (PHI) and also give your employees and business associates the tools to recognize the key provisions of HIPAA, how their organizations are affected by HIPAA, and how the privacy rules impact them.
M&A Post-Closing Disputes: Commonly disputed financial statement accountsDeloitte United States
Gain insights into which financial statement accounts often lead to post-closing disputes between the parties to mergers and acquisitions transactions in this thought-provoking Dash on-demand webcast, presented by Jen Larson and Brian Lappen of Deloitte Financial Advisory Services LLP - Learn more:
http://www.deloitte.com/view/en_US/us/Services/Financial-Advisory-Services/Litigation-Dispute-Financial-Advisory/7c8c01f0ed5fb110VgnVCM100000ba42f00aRCRD.htm
HIPAA Compliance and Security in a Mobile WorldRyan Snell
With healthcare regulations evolving to account for the explosion of mobile devices (BYOD) being used at work, HIPAA compliance is critical for all healthcare organizations who are facing security breaches and hefty fines.
Michelle Caswell, Senior Director of Legal & Compliance at Clearwater Compliance, reviews HIPAA, violations and effective compliance. Having worked as a HIPAA Investigator at the Office for Civil Rights, Michelle brings first-hand understanding and passion to the discussion, focusing on the future of HIPAA and how BYOD solutions affect healthcare organizations’ compliance and patient record safety.
1) CPAs and other financial professionals are now considered fiduciaries under new regulations, requiring them to put their clients' interests first.
2) Record keeping is crucial to demonstrate that all work was conducted within compliance guidelines, including documenting all client meetings and the process for insurance transactions.
3) A lawsuit awarded $14.2 million to a plaintiff after two reputable firms provided dramatically different calculations for life insurance premiums to maintain the same benefits, illustrating the risks of relying on common industry practices. Proper application of prudent investor principles could have avoided litigation.
The Basics of Protecting PHI - Best Practices When Working with Business Asso... - Endeavor Management
Ultimately, transparency and explicit conversations about HIPAA compliance are critical for protecting patient information. Healthcare professionals should feel encouraged to ask specific questions about how PHI will be stored and managed to ensure compliance. This white paper outlines several tips in working with your vendors regarding the proper handling of PHI. Based on Gelb’s experience, we have outlined several tips (and perhaps requirements) for your projects moving forward.
The Ultimate Guide to Choosing the Right Medical Billing Agency.pdf - medquikhelathsolutio
In the ever-complex healthcare landscape, navigating the world of medical billing can be a daunting task. Reimbursement rates are constantly changing, insurance regulations are intricate, and ensuring accurate claim submissions is paramount for financial stability.
Vendor company overview-sample report 2020 - Kyle Hamwey
The document describes One Pass Access, a business relationship management solution that connects healthcare providers with vendors. It allows vendors to create a global corporate profile visible to healthcare customers, manage departmental users and representative accounts, and view current customers and opportunities. Maintaining accurate and complete profiles can help vendors engage with customers, lower risks, and replace various spending categories with One Pass Access's all-inclusive system. The company aims to fully support vendors in engaging with current and potential healthcare customers through its services.
Managing HIPAA Business Associate Relationships - April 24, 2018 - Dan Wellisch
This is the April presentation of the Chicago Technology for Value-Based Healthcare Meetup Group - https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/
New health plan identifier & certification requirements for self insured plans - Patti Goldfarb, CSA
The ACA and HIPAA require self-insured health plans to obtain and use a 10-digit health plan identifier (HPID) for certain electronic transactions by set deadlines. Large plans must get an HPID by November 2014 and certify compliance by December 2015, while small plans have until November 2015 and an additional 365 days to certify. Failure to comply may result in penalties per covered individual. Employers should identify applicable plans, obtain HPID numbers according to size, and update third party agreements to require HPID use by November 2016.
ComplianceOnline PPT Format 2015 SEC’s New Whistleblower Rules 5.12.2015 - Craig Taggart MBA
This document is a presentation about the SEC's new whistleblower rules and their implications for compliance programs. It discusses key changes to the whistleblower rules, elements of an effective training program, how to mitigate retaliation claims, and guidance for potential whistleblowers. The presentation covers topics such as qui tam suits, internal reporting procedures, evaluating whistleblower tips, and international whistleblowing trends. It aims to help organizations develop useful information from whistleblowers while avoiding legal risks.
This document is an investor deck for HealthyAlways.com, which provides a one-stop patient engagement solution connecting patients with doctors. It outlines HealthyAlways.com's vision to be a trusted source for patients to ask doctors questions and refer to their expertise. The document discusses HealthyAlways.com's products and services, target markets, team, progress to date with over 100 registered doctors, and financial projections based on annual subscriptions from doctors and partnerships with hospitals and pharmaceutical companies.
The Small Company Clinical Study Sponsor -- Roles & Duties Vis-à-vis Liability - Michael Swit
September 24, 2014 presentation to the Outsourcing in Clinical Trials: Southern California Conference, sponsored by Arena Conferences, focusing on:
* Clarifying exactly what you are responsible for and what you may be held accountable for
* Analyzing degrees of liability between bigger and smaller companies
* Ensuring that you are enforcing compliance from your outsourcing partners to avoid repercussions on yourselves
* Determining aspects of your trial management that you should retain in-house as a minimum so as to avoid liability issues
* Explaining to funders why quality and risk-assessments are a necessary expenditure above the cheapest options
Healthcare IT thought leadership and practice managers continually seek ways to foster a culture of alertness when it comes to HIPAA compliance. They have the dual challenge of staying on the right side of federal regulators and stopping would-be hackers. This is especially true given the potential impact a data breach can have on their organization’s reputation and bottom line. Reflecting on 2015, it becomes clear that covered entities and business associates alike will continue to prepare to mitigate the threat of cyber-attacks and the planned ramp-up of OCR Phase 2 Audits.
HIPAA compliance Tune-up for 2016 is the topic of this webinar, which will focus on mitigation strategies Covered Entities and BAs alike can take to minimize the risk of a data breach or of actions prompting an OCR Audit.
The HIPAA Security Rule sets out strict guidelines for Covered Entities to maintain electronic records of their protected health information.
Fortunately, Omnibus allows Covered Entities to share access to their ePHI to third-party experts called Business Associates, and specifically identifies cloud service providers as viable options. This webinar will review how to leverage the cloud to safeguard your organization’s ePHI, including:
· What HIPAA requires.
· How to assess your current protection level.
· Bridging the gap between your protection level and HIPAA requirements
Business Associates: How to become HIPAA compliant, increase revenue, and gai... - Compliancy Group
Since Omnibus took effect in 2013, Business Associates (BAs) have scrambled to understand and adhere to the Federal Regulation. Though Omnibus alone was reason enough for Business Associates to become compliant, many realized that compliance could also help differentiate their offerings, helping the company retain and acquire new clients. Compliance is helping many BAs open new revenue streams while increasing brand stickiness.
With the plethora of non-compliant Business Associates, Covered Entities are realizing that the best option for them is to choose a BA that is compliant to reduce their risk.
Have you ever felt confused by HIPAA’s complex regulations? Even if you are well versed in the laws, there are still many headache inducing intricacies. In this webinar, an experienced HIPAA auditor will highlight the basics of HIPAA, its regulations, what you need to know about it, and how it may affect you, especially with a new wave of HHS audits looming. The webinar is designed for HIPAA novices and experts alike, and all questions are encouraged in this interactive session.
How to prepare for OCR's upcoming phase 2 audits - Compliancy Group
Covered entities and business associates are on their toes awaiting the Phase 2 Audits from OCR. In this webinar we highlight the key points of what the OCR is looking for and how you should prepare. With the Phase 2 audits focused on the main sources of non-compliance found in the Phase 1 Audits, this could be the webinar that saves your business!
Preparing for the unexpected in your medical practice - Compliancy Group
In the blink of an eye… it could all change. If you’re unprepared, a catastrophic event has the power to bring down your entire office. Learn about the best tax status for your business (HINT: it may not be what you think!), following Locum Tenens rules by the insurance companies, preparing for life insurance trusts, ensuring partnerships are not dissolved … and MORE!
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no... - Compliancy Group
How many electronic devices used in your organization store electronic Protected Health Information (ePHI)? If you work in a healthcare setting, this is not easily answered. While there has been considerable attention paid to ePHI stored on computers and networked servers, and recent attention given to portable devices like tablets and cell phones, one class of ePHI bearing technology remains rather mysterious – medical devices. This webinar shines a light on medical device data storage and introduces ePHI breach risks in direct patient care, clinical lab, and medical imaging settings. A brief case study for each setting will be presented.
HIPAA compliance is mandatory for over 7 million covered entities and business associates. However, 70% are not currently compliant. The document outlines the HIPAA compliance requirements including conducting a risk assessment and illustrating corrective actions, having business associate agreements, and preparing for audits by updating policies and training. It notes that both covered entities and business associates will be audited under more strict protocols going forward. A four step compliance plan is suggested starting with conducting a gap analysis, creating a remediation plan, proving deficiencies were addressed, and maintaining ongoing compliance.
So you finally completed the implementation of your EHR, so now you are HIPAA compliant, right? Sadly, this is far from the truth. Meaningful Use and HIPAA, though they share some of the same requirements (Core Measures 9 and 15), are far from the same. Learn in this webinar the differences between HITECH Meaningful Use and HIPAA and how to help your organization satisfy both.
How to Increase Your Profits Using Patient Payments on File, Recurring and On... - Compliancy Group
With the rise of High Deductible Insurance Plans and increased practice revenue coming directly from your patient receivables, it is extremely important for you to manage your patient receivables with a different mindset. Find out new ways to utilize billing options to reduce collection costs, increase profits and shorten the revenue cycle.
CardChoice International is the trusted advisor to both the American Medical Billing Association and the Practice Management Institute, and has partnered with healthcare organizations, to educate their members on the best methods for revenue cycle management.
Why a Risk Assessment is NOT Enough for HIPAA Compliance - Compliancy Group
A common misconception is that “A risk assessment makes me HIPAA compliant.” Sadly, this belief can cost your practice more than taking no action at all. A risk assessment is a requirement for HITECH under Meaningful Use Core Measure 15, but it does NOT make you HIPAA compliant. Furthermore, it can place you in the category of willful neglect and expose your organization to the next level of fines.
Join industry experts to find out how to achieve Meaningful Use, HITECH and HIPAA compliance while protecting your practice. Don’t miss this webinar; it could be the most important message you receive all year!
The must have tools to address your HIPAA compliance challenge - Compliancy Group
A panel of experts from the companies chosen as “5 Key tools to help your organization achieve HIPAA compliance.” In this webinar we will highlight ways for you and your organization to use tools that make the task of HIPAA compliance easier and more effective.
Panelists:
Bob Grant, ex-HIPAA auditor and CCO of Compliancy Group LLC
Andy Nieto, Health IT Strategist at DataMotion
April Sage, Director of Healthcare IT at Online Tech
Asaf Cidon, CEO and co-founder of Sookasa
Daryl Glover, Exec VP Strategic Initiatives of qliqSOFT
What you need to know about Meaningful Use 2 & interoperability - Compliancy Group
Does this describe you?
· You are constantly challenged to stay abreast of the latest information on EHR integration and HIE interoperability, Meaningful Use stages, the Direct Project, clinician and patient portals, just to name a few.
· You walk a fine line between adopting health information technology for the good it can bring to patient outcomes... and for the incentive dollars it can mean to your organization.
· You play a key role in ensuring your organization can attest for meaningful use.
Join Andy Nieto, Health IT Strategist at DataMotion, where he’ll explain the key role that interoperability plays in Meaningful Use Stage 2 attestation, including:
- What does interoperability really mean
- Why you can’t ignore interoperability
- How to achieve interoperability and make it meaningful
- What you need in order to attest
Attend this hard-hitting session where Rebecca Wiedmeyer, President of Vela Consulting Group, will share her experiences helping hundreds of covered entities understand and address MU 2. In addition, she will provide answers to the complexity of addressing ICD-10.
Panelists:
Rebecca Wiedmeyer, President of Vela Consulting Group
Moderator:
Marc Haskelson, President, The Compliancy Group LLC.
U.S. legislation such as the Affordable Care Act, HIPAA and HITECH outline rules governing the appropriate use of personal health information (PHI). Unfortunately, current technologies do not adequately monitor PHI use. In particular, while electronic medical records (EMR) systems maintain detailed audit logs that record each access to PHI, the logs contain too many accesses for compliance officers to practically monitor, putting PHI at risk. In this talk I will present the explanation-based auditing system, which aims to filter appropriate accesses from the audit log so compliance officers can focus their efforts on suspicious behavior. The underlying premise of the system is that most appropriate accesses to medical records occur for valid clinical or operational reasons in the process of treating a patient, while inappropriate accesses do not. I will discuss how explanations for accesses (1) capture these clinical and operational reasons, (2) can be mined directly from the EMR database, (3) can be enhanced by filling-in frequently missing types of data, and (4) can drastically reduce the auditing burden.
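The filtering the talk describes, written out as an added example (not the speaker's system or any EMR product): a constructed access log is parsed, departments missing from log lines are filled in from a constructed user directory, and each access is matched against constructed explanation tables (care-team assignment, a recent appointment in the accessing user's department). Only accesses no explanation covers are handed to the compliance officer.

```python
"""Explanation-based filtering of an EMR access log (added example).

Every table and log line here is constructed for illustration; in the talk the
explanation sources are mined from the EMR database itself.
"""
import csv
from dataclasses import dataclass
from datetime import date, timedelta
from io import StringIO
from typing import Optional


@dataclass(frozen=True)
class Access:
    when: date
    user: str
    patient: str
    dept: Optional[str]   # department of the accessing user; often missing in real logs


# Constructed explanation sources (step 2 of the talk: mined from the EMR database).
CARE_TEAM = {"P100": {"drlee", "nurse_kim"}, "P200": {"drpatel"}}
APPOINTMENTS = [  # (patient, department, visit date)
    ("P100", "cardiology", date(2015, 3, 2)),
    ("P300", "radiology", date(2015, 3, 4)),
]
USER_DIRECTORY = {"drlee": "cardiology", "nurse_kim": "cardiology",
                  "drpatel": "oncology", "tech_ann": "cardiology",
                  "tech_bob": "radiology"}
VISIT_WINDOW = timedelta(days=3)  # accesses this close to a visit count as part of it

# Constructed log: date,user,patient,department (department may be blank).
SAMPLE_LOG = """\
2015-03-02,drlee,P100,cardiology
2015-03-03,tech_ann,P100,cardiology
2015-03-04,tech_bob,P300,
2015-03-05,nurse_kim,P200,cardiology
2015-03-20,drpatel,P100,
2015-03-21,temp_99,P300,
"""


def parse_log(text):
    """Turn CSV log lines into Access records; a blank department becomes None."""
    return [Access(date.fromisoformat(when), user, patient, dept or None)
            for when, user, patient, dept in csv.reader(StringIO(text))]


def fill_missing(access):
    """Step 3 of the talk: fill in a department the log omitted from the directory."""
    if access.dept is None and access.user in USER_DIRECTORY:
        return Access(access.when, access.user, access.patient,
                      USER_DIRECTORY[access.user])
    return access


def explain(access):
    """Step 1: return a clinical/operational reason for the access, or None."""
    if access.user in CARE_TEAM.get(access.patient, set()):
        return "care team: user is assigned to the patient"
    for patient, dept, visit in APPOINTMENTS:
        if (patient == access.patient and dept == access.dept
                and abs(access.when - visit) <= VISIT_WINDOW):
            return f"appointment: patient seen in {dept} on {visit.isoformat()}"
    return None


def audit(text):
    """Return (explained, unexplained); only the second list needs human review."""
    explained, unexplained = [], []
    for raw in parse_log(text):
        access = fill_missing(raw)
        reason = explain(access)
        (explained if reason else unexplained).append((access, reason))
    return explained, unexplained


if __name__ == "__main__":
    ok, suspicious = audit(SAMPLE_LOG)
    print(f"{len(ok)} of {len(ok) + len(suspicious)} accesses explained")
    for access, _ in suspicious:
        print("REVIEW:", access.when, access.user, "->", access.patient)
```

Note that the last log line stays unexplained even though the patient did have a radiology visit, because the accessing user is unknown to the directory; a filled-in explanation should never be manufactured for an account that cannot be attributed.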
Spurred to action by HITECH, the U.S. Department of Health and Human Services has started to enforce HIPAA regulations through a series of random audits. In 2014 the audits are expected to extend to Business Associates. In this session, attorney Richard Wagner will cover the five crucial steps that Covered Entities and Business Associates alike will need to take now to survive an unexpected audit.
Where security and privacy meet partnering tips for CSOs and privacy/complian... - Compliancy Group
This webinar will identify challenges in both the privacy and security offices, explain the necessity of working together, and identify mutual goals, both within their departments and in the context of the rest of the business. It will include solutions and suggestions for working together and case studies/examples showing common mistakes as well as success stories of privacy and IT offices working together.
Panelists:
Gant Redmon, General Counsel and VP of Business Development, Co3 Systems
How to Make a Field Mandatory in Odoo 17 - Celine George
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP - RAHUL
This dissertation explores the particular circumstances of Mirzapur, a region located in the core of India. Mirzapur, with its varied terrains and abundant biodiversity, offers an optimal environment for investigating changes in vegetation cover dynamics. Our study utilizes advanced technologies such as GIS (Geographic Information Systems) and remote sensing to analyze the transformations that have taken place over the course of a decade.
The complex relationship between human activities and the environment has been the focus of extensive research and concern. As the global community grapples with swift urbanization, population expansion, and economic progress, the effects on natural ecosystems are becoming more evident. A crucial element of this impact is the alteration of vegetation cover, which plays a significant role in maintaining the ecological equilibrium of our planet.
Land serves as the foundation for all human activities and provides the necessary materials for these activities. As the most crucial natural resource, its utilization by humans results in different 'land uses', which are determined by both human activities and the physical characteristics of the land.
The utilization of land is impacted by human needs and environmental factors. In countries like India, rapid population growth and the emphasis on extensive resource exploitation can lead to significant land degradation, adversely affecting the region's land cover.
Therefore, human intervention has significantly influenced land use patterns over many centuries, evolving its structure over time and space. In the present era, these changes have accelerated due to factors such as agriculture and urbanization. Information regarding land use and cover is essential for various planning and management tasks related to the Earth's surface, providing crucial environmental data for scientific, resource management and policy purposes, and for diverse human activities.
Accurate understanding of land use and cover is imperative for the development planning of any area. Consequently, a wide range of professionals, including earth system scientists, land and water managers, and urban planners, are interested in obtaining data on land use and cover changes, conversion trends, and other related patterns. The spatial dimensions of land use and cover support policymakers and scientists in making well-informed decisions, as alterations in these patterns indicate shifts in economic and social conditions. Monitoring such changes with the help of advanced technologies like remote sensing and Geographic Information Systems is crucial for coordinated efforts across different administrative levels.
Changes in vegetation cover refer to variations in the distribution, composition, and overall structure of plant communities across different temporal and spatial scales. These changes can occur natural.
This document provides an overview of wound healing, its functions, stages, mechanisms, factors affecting it, and complications.
A wound is a break in the integrity of the skin or tissues, which may be associated with disruption of the structure and function.
Healing is the body’s response to injury in an attempt to restore normal structure and functions.
Healing can occur in two ways: Regeneration and Repair
There are 4 phases of wound healing: hemostasis, inflammation, proliferation, and remodeling. This document also describes the mechanism of wound healing. Factors that affect healing include infection, uncontrolled diabetes, poor nutrition, age, anemia, the presence of foreign bodies, etc.
Complications of wound healing include infection, hyperpigmentation of the scar, contractures, and keloid formation.
Strategies for Effective Upskilling is a presentation by Chinwendu Peace in a Your Skill Boost Masterclass organised by the Excellence Foundation for South Sudan on 8th and 9th June 2024 from 1 PM to 3 PM on each day.
It describes the bony anatomy of the hip, including the femoral head, acetabulum and labrum, and also discusses the capsule and ligaments. The muscles that act on the hip joint and its range of motion are outlined. Factors affecting hip joint stability and weight transmission through the joint are summarized.
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.
Leveraging Generative AI to Drive Nonprofit Innovation - TechSoup
In this webinar, participants learned how to utilize Generative AI to streamline operations and elevate member engagement. Amazon Web Services experts presented customer-specific use cases and dived into low/no-code tools that are quick and easy to deploy through Amazon Web Services (AWS).
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ... - Diana Rendina
Librarians are leading the way in creating future-ready citizens – now we need to update our spaces to match. In this session, attendees will get inspiration for transforming their library spaces. You’ll learn how to survey students and patrons, create a focus group, and use design thinking to brainstorm ideas for your space. We’ll discuss budget friendly ways to change your space as well as how to find funding. No matter where you’re at, you’ll find ideas for reimagining your space in this session.
2. www.shipmangoodwin.com @SGHealthLaw
Copyright 2015
About HIPAA
• HIPAA is a federal law that governs the use, disclosure and
safeguarding of individually identifiable health information.
• One of many state and federal laws that govern information
held by health care providers and health plans. Others include:
v Substance abuse confidentiality regulations; and
v State personal information laws.
When Does HIPAA Apply?
• HIPAA applies to most health care providers and health plans (“covered
entities”) and certain third parties who use PHI to provide services for or
on behalf of the covered entity (“business associates”).
v Business associates often include attorneys, consultants, IT firms,
shredding companies and other vendors.
• Exceptions may include:
v health care services provided by schools or colleges/universities; or
v certain health care providers that are cash-only.
What Information Does
HIPAA Protect?
• HIPAA applies to and protects “protected health information”, usually
referred to as “PHI.”
• PHI is health information about a patient created or received by health care
providers and health plans. PHI includes information:
v Sent or stored in any form (written, verbal or electronic);
v That identifies the patient or can be used to identify the patient; and
v That generally is about a patient’s past, present and/or future treatment,
health status or payment of services.
• In other words: PHI is any health information that can lead to the identity
of the individual, or whose contents can be used to make a reasonable
assumption as to the individual’s identity.
Identifying Business Associates
• Any individual or organization that either:
v Creates, receives, maintains, or transmits PHI on behalf of a covered entity for
a function or activity regulated under HIPAA, such as claims processing or
administration, data analysis, processing or administration, utilization review,
quality assurance, patient safety activities, billing, benefit management,
practice management, or repricing; or
v Provides legal, actuarial, accounting, consulting, data aggregation,
management, administrative, accreditation, or financial services to or for a
covered entity, if the service involves the disclosure of PHI.
• Those who store or otherwise maintain PHI.
• Certain data transmission services.
• Certain personal health record vendors.
• Subcontractors.
Identifying Business Associates
• Who is not a business associate?
v Workforce members.
v Parties receiving PHI through litigation proceedings.
v Recipients of PHI disclosed when required or permitted by law, such as
disclosures to law enforcement or state agencies.
v Typically, cleaning/food services.
• Managing Business Associates
v Keep a file of all business associate agreements – make sure they are
executed and kept current.
v Periodically review vendors to see if any business associate agreements
are missing.
Data Transmission Services
• Data Transmission Services
v Business associates include health information organizations and e-prescribing gateways.
v To qualify as a business associate, the data transmission service must
have “routine” access to the PHI it is transmitting.
v The “conduit exception” – if an entity is simply acting as a pass-through with no routine access, it is not a business associate.
► Examples include telephone company, UPS and courier services.
Personal Health Record Vendors
• Personal Health Record vendors may be a business associate.
v Not all vendors of personal health records will be your business
associate.
v Fact-specific determination.
v Key: If you are hiring a vendor to provide a personal health record
service for your patients, the vendor is likely a business associate.
Entities that “Maintain” PHI
• The definition of business associate includes entities which “maintain” PHI on
behalf of a covered entity, even if the entity does not access or view the PHI.
v Includes paper record and cloud storage firms.
v Whether the vendor accesses your PHI is irrelevant.
• Entities that “temporarily” maintain or store PHI.
v If the conduit exception applies, no business associate relationship (i.e. UPS or
an internet service provider temporarily storing PHI while transmitting it, while
not routinely accessing it).
v Otherwise, temporary storage would create a business associate relationship
(e.g. a shredding company which temporarily maintains PHI prior to shredding
it).
Subcontractors
• The definition of “business associate” includes subcontractors that create,
receive, maintain, or transmit PHI on behalf of a business associate.
v Excludes workforce members.
v Examples:
► Hospital engages a consulting firm to advise the hospital on quality
and patient safety issues, and provides PHI to the consulting firm as
part of the engagement.
► Consulting firm in turn provides the PHI to a third party copy
center, off-site shredding firm and cloud storage email platform.
• HIPAA applies to all downstream subcontractors in the same manner as it
applies to the business associates that directly contract with covered
entities.
Vicarious Liability
• A covered entity may be liable for the acts or omissions of its business
associates, and a business associate may be liable for the acts or omissions
of its subcontractors.
• When are you liable?
v You may be liable if the business associate/subcontractor is your
“agent”.
v No bright line rules for when a business associate/subcontractor is an
agent – facts and circumstances approach.
v Key factor: If you can control the business associate’s or
subcontractor’s conduct, the business associate or subcontractor is
likely your agent.
Vicarious Liability
• Reducing Your Exposure:
v Attempt to structure vendor relationships to avoid vicarious liability.
v Consider how much ability to control a business associate’s or
subcontractor’s acts you need (if any).
v Agreements should be narrowly tailored to specific tasks and
obligations.
v Language saying “not an agent” is insufficient.
v Do you really need to disclose PHI?
Vicarious Liability
• Reducing Your Exposure (cont.)
v Consider conducting due diligence prior to contracting with business
associates.
v Don’t assume the business associate complies with HIPAA.
v Consider requesting to see copies of HIPAA policies and procedures.
v Consider security review and audits.
• Note: Do you have the time, money and resources to take the above
actions? If not, consider a more modest approach, such as a vendor
questionnaire.
Business Associate Agreements
• The business associate agreement or “BAA” is the agreement entered into
between the covered entity and the business associate to govern the
business associate’s creation, use, maintenance and disclosure of PHI.
• Typically a separate agreement that applies to one or more underlying
agreements, such as service contracts.
v May also be an addendum or embedded in the body of the service
agreement.
v Generally, a best practice is to have only one business associate
agreement between one covered entity and one business associate to
govern all agreements and relationships between the parties.
Business Associate Agreements
• HIPAA requires business associate agreements to address:
v Compliance with the Security Rule;
v Compliance with the Privacy Rule (as applicable);
v Reporting breaches of unsecured PHI;
v Business associate’s subcontractors must agree to the same restrictions and
conditions that apply to the business associate;
v Impermissible uses and disclosures;
v Access to electronic PHI;
v Required disclosures to the U.S. Department of Health and Human Services
for the purpose of determining business associate’s compliance with HIPAA;
and
v Limiting disclosures to the minimum necessary.
Subcontractor Agreements
• Business associates must enter into agreements with each of their
subcontractors that receive or have access to PHI.
v May be called business associate agreements or HIPAA subcontractor
agreements.
• Negotiation Points:
v Ensure that the subcontractor agreement allows the business associate
to comply with the obligations it owes to the covered entity.
v Business associate should retain the right to amend the subcontractor
agreement in the event its agreement with the covered entity
changes.
v Clarify who is responsible for a breach or HIPAA violation by the
subcontractor.
Key Terms and Provisions
• When drafting, reviewing and negotiating business associate agreements, one
should be focused on certain key terms. While all parts of the agreement are
important, these are the terms that are most likely to affect the parties’ liability and
obligations:
v Breach notification and mitigation
v Cooperation
v Indemnification
v Insurance
v De-Identification
v Security Safeguards
v Change of Law
General Considerations
• Develop your own form business associate agreement.
v Worth the exercise to determine what you want in the agreement and
what your risk profile is.
v Try to start with your own form and negotiate from there.
• When negotiating a business associate agreement, your goal should be to
protect your organization – not to argue/win on every point.
v In other words, stay focused and don’t over-lawyer.
v Recognize your bargaining power and market position and be realistic
in what you can achieve.
Breach Notification
• HIPAA requires covered entities to notify affected individuals of a breach
of their unsecured (i.e. unencrypted) PHI.
v Notifications may also be necessary to the media or government
regulators.
v States may have their own notification requirements, such as to an
Attorney General or consumer protection department.
v Notifications must be made as soon as practicable but within no more
than 60 days of discovery.
• HIPAA requires a business associate to notify a covered entity of a breach
of unsecured PHI as soon as practicable but within no more than 60 days of
discovery.
23. Breach Notification
• Negotiation Points:
v While up to 60 days is permitted by law, regulators will not look fondly
upon covered entities who give their business associates that much time
– push for a shorter maximum reporting time frame.
v If a business associate is concerned about producing a list of affected
individuals within a very short time frame (e.g. 3 days), consider a
bifurcated obligation – tell the covered entity of the breach first, and
give the covered entity the necessary information later.
v Make the business associate responsible for receiving timely reports
from its subcontractors.
v Consider state laws that may require quicker breach reporting,
particularly when Social Security numbers are involved.
24. Breach Mitigation
• In addition to breach reporting, many covered entities expect more from their
business associates. In other words, if the business associate caused the problem,
they own the problem.
• Consider:
v Require business associate to take reasonable steps to mitigate any potential
harm from the breach, including such steps as the covered entity may
reasonably require.
v Include specific actions the business associate must take, such as attempt to
retrieve any lost or stolen information or operate (or arrange for) a call center
through which affected individuals can have their questions answered.
v Require the business associate to make its records, personnel and advisors
available to the covered entity for purposes of the covered entity completing its
investigation of the breach.
25. Cooperation
• Investigations.
v When under investigation by an Attorney General, the Office for Civil Rights,
or another state or federal agency, cooperation by the business associate is
often vital.
v Include a provision in the BAA that requires the business associate to
participate in the investigation and provide the information the covered entity
needs. If the investigation is due to an act or omission of the business associate,
the business associate’s cooperation should be at its own cost and expense. Otherwise,
the covered entity typically is required to reimburse the business associate for its
costs.
• Access to Books, Records and Policies.
v At times, a covered entity may want to conduct “due diligence” on a business
associate to verify compliance with the BAA or HIPAA. To do so, the business
associate should be required to make relevant books, records and policies
available to the covered entity on a confidential basis.
26. Indemnification
• Indemnification is the concept through which the party at fault makes the
other party whole; in other words, the breaching party will pay the costs,
expenses, fines and losses the non-breaching party incurs as a result of the
breaching party’s act or omission.
• While many underlying agreements will address indemnification, it is often
best to specifically address indemnification in the business associate
agreement and how it applies to the use and disclosure of PHI.
• Goal: to not incur costs or damages due to the act or omission of the other
party. Costs and damages typically are incurred under a business associate
agreement with respect to data breaches and HIPAA violations.
27. Indemnification
• Negotiating Points:
v Business associate should be responsible for all costs the covered entity
incurs due to a breach or violation of law/the BAA. If the business
associate refuses such a “blank check,” the indemnification clause
should specify the costs for which the business associate will be
responsible (e.g. attorney fees, notification costs).
v Caps? Many business associates will want a cap or a limitation on their
liability. While often reasonable, seek to tie the cap to the amount of
PHI or the risk profile of the arrangement. Also consider linking
indemnification to insurance (to be discussed later on).
v Be careful about limitations on liability contained in the underlying
agreement.
28. Mutual Indemnification
• Often, one party will propose replacing a standard indemnification clause
with “mutual indemnification.” This means that each party will indemnify
the other, typically for the same costs and damages.
• Negotiating Points:
v Mutual indemnification is generally more beneficial to the covered
entity than the business associate because in a business associate
relationship, the covered entity is more likely to be the one seeking to
recover costs or damages.
v In a business associate agreement, the business associate is the party
more likely to violate the agreement because it has more
obligations under the agreement.
29. Breach Reimbursement
• When indemnification is not on the table, or is unnecessarily delaying
negotiations, consider breach reimbursement as an alternative.
v Focusing business associate liability on breach reimbursement benefits
the business associate by limiting the scope of potential liability, and
the covered entity by protecting it against its greatest monetary risk.
v Consider:
► Caps - tied to insurance?
► Identifying specific costs to be reimbursed (e.g. call center?
attorney fees?).
► Reimburse for subcontractor breaches.
30. Dealing with Sovereign Immunity
• Sovereign immunity is the legal rule that an individual or entity may not
sue or file a claim against a government agency or official unless the
government consents to being sued.
v This rule applies in some, but not all, states.
v May include state agencies or state educational facilities.
• Result is that if you contract with a state agency with sovereign immunity
and the state agency is your business associate, and the state agency then
loses a laptop with the names and Social Security numbers of 10,000 of
your patients, you may have an exceedingly difficult time trying to get the
state agency to indemnify or reimburse you for your costs.
• Negotiating Point: Have the state agency assume responsibility for any
breach response, notification and mitigation.
31. Insurance
• An indemnification clause is valuable only to the extent the indemnifying
party can pay what is owed. Given the high and increasing costs of data
breaches and HIPAA violations, covered entities often feel more secure
knowing that a business associate has appropriate insurance to cover its
indemnification obligations.
• Negotiating Points:
v Generally speaking, insurance is more important when dealing with a
small, financially insecure business associate than a large, established
company (e.g. a one-person start-up vs. large public company).
v Not just any insurance will do – traditional liability and malpractice
policies won’t cover breaches – require cyber liability insurance.
33. Insurance
• Negotiating Points (cont.)
v Establish minimum insurance limits that the business associate must maintain
throughout the term of the business associate agreement.
► Consider tail coverage – some breaches are discovered only after the
arrangement ends.
v Don’t limit your indemnification to the insurance coverage – insurance doesn’t
cover everything and you still want to be made whole regardless of the scope of
the applicable insurance policy.
► Consider a bifurcated cap – covered costs paid by, and to the maximum
amount of, insurance; other costs paid out of pocket.
► Note: Insurance typically does not cover fines or penalties.
v How much to require? Depends upon the amount of PHI, the risk profile of the
arrangement, and the bargaining positions of the parties.
34. De-Identification of PHI
• De-identification is the process by which certain identifiers are removed
from PHI so that the subject of the PHI can no longer be identified.
• Many vendors seek a right to de-identify PHI they receive to use for their
own purposes, such as research or quality improvement.
• When vendors first started doing this, covered entities often sought to
prevent de-identification in the business associate agreements. However, it
has become much more common and largely accepted.
• Negotiating Points:
v Require that any de-identification be performed in accordance with
HIPAA.
v Require covered entity identifiers to also be removed.
v Hold the business associate responsible for improper de-identification.
35. Security Safeguards
• Review what type and how much information you are providing to a
business associate – given the risk profile of the PHI being provided,
should the covered entity require any particular safeguards to be employed
by the business associate?
• Consider the following:
v Mandate encryption when PHI is emailed or stored.
v Mandate confidentiality agreements with business associate employees
with access to the PHI.
v Mandate adherence to any applicable state laws or standards.
v Prohibit storage of PHI on personal devices or servers.
36. Change of Law
• HIPAA and its implementing regulations, as is true with many health care laws, are
routinely being amended, revised and re-interpreted. Because of this, an
arrangement that is legal today may become questionable, more risky, or even
illegal tomorrow.
• To address this concern, consider the following:
v Covered entity retains the right to amend the business associate agreement in
the event of a change in law.
v Covered entity may do this unilaterally (preferred) or in consultation with the
business associate. Failure to agree to a timely and satisfactory amendment
would terminate the business associate agreement and the underlying
agreement.
v Negotiating Tip: Don’t be held hostage by the other party – ensure an ability to
modify or get out of an agreement should it become illegal or questionable.
37. Where Do BAA Negotiations Go Awry?
• Negotiators often spend considerable time and effort on BAA terms which,
while important, may not be a covered entity’s priorities. These may
include:
v Governing law – if unable to get your preferred state, defer to the
underlying agreement, go with Delaware or leave blank.
v Assignment – consider whether you care if the vendor gets bought out
or sold – are you interested in the person or the company?
v Individual rights – many vendors won’t have a “designated record set”
and won’t be subject to the individual rights provisions. Consider if the
provisions apply to the business associate arrangement prior to
negotiating.
38. HIPAA Education Series sponsored by:
www.compliancy-group.com
855.85 HIPAA (855.854.4722)
Compliance In 3 Steps! [sponsor slide chart; categories shown: The Guard, Outside Consultant, Manuals or Templates, Risk Assessment Provider, Other Compliance Software]