www.shipmangoodwin.com
HARTFORD | STAMFORD | GREENWICH | WASHINGTON, DC
@SGHealthLaw
Negotiating Business Associate Agreements
February 19, 2015
William J. Roberts, Esq.
© Shipman & Goodwin LLP 2015. All rights reserved.
About HIPAA
•  HIPAA is a federal law that governs the use, disclosure and safeguarding of individually identifiable health information.
•  One of many state and federal laws that govern information held by health care providers and health plans. Others include:
   ❖  Substance abuse confidentiality regulations; and
   ❖  State personal information laws.
When Does HIPAA Apply?
•  HIPAA applies to most health care providers and health plans (“covered entities”) and certain third parties who use PHI to provide services for or on behalf of the covered entity (“business associates”).
   ❖  Business associates often include attorneys, consultants, IT firms, shredding companies and other vendors.
•  Exceptions may include:
   ❖  health care services provided by schools or colleges/universities; or
   ❖  certain health care providers that are cash-only.
What Information Does HIPAA Protect?
•  HIPAA applies to and protects “protected health information”, usually referred to as “PHI.”
•  PHI is health information about a patient created or received by health care providers and health plans. PHI includes information:
   ❖  Sent or stored in any form (written, verbal or electronic);
   ❖  That identifies the patient or can be used to identify the patient; and
   ❖  That generally is about a patient’s past, present and/or future treatment, health status or payment of services.
•  In other words: PHI is any health information that can lead to the identity of the individual, or whose contents can be used to make a reasonable assumption as to the individual’s identity.
Identifying Business Associates
•  Any individual or organization that either:
   ❖  Creates, receives, maintains, or transmits PHI on behalf of a covered entity for a function or activity regulated under HIPAA, such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing; or
   ❖  Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI.
•  Those who store or otherwise maintain PHI.
•  Certain data transmission services.
•  Certain personal health record vendors.
•  Subcontractors.
Identifying Business Associates
•  Who is not a business associate?
   ❖  Workforce members.
   ❖  Parties receiving PHI through litigation proceedings.
   ❖  Recipients of PHI disclosed when required or permitted by law, such as disclosures to law enforcement or state agencies.
   ❖  Typically, cleaning/food services.
•  Managing Business Associates
   ❖  Keep a file of all business associate agreements – make sure they are executed and kept current.
   ❖  Periodically review vendors to see if any business associate agreements are missing.
Data Transmission Services
•  Data Transmission Services
   ❖  Business associates include health information organizations and e-prescribing gateways.
   ❖  To qualify as a business associate, the data transmission service must have “routine” access to the PHI it is transmitting.
   ❖  The “conduit exception” – if an entity is simply acting as a pass-through with no routine access, it is not a business associate.
      ►  Examples include telephone company, UPS and courier services.
Personal Health Record Vendors
•  Personal Health Record vendors may be a business associate.
   ❖  Not all vendors of personal health records will be your business associate.
   ❖  Fact-specific determination.
   ❖  Key: If you are hiring a vendor to provide a personal health record service for your patients, the vendor is likely a business associate.
Entities that “Maintain” PHI
•  The definition of business associate includes entities which “maintain” PHI on behalf of a covered entity, even if the entity does not access or view the PHI.
   ❖  Includes paper record and cloud storage firms.
   ❖  Whether the vendor accesses your PHI is irrelevant.
•  Entities that “temporarily” maintain or store PHI.
   ❖  If the conduit exception applies, no business associate relationship (i.e. UPS or an internet service provider temporarily storing PHI while transmitting it, while not routinely accessing it).
   ❖  Otherwise, temporary storage would create a business associate relationship (e.g. a shredding company which temporarily maintains PHI prior to shredding it).
Subcontractors
•  The definition of “business associate” includes subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate.
   ❖  Excludes workforce members.
   ❖  Examples:
      ►  Hospital engages a consulting firm to advise the hospital on quality and patient safety issues, and provides PHI to the consulting firm as part of the engagement.
      ►  Consulting firm in turn provides the PHI to a third party copy center, off-site shredding firm and cloud storage email platform.
•  HIPAA applies to all downstream subcontractors in the same manner as it applies to the business associates that directly contract with covered entities.
Vicarious Liability
•  A covered entity may be liable for the acts or omissions of its business associates, and a business associate may be liable for the acts or omissions of its subcontractors.
•  When are you liable?
   ❖  You may be liable if the business associate/subcontractor is your “agent”.
   ❖  No bright line rules for when a business associate/subcontractor is an agent – facts and circumstances approach.
   ❖  Key factor: If you can control the business associate’s or subcontractor’s conduct, the business associate or subcontractor is likely your agent.
Vicarious Liability
•  Reducing Your Exposure:
   ❖  Attempt to structure vendor relationships to avoid vicarious liability.
   ❖  Consider how much ability to control a business associate’s or subcontractor’s acts you need (if any).
   ❖  Agreements should be narrowly tailored to specific tasks and obligations.
   ❖  Language saying “not an agent” is insufficient.
   ❖  Do you really need to disclose PHI?
Polling Question #1
Vicarious Liability
•  Reducing Your Exposure (cont.)
   ❖  Consider conducting due diligence prior to contracting with business associates.
   ❖  Don’t assume the business associate complies with HIPAA.
   ❖  Consider requesting to see copies of HIPAA policies and procedures.
   ❖  Consider security review and audits.
•  Note: Do you have the time, money and resources to take the above actions? If not, consider a more modest approach, such as a vendor questionnaire.
Business Associate Agreements
•  The business associate agreement or “BAA” is the agreement entered into between the covered entity and the business associate to govern the business associate’s creation, use, maintenance and disclosure of PHI.
•  Typically a separate agreement that applies to one or more underlying agreements, such as service contracts.
   ❖  May also be an addendum or embedded in the body of the service agreement.
   ❖  Generally, a best practice is to have only one business associate agreement between one covered entity and one business associate to govern all agreements and relationships between the parties.
Business Associate Agreements
•  HIPAA requires business associate agreements to address:
   ❖  Compliance with the Security Rule;
   ❖  Compliance with the Privacy Rule (as applicable);
   ❖  Reporting breaches of unsecured PHI;
   ❖  Business associate’s subcontractors must agree to the same restrictions and conditions that apply to the business associate;
   ❖  Impermissible uses and disclosures;
   ❖  Access to electronic PHI;
   ❖  Required disclosures to the U.S. Department of Health and Human Services for the purpose of determining business associate’s compliance with HIPAA; and
   ❖  Limiting disclosures to the minimum necessary.
Subcontractor Agreements
•  Business associates must enter into agreements with each of their subcontractors that receive or have access to PHI.
   ❖  May be called business associate agreements or HIPAA subcontractor agreements.
•  Negotiation Points:
   ❖  Ensure that the subcontractor agreement allows the business associate to comply with the obligations it owes to the covered entity.
   ❖  Business associate should retain right to amend subcontractor agreement in the event the business associate agreement with the covered entity changes.
   ❖  Clarify who is responsible for a breach or HIPAA violation by the subcontractor.
Key Terms and Provisions
•  When drafting, reviewing and negotiating business associate agreements, one should be focused on certain key terms. While all parts of the agreement are important, these are the terms that are most likely to affect the parties’ liability and obligations:
   ❖  Breach notification and mitigation
   ❖  Cooperation
   ❖  Indemnification
   ❖  Insurance
   ❖  De-Identification
   ❖  Security Safeguards
   ❖  Change of Law
General Considerations
•  Develop your own form business associate agreement.
   ❖  Worth the exercise to determine what you want in the agreement and what your risk profile is.
   ❖  Try to start with your own form and negotiate from there.
•  When negotiating a business associate agreement, your goal should be to protect your organization – not to argue/win on every point.
   ❖  In other words, stay focused and don’t over-lawyer.
   ❖  Recognize your bargaining power and market position and be realistic in what you can achieve.
Polling Question #2
Breach Notification
•  HIPAA requires covered entities to notify affected individuals of a breach of their unsecured (i.e. unencrypted) PHI.
   ❖  Notifications may also be necessary to the media or government regulators.
   ❖  States may have their own notification requirements, such as to an Attorney General or consumer protection department.
   ❖  Notifications must be made as soon as practicable but within no more than 60 days of discovery.
•  HIPAA requires a business associate to notify a covered entity of a breach of unsecured PHI as soon as practicable but within no more than 60 days of discovery.
Breach Notification
•  Negotiation Points:
   ❖  While up to 60 days is permitted by law, regulators will not look fondly upon covered entities who give their business associates that much time – push for a shorter maximum reporting time frame.
   ❖  If a business associate is concerned about producing a list of affected individuals within a very short time frame (e.g. 3 days), consider a bifurcated obligation – tell the covered entity of the breach first, and give the covered entity the necessary information later.
   ❖  Make the business associate responsible for receiving timely reports from its subcontractors.
   ❖  Consider state laws that may require quicker breach reporting, particularly when Social Security numbers are involved.
Breach Mitigation
•  In addition to breach reporting, many covered entities expect more from their business associates. In other words, if the business associate caused the problem, they own the problem.
•  Consider:
   ❖  Require business associate to take reasonable steps to mitigate any potential harm from the breach, including such steps as the covered entity may reasonably require.
   ❖  Include specific actions the business associate must take, such as attempting to retrieve any lost or stolen information or operating (or arranging for) a call center through which affected individuals can have their questions answered.
   ❖  Require the business associate to make its records, personnel and advisors available to the covered entity for purposes of the covered entity completing its investigation of the breach.
Cooperation
•  Investigations.
   ❖  When under investigation by an Attorney General, the Office for Civil Rights, or another state or federal agency, cooperation by the business associate is often vital.
   ❖  Include a provision in the BAA that requires the business associate to participate in the investigation and provide the information the covered entity needs. If the investigation is due to an act or omission of business associate, business associate’s cooperation should be at its cost and expense. Otherwise, covered entity typically is required to reimburse the business associate for its costs.
•  Access to Books, Records and Policies.
   ❖  At times, a covered entity may want to conduct “due diligence” on a business associate to verify compliance with the BAA or HIPAA. To do so, business associate should be required to make relevant books, records and policies available to the covered entity on a confidential basis.
Indemnification
•  Indemnification is the concept through which the party at fault makes the
other party whole; in other words, the breaching party will pay the costs,
expenses, fines and losses the non-breaching party incurs as a result of the
breaching party’s act or omission.
•  While many underlying agreements will address indemnification, it is often
best to specifically address indemnification in the business associate
agreement and how it applies to the use and disclosure of PHI.
•  Goal: to not incur costs or damages due to the act or omission of the other
party. Costs and damages typically are incurred under a business associate
agreement with respect to data breaches and HIPAA violations.
Indemnification
•  Negotiating Points:
   ❖  Business associate should be responsible for all costs the covered entity incurs due to a breach or violation of law/the BAA. If the business associate refuses such a “blank check,” the indemnification clause should specify the costs for which the business associate will be responsible (e.g. attorney fees, notification costs).
   ❖  Caps? Many business associates will want a cap or a limitation on their liability. While often reasonable, seek to tie the cap to the amount of PHI or the risk profile of the arrangement. Also consider linking indemnification to insurance (to be discussed later on).
   ❖  Be careful about limitations on liability contained in the underlying agreement.
Mutual Indemnification
•  Often, one party will propose replacing a standard indemnification clause with “mutual indemnification.” This means that each party will indemnify the other, typically for the same costs and damages.
•  Negotiating Points:
   ❖  Mutual indemnification is generally more beneficial to the covered entity than the business associate because in a business associate relationship, the covered entity is more likely to be the one seeking to recover costs or damages.
   ❖  In a business associate agreement, the business associate is the party more likely to violate the agreement because they have more obligations under the agreement.
Breach Reimbursement
•  When indemnification is not on the table, or is unnecessarily delaying negotiations, consider breach reimbursement as an alternative.
   ❖  Focusing business associate liability on breach reimbursement benefits the business associate by limiting the scope of potential liability, and the covered entity by protecting it against its greatest monetary risk.
   ❖  Consider:
      ►  Caps - tied to insurance?
      ►  Identifying specific costs to be reimbursed (e.g. call center? attorney fees?).
      ►  Reimburse for subcontractor breaches.
Dealing with Sovereign Immunity
•  Sovereign immunity is the legal rule that an individual or entity may not sue or file a claim against a government agency or official unless the government consents to being sued.
   ❖  This rule applies in some, but not all, states.
   ❖  May include state agencies or state educational facilities.
•  Result is that if you contract with a state agency with sovereign immunity and the state agency is your business associate, and the state agency then loses a laptop with the names and Social Security numbers of 10,000 of your patients, you may have an exceedingly difficult time trying to get the state agency to indemnify or reimburse you for your costs.
•  Negotiating Point: Have the state agency assume responsibility for any breach response, notification and mitigation.
Insurance
•  An indemnification clause is valuable only to the extent the indemnifying party can pay what is owed. Given the high, and increasing, costs of data breaches and HIPAA violations, covered entities often feel more secure knowing that a business associate has appropriate insurance to cover indemnification obligations.
•  Negotiating Points:
   ❖  Generally speaking, insurance is more important when dealing with a small, financially insecure business associate than a large, established company (e.g. a one-person start-up vs. large public company).
   ❖  Not just any insurance will do – traditional liability and malpractice policies won’t cover breaches – require cyber liability insurance.
Polling Question #3
Insurance
•  Negotiating Points (cont.)
   ❖  Establish minimum insurance limits that the business associate must maintain throughout the term of the business associate agreement.
      ►  Consider tail coverage – some breaches are discovered only after the arrangement ends.
   ❖  Don’t limit your indemnification to the insurance coverage – insurance doesn’t cover everything and you still want to be made whole regardless of the scope of the applicable insurance policy.
      ►  Consider a bifurcated cap – covered costs paid by, and to the maximum amount of, insurance; other costs paid out of pocket.
      ►  Note: Insurance typically does not cover fines or penalties.
   ❖  How much to require? Depends upon the amount of PHI, the risk profile of the arrangement, and the bargaining positions of the parties.
De-Identification of PHI
•  De-identification is the process by which certain identifiers are removed from PHI so that the subject of the PHI can no longer be identified.
•  Many vendors seek a right to de-identify PHI they receive to use for their own purposes, such as research or quality improvement.
•  When vendors first started doing this, covered entities often sought to prevent de-identification in the business associate agreements. However, it has become much more common and largely accepted.
•  Negotiating Points:
   ❖  Require that any de-identification be performed in accordance with HIPAA.
   ❖  Require covered entity identifiers to also be removed.
   ❖  Hold the business associate responsible for improper de-identification.
Security Safeguards
•  Review what type and how much information you are providing to a business associate – given the risk profile of the PHI being provided, should the covered entity require any particular safeguards to be employed by the business associate?
•  Consider the following:
   ❖  Mandate encryption when PHI is emailed or stored.
   ❖  Mandate confidentiality agreements with business associate employees with access to the PHI.
   ❖  Mandate adherence to any applicable state laws or standards.
   ❖  Prohibit storage of PHI on personal devices or servers.
Change of Law
•  HIPAA and its implementing regulations, as is true with many health care laws, are routinely being amended, revised and re-interpreted. Because of this, an arrangement that is legal today may become questionable, more risky, or even illegal tomorrow.
•  To address this concern, consider the following:
   ❖  Covered entity retains the right to amend the business associate agreement in the event of a change in law.
   ❖  Covered entity may do this unilaterally (preferred) or in consultation with the business associate. Failure to agree to a timely and satisfactory amendment would terminate the business associate agreement and the underlying agreement.
   ❖  Negotiating Tip: Don’t be held hostage by the other party – ensure an ability to modify or get out of an agreement should it become illegal or questionable.
Where Do BAA Negotiations Go Awry?
•  Negotiators often spend considerable time and effort on BAA terms which, while important, may not be a covered entity’s priorities. These may include:
   ❖  Governing law – if unable to get your preferred state, defer to the underlying agreement, go with Delaware or leave blank.
   ❖  Assignment – consider whether you care if the vendor gets bought out or sold – are you interested in the person or the company?
   ❖  Individual rights – many vendors won’t have a “designated record set” and won’t be subject to the individual rights provisions. Consider if the provisions apply to the business associate arrangement prior to negotiating.
HIPAA Education Series sponsored by:
www.compliancy-group.com
855.85 HIPAA (855.854.4722)
Questions?
Meaningful Use vs HIPAAMeaningful Use vs HIPAA
Meaningful Use vs HIPAA
Compliancy Group
 
How to Increase Your Profits Using Patient Payments on File, Recurring and On...
How to Increase Your Profits Using Patient Payments on File, Recurring and On...How to Increase Your Profits Using Patient Payments on File, Recurring and On...
How to Increase Your Profits Using Patient Payments on File, Recurring and On...
Compliancy Group
 
Why a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA ComplianceWhy a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA Compliance
Compliancy Group
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challenge
Compliancy Group
 
What you need to know about Meaningful Use 2 & interoperability
What you need to know about Meaningful Use 2 & interoperabilityWhat you need to know about Meaningful Use 2 & interoperability
What you need to know about Meaningful Use 2 & interoperability
Compliancy Group
 
Just the Facts- Meaningful Use Stage 2 & ICD 10
Just the Facts- Meaningful Use Stage 2 & ICD 10Just the Facts- Meaningful Use Stage 2 & ICD 10
Just the Facts- Meaningful Use Stage 2 & ICD 10
Compliancy Group
 
Is Your EHR Safe? New Technologies for Auditing
Is Your EHR Safe? New Technologies for AuditingIs Your EHR Safe? New Technologies for Auditing
Is Your EHR Safe? New Technologies for Auditing
Compliancy Group
 
Business Associate and HIPAA Comliance Infographic
Business Associate and HIPAA Comliance InfographicBusiness Associate and HIPAA Comliance Infographic
Business Associate and HIPAA Comliance Infographic
Compliancy Group
 
Surving a HIPAA Audit Infographic
Surving a HIPAA Audit InfographicSurving a HIPAA Audit Infographic
Surving a HIPAA Audit Infographic
Compliancy Group
 
Cyber & Privacy Risk Infographic
Cyber & Privacy Risk InfographicCyber & Privacy Risk Infographic
Cyber & Privacy Risk Infographic
Compliancy Group
 
Surviving a HIPAA Audit: Five Crucial Steps
Surviving a HIPAA Audit: Five Crucial Steps Surviving a HIPAA Audit: Five Crucial Steps
Surviving a HIPAA Audit: Five Crucial Steps
Compliancy Group
 
Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...
Compliancy Group
 

More from Compliancy Group (20)

HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016
 
How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud
 
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...Business Associates: How to become HIPAA compliant, increase revenue, and gai...
Business Associates: How to become HIPAA compliant, increase revenue, and gai...
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
 
How to prepare for OCR's upcoming phase 2 audits
How to prepare for OCR's upcoming phase 2 auditsHow to prepare for OCR's upcoming phase 2 audits
How to prepare for OCR's upcoming phase 2 audits
 
Preparing for the unexpected in your medical practice
Preparing for the unexpected in your medical practicePreparing for the unexpected in your medical practice
Preparing for the unexpected in your medical practice
 
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...
HIPAA Compliance and Electronic Protected Health Information: Ignorance is no...
 
How to Survive a HIPAA Audit
How to Survive a HIPAA AuditHow to Survive a HIPAA Audit
How to Survive a HIPAA Audit
 
Meaningful Use vs HIPAA
Meaningful Use vs HIPAAMeaningful Use vs HIPAA
Meaningful Use vs HIPAA
 
How to Increase Your Profits Using Patient Payments on File, Recurring and On...
How to Increase Your Profits Using Patient Payments on File, Recurring and On...How to Increase Your Profits Using Patient Payments on File, Recurring and On...
How to Increase Your Profits Using Patient Payments on File, Recurring and On...
 
Why a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA ComplianceWhy a Risk Assessment is NOT Enough for HIPAA Compliance
Why a Risk Assessment is NOT Enough for HIPAA Compliance
 
The must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challengeThe must have tools to address your HIPAA compliance challenge
The must have tools to address your HIPAA compliance challenge
 
What you need to know about Meaningful Use 2 & interoperability
What you need to know about Meaningful Use 2 & interoperabilityWhat you need to know about Meaningful Use 2 & interoperability
What you need to know about Meaningful Use 2 & interoperability
 
Just the Facts- Meaningful Use Stage 2 & ICD 10
Just the Facts- Meaningful Use Stage 2 & ICD 10Just the Facts- Meaningful Use Stage 2 & ICD 10
Just the Facts- Meaningful Use Stage 2 & ICD 10
 
Is Your EHR Safe? New Technologies for Auditing
Is Your EHR Safe? New Technologies for AuditingIs Your EHR Safe? New Technologies for Auditing
Is Your EHR Safe? New Technologies for Auditing
 
Business Associate and HIPAA Comliance Infographic
Business Associate and HIPAA Comliance InfographicBusiness Associate and HIPAA Comliance Infographic
Business Associate and HIPAA Comliance Infographic
 
Surving a HIPAA Audit Infographic
Surving a HIPAA Audit InfographicSurving a HIPAA Audit Infographic
Surving a HIPAA Audit Infographic
 
Cyber & Privacy Risk Infographic
Cyber & Privacy Risk InfographicCyber & Privacy Risk Infographic
Cyber & Privacy Risk Infographic
 
Surviving a HIPAA Audit: Five Crucial Steps
Surviving a HIPAA Audit: Five Crucial Steps Surviving a HIPAA Audit: Five Crucial Steps
Surviving a HIPAA Audit: Five Crucial Steps
 
Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...Where security and privacy meet partnering tips for CSOs and privacy/complian...
Where security and privacy meet partnering tips for CSOs and privacy/complian...
 

Recently uploaded

How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17
Celine George
 
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UPLAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
RAHUL
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
Nguyen Thanh Tu Collection
 
How to Create a More Engaging and Human Online Learning Experience
How to Create a More Engaging and Human Online Learning Experience How to Create a More Engaging and Human Online Learning Experience
How to Create a More Engaging and Human Online Learning Experience
Wahiba Chair Training & Consulting
 
Wound healing PPT
Wound healing PPTWound healing PPT
Wound healing PPT
Jyoti Chand
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
Nguyen Thanh Tu Collection
 
clinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdfclinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdf
Priyankaranawat4
 
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingYour Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Excellence Foundation for South Sudan
 
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptxPrésentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
siemaillard
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
Jean Carlos Nunes Paixão
 
Life upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for studentLife upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for student
NgcHiNguyn25
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
Priyankaranawat4
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE”           .MARY JANE WILSON, A “BOA MÃE”           .
MARY JANE WILSON, A “BOA MÃE” .
Colégio Santa Teresinha
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Fajar Baskoro
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
History of Stoke Newington
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
Academy of Science of South Africa
 
Leveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit InnovationLeveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit Innovation
TechSoup
 
BBR 2024 Summer Sessions Interview Training
BBR  2024 Summer Sessions Interview TrainingBBR  2024 Summer Sessions Interview Training
BBR 2024 Summer Sessions Interview Training
Katrina Pritchard
 
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
heathfieldcps1
 
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
Diana Rendina
 

Recently uploaded (20)

How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17How to Make a Field Mandatory in Odoo 17
How to Make a Field Mandatory in Odoo 17
 
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UPLAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
LAND USE LAND COVER AND NDVI OF MIRZAPUR DISTRICT, UP
 
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
BÀI TẬP BỔ TRỢ TIẾNG ANH LỚP 9 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2024-2025 - ...
 
How to Create a More Engaging and Human Online Learning Experience
How to Create a More Engaging and Human Online Learning Experience How to Create a More Engaging and Human Online Learning Experience
How to Create a More Engaging and Human Online Learning Experience
 
Wound healing PPT
Wound healing PPTWound healing PPT
Wound healing PPT
 
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
BÀI TẬP BỔ TRỢ TIẾNG ANH 8 CẢ NĂM - GLOBAL SUCCESS - NĂM HỌC 2023-2024 (CÓ FI...
 
clinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdfclinical examination of hip joint (1).pdf
clinical examination of hip joint (1).pdf
 
Your Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective UpskillingYour Skill Boost Masterclass: Strategies for Effective Upskilling
Your Skill Boost Masterclass: Strategies for Effective Upskilling
 
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptxPrésentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
Présentationvvvvvvvvvvvvvvvvvvvvvvvvvvvv2.pptx
 
A Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdfA Independência da América Espanhola LAPBOOK.pdf
A Independência da América Espanhola LAPBOOK.pdf
 
Life upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for studentLife upper-Intermediate B2 Workbook for student
Life upper-Intermediate B2 Workbook for student
 
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdfANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
 
MARY JANE WILSON, A “BOA MÃE” .
MARY JANE WILSON, A “BOA MÃE”           .MARY JANE WILSON, A “BOA MÃE”           .
MARY JANE WILSON, A “BOA MÃE” .
 
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptxPengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
 
The History of Stoke Newington Street Names
The History of Stoke Newington Street NamesThe History of Stoke Newington Street Names
The History of Stoke Newington Street Names
 
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
 
Leveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit InnovationLeveraging Generative AI to Drive Nonprofit Innovation
Leveraging Generative AI to Drive Nonprofit Innovation
 
BBR 2024 Summer Sessions Interview Training
BBR  2024 Summer Sessions Interview TrainingBBR  2024 Summer Sessions Interview Training
BBR 2024 Summer Sessions Interview Training
 
The basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptxThe basics of sentences session 6pptx.pptx
The basics of sentences session 6pptx.pptx
 
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
Reimagining Your Library Space: How to Increase the Vibes in Your Library No ...
 

HIPAA Compliance and Non-Business Associate Vendors - Strategies and Best Practices

  • 1. www.shipmangoodwin.com HARTFORD | STAMFORD | GREENWICH | WASHINGTON, DC @SGHealthLaw Negotiating Business Associate Agreements February 19, 2015 William J. Roberts, Esq. © Shipman & Goodwin LLP 2015. All rights reserved. Copyright 2015
  • 2. About HIPAA
      • HIPAA is a federal law that governs the use, disclosure and safeguarding of individually identifiable health information.
      • One of many state and federal laws that govern information held by health care providers and health plans. Others include:
          - Substance abuse confidentiality regulations; and
          - State personal information laws.
  • 3. When Does HIPAA Apply?
      • HIPAA applies to most health care providers and health plans (“covered entities”) and certain third parties who use PHI to provide services for or on behalf of the covered entity (“business associates”).
          - Business associates often include attorneys, consultants, IT firms, shredding companies and other vendors.
      • Exceptions may include:
          - health care services provided by schools or colleges/universities; or
          - certain health care providers that are cash-only.
  • 4. What Information Does HIPAA Protect?
      • HIPAA applies to and protects “protected health information”, usually referred to as “PHI.”
      • PHI is health information about a patient created or received by health care providers and health plans. PHI includes information:
          - Sent or stored in any form (written, verbal or electronic);
          - That identifies the patient or can be used to identify the patient; and
          - That generally is about a patient’s past, present and/or future treatment, health status or payment of services.
      • In other words: PHI is any health information that can lead to the identity of the individual, or whose contents can be used to make a reasonable assumption as to the individual’s identity.
  • 6. Identifying Business Associates
      • Any individual or organization that either:
          - Creates, receives, maintains, or transmits PHI on behalf of a covered entity for a function or activity regulated under HIPAA, such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing; or
          - Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI.
      • Those who store or otherwise maintain PHI.
      • Certain data transmission services.
      • Certain personal health record vendors.
      • Subcontractors.
  • 7. Identifying Business Associates
      • Who is not a business associate?
          - Workforce members.
          - Parties receiving PHI through litigation proceedings.
          - Recipients of PHI disclosed when required or permitted by law, such as disclosures to law enforcement or state agencies.
          - Typically, cleaning/food services.
      • Managing Business Associates
          - Keep a file of all business associate agreements – make sure they are executed and kept current.
          - Periodically review vendors to see if any business associate agreements are missing.
  • 8. Data Transmission Services
      • Data Transmission Services
          - Business associates include health information organizations and e-prescribing gateways.
          - To qualify as a business associate, the data transmission service must have “routine” access to the PHI it is transmitting.
          - The “conduit exception” – if an entity is simply acting as a pass-through with no routine access, not a business associate.
              ► Examples include telephone company, UPS and courier services.
  • 9. Personal Health Record Vendors
      • Personal Health Record vendors may be a business associate.
          - Not all vendors of personal health records will be your business associate.
          - Fact-specific determination.
          - Key: If you are hiring a vendor to provide a personal health record service for your patients, the vendor is likely a business associate.
  • 10. Entities that “Maintain” PHI
      • The definition of business associate includes entities which “maintain” PHI on behalf of a covered entity, even if the entity does not access or view the PHI.
          - Includes paper record and cloud storage firms.
          - Whether the vendor accesses your PHI is irrelevant.
      • Entities that “temporarily” maintain or store PHI.
          - If the conduit exception applies, no business associate relationship (i.e. UPS or an internet service provider temporarily storing PHI while transmitting it, while not routinely accessing it).
          - Otherwise, temporary storage would create a business associate relationship (e.g. a shredding company which temporarily maintains PHI prior to shredding it).
  • 11. Subcontractors
      • The definition of “business associate” includes subcontractors that create, receive, maintain, or transmit PHI on behalf of a business associate.
          - Excludes workforce members.
          - Examples:
              ► Hospital engages a consulting firm to advise the hospital on quality and patient safety issues, and provides PHI to the consulting firm as part of the engagement.
              ► Consulting firm in turn provides the PHI to a third party copy center, off-site shredding firm and cloud storage email platform.
      • HIPAA applies to all downstream subcontractors in the same manner as it applies to the business associates that directly contract with covered entities.
  • 12. Vicarious Liability
      • A covered entity may be liable for the acts or omissions of its business associates, and a business associate may be liable for the acts or omissions of its subcontractors.
      • When are you liable?
          - You may be liable if the business associate/subcontractor is your “agent”.
          - No bright line rules for when a business associate/subcontractor is an agent – facts and circumstances approach.
          - Key factor: If you can control the business associate’s or subcontractor’s conduct, the business associate or subcontractor is likely your agent.
  • 13. Vicarious Liability
      • Reducing Your Exposure:
          - Attempt to structure vendor relationships to avoid vicarious liability.
          - Consider how much ability to control a business associate’s or subcontractor’s acts you need (if any).
          - Agreements should be narrowly tailored to specific tasks and obligations.
          - Language saying “not an agent” is insufficient.
          - Do you really need to disclose PHI?
  • 15. Vicarious Liability
      • Reducing Your Exposure (cont.)
          - Consider conducting due diligence prior to contracting with business associates.
          - Don’t assume the business associate complies with HIPAA.
          - Consider requesting to see copies of HIPAA policies and procedures.
          - Consider security review and audits.
      • Note: Do you have the time, money and resources to take the above actions? If not, consider a more modest approach, such as a vendor questionnaire.
  • 16. Business Associate Agreements
      • The business associate agreement or “BAA” is the agreement entered into between the covered entity and the business associate to govern the business associate’s creation, use, maintenance and disclosure of PHI.
      • Typically a separate agreement that applies to one or more underlying agreements, such as service contracts.
          - May also be an addendum or embedded in the body of the service agreement.
          - Generally, a best practice is to have only one business associate agreement between one covered entity and one business associate to govern all agreements and relationships between the parties.
  • 17. Business Associate Agreements
      • HIPAA requires business associate agreements to address:
          - Compliance with the Security Rule;
          - Compliance with the Privacy Rule (as applicable);
          - Reporting breaches of unsecured PHI;
          - Business associate’s subcontractors must agree to the same restrictions and conditions that apply to the business associate;
          - Impermissible uses and disclosures;
          - Access to electronic PHI;
          - Required disclosures to the U.S. Department of Health and Human Services for the purpose of determining business associate’s compliance with HIPAA; and
          - Limiting disclosures to the minimum necessary.
  • 18. Subcontractor Agreements
      • Business associates must enter into agreements with each of their subcontractors that receive or have access to PHI.
          - May be called business associate agreements or HIPAA subcontractor agreements.
      • Negotiation Points:
          - Ensure that the subcontractor agreement allows the business associate to comply with the obligations it owes to the covered entity.
          - Business associate should retain the right to amend the subcontractor agreement in the event the business associate agreement with the covered entity changes.
          - Clarify who is responsible for a breach or HIPAA violation by the subcontractor.
  • 19. Key Terms and Provisions
      • When drafting, reviewing and negotiating business associate agreements, one should be focused on certain key terms. While all parts of the agreement are important, these are the terms that are most likely to affect the parties’ liability and obligations:
          - Breach notification and mitigation
          - Cooperation
          - Indemnification
          - Insurance
          - De-Identification
          - Security Safeguards
          - Change of Law
  • 20. General Considerations
      • Develop your own form business associate agreement.
          - Worth the exercise to determine what you want in the agreement and what your risk profile is.
          - Try to start with your own form and negotiate from there.
      • When negotiating a business associate agreement, your goal should be to protect your organization – not to argue/win on every point.
          - In other words, stay focused and don’t over-lawyer.
          - Recognize your bargaining power and market position and be realistic in what you can achieve.
  • 22. Breach Notification
      • HIPAA requires covered entities to notify affected individuals of a breach of their unsecured (i.e. unencrypted) PHI.
          - Notifications may also be necessary to the media or government regulators.
          - States may have their own notification requirements, such as to an Attorney General or consumer protection department.
          - Notifications must be made as soon as practicable but within no more than 60 days of discovery.
      • HIPAA requires a business associate to notify a covered entity of a breach of unsecured PHI as soon as practicable but within no more than 60 days of discovery.
  • 23. Breach Notification
      • Negotiation Points:
          - While up to 60 days is permitted by law, regulators will not look fondly upon covered entities who give their business associates that much time – push for a shorter maximum reporting time frame.
          - If a business associate is concerned about producing a list of affected individuals within a very short time frame (e.g. 3 days), consider a bifurcated obligation – tell the covered entity of the breach first, and give the covered entity the necessary information later.
          - Make the business associate responsible for receiving timely reports from its subcontractors.
          - Consider state laws that may require quicker breach reporting, particularly when Social Security numbers are involved.
  • 24. Breach Mitigation
      • In addition to breach reporting, many covered entities expect more from their business associates. In other words, if the business associate caused the problem, they own the problem.
      • Consider:
          - Require business associate to take reasonable steps to mitigate any potential harm from the breach, including such steps as the covered entity may reasonably require.
          - Include specific actions the business associate must take, such as attempt to retrieve any lost or stolen information or operate (or arrange for) a call center through which affected individuals can have their questions answered.
          - Require the business associate to make its records, personnel and advisors available to the covered entity for purposes of the covered entity completing its investigation of the breach.
  • 25. Cooperation
      • Investigations.
          - When under investigation by an Attorney General, the Office for Civil Rights, or another state or federal agency, cooperation by the business associate is often vital.
          - Include a provision in the BAA that requires the business associate to participate in the investigation and provide the information the covered entity needs. If the investigation is due to an act or omission of business associate, business associate’s cooperation should be at its cost and expense. Otherwise, covered entity typically is required to reimburse the business associate for its costs.
      • Access to Books, Records and Policies.
          - At times, a covered entity may want to conduct “due diligence” on a business associate to verify compliance with the BAA or HIPAA. To do so, business associate should be required to make relevant books, records and policies available to the covered entity on a confidential basis.
  • 26. Indemnification
    • Indemnification is the concept through which the party at fault makes the other party whole; in other words, the breaching party will pay the costs, expenses, fines and losses the non-breaching party incurs as a result of the breaching party’s act or omission.
    • While many underlying agreements will address indemnification, it is often best to specifically address indemnification in the business associate agreement and how it applies to the use and disclosure of PHI.
    • Goal: to not incur costs or damages due to the act or omission of the other party. Costs and damages typically are incurred under a business associate agreement with respect to data breaches and HIPAA violations.
  • 27. Indemnification
    • Negotiating Points:
      - Business associate should be responsible for all costs the covered entity incurs due to a breach or violation of law/the BAA. If the business associate refuses such a “blank check,” the indemnification clause should specify the costs for which the business associate will be responsible (e.g. attorney fees, notification costs).
      - Caps? Many business associates will want a cap or a limitation on their liability. While often reasonable, seek to tie the cap to the amount of PHI or the risk profile of the arrangement. Also consider linking indemnification to insurance (to be discussed later on).
      - Be careful about limitations on liability contained in the underlying agreement.
  • 28. Mutual Indemnification
    • Often, one party will propose replacing a standard indemnification clause with “mutual indemnification.” This means that each party will indemnify the other, typically for the same costs and damages.
    • Negotiating Points:
      - Mutual indemnification is generally more beneficial to the covered entity than the business associate because in a business associate relationship, the covered entity is more likely to be the one seeking to recover costs or damages.
      - In a business associate agreement, the business associate is the party more likely to violate the agreement because they have more obligations under the agreement.
  • 29. Breach Reimbursement
    • When indemnification is not on the table, or is unnecessarily delaying negotiations, consider breach reimbursement as an alternative.
      - Focusing business associate liability on breach reimbursement benefits the business associate by limiting the scope of potential liability, and the covered entity by protecting it against its greatest monetary risk.
      - Consider:
        ► Caps - tied to insurance?
        ► Identifying specific costs to be reimbursed (e.g. call center? attorney fees?).
        ► Reimburse for subcontractor breaches.
  • 30. Dealing with Sovereign Immunity
    • Sovereign immunity is the legal rule that an individual or entity may not sue or file a claim against a government agency or official unless the government consents to being sued.
      - This rule applies in some, but not all, states.
      - May include state agencies or state educational facilities.
    • Result is that if you contract with a state agency with sovereign immunity and the state agency is your business associate, and the state agency then loses a laptop with the names and Social Security numbers of 10,000 of your patients, you may have an exceedingly difficult time trying to get the state agency to indemnify or reimburse you for your costs.
    • Negotiating Point: Have the state agency assume responsibility for any breach response, notification and mitigation.
  • 31. Insurance
    • An indemnification clause is valuable only to the extent the indemnifying party can pay what is owed. Given the high and increasing costs of data breaches and HIPAA violations, covered entities often feel more secure knowing that a business associate has appropriate insurance to cover indemnification obligations.
    • Negotiating Points:
      - Generally speaking, insurance is more important when dealing with a small, financially insecure business associate than a large, established company (e.g. a one-person start-up vs. large public company).
      - Not just any insurance will do – traditional liability and malpractice policies won’t cover breaches – require cyber liability insurance.
  • 33. Insurance
    • Negotiating Points (cont.)
      - Establish minimum insurance limits that the business associate must maintain throughout the term of the business associate agreement.
        ► Consider tail coverage – some breaches are discovered only after the arrangement ends.
      - Don’t limit your indemnification to the insurance coverage – insurance doesn’t cover everything and you still want to be made whole regardless of the scope of the applicable insurance policy.
        ► Consider a bifurcated cap – covered costs paid by, and to the maximum amount of, insurance; other costs paid out of pocket.
        ► Note: Insurance typically does not cover fines or penalties.
      - How much to require? Depends upon the amount of PHI, the risk profile of the arrangement, and the bargaining positions of the parties.
  • 34. De-Identification of PHI
    • De-identification is the process by which certain identifiers are removed from PHI so that the subject of the PHI can no longer be identified.
    • Many vendors seek a right to de-identify PHI they receive to use for their own purposes, such as research or quality improvement.
    • When vendors first started doing this, covered entities often sought to prevent de-identification in the business associate agreements. However, it has become much more common and largely accepted.
    • Negotiating Points:
      - Require that any de-identification be performed in accordance with HIPAA.
      - Require covered entity identifiers to also be removed.
      - Hold the business associate responsible for improper de-identification.
  • 35. Security Safeguards
    • Review what type and how much information you are providing to a business associate – given the risk profile of the PHI being provided, should the covered entity require any particular safeguards to be employed by the business associate?
    • Consider the following:
      - Mandate encryption when PHI is emailed or stored.
      - Mandate confidentiality agreements with business associate employees with access to the PHI.
      - Mandate adherence to any applicable state laws or standards.
      - Prohibit storage of PHI on personal devices or servers.
  • 36. Change of Law
    • HIPAA and its implementing regulations, as is true with many health care laws, are routinely being amended, revised and re-interpreted. Because of this, an arrangement that is legal today may become questionable, more risky, or even illegal tomorrow.
    • To address this concern, consider the following:
      - Covered entity retains the right to amend the business associate agreement in the event of a change in law.
      - Covered entity may do this unilaterally (preferred) or in consultation with the business associate. Failure to agree to a timely and satisfactory amendment would terminate the business associate agreement and the underlying agreement.
      - Negotiating Tip: Don’t be held hostage by the other party – ensure an ability to modify or get out of an agreement should it become illegal or questionable.
  • 37. Where Do BAA Negotiations Go Awry?
    • Negotiators often spend considerable time and effort on BAA terms which, while important, may not be a covered entity’s priorities. These may include:
      - Governing law – if unable to get your preferred state, defer to the underlying agreement, go with Delaware or leave blank.
      - Assignment – consider whether you care if the vendor gets bought out or sold – are you interested in the person or the company?
      - Individual rights – many vendors won’t have a “designated record set” and won’t be subject to the individual rights provisions. Consider if the provisions apply to the business associate arrangement prior to negotiating.
  • 38. HIPAA Education Series sponsored by: www.compliancy-group.com, 855.85 HIPAA (855.854.4722)
    [Sponsor slide: “Compliance In 3 Steps!” comparison chart with columns The Guard, Outside Consultant, Manuals or Templates, Risk Assessment Provider, Other Compliance Software]