Jose Ivan Delgado, Ph.D., profile picture
Uploaded byJose Ivan Delgado, Ph.D.
470 views

Hipaa for business associates simple

The document outlines the responsibilities of business associates under HIPAA, including maintaining the privacy and security of protected health information (PHI) and conducting risk analyses. It highlights recent settlements involving breaches and emphasizes the necessity of business associate agreements between covered entities and associates. The text also explains key aspects of HIPAA compliance, the role of the HITECH Act, and the implications of the Omnibus Rule for subcontractors.

Embed presentation

HIPAA for Subcontractors and Business Associates Dr. Jose I. Delgado
HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individuals • CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee. • OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls. https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf - PDF.
$750,000 settlement highlights the need for HIPAA business associate agreements • Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) failed to execute a business associate agreement prior to turning PHI to a potential business partner. • The settlement includes a monetary payment of $750,000 and a robust corrective action plan. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic- clinic/index.html “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement • Catholic Health Care Services (CHCS) has agreed to settle potential HIPAA violations after the theft of a CHCS mobile device. • CHCS provided management and information technology services as a business associate to six skilled nursing facilities. “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.” https://www.hhs.gov/sites/default/files/chcs-racap-final.pdf
What is HIPAA? Is a federal law that: • Provides Portability: Protects and guarantees health insurance coverage when an employee changes jobs • Provides Accountability: Protects health data integrity, confidentiality, and availability • Sets National Standards for Electronic Data Transmission Transactions (eligibility, claims, payment, and others) and identifiers • Standard medical codes (e.g., ICD-9, CPT-4,ICD-10) • Sets National Standards for the Protection of Health Information • Privacy (operational, consumer control, administration) • Security (administrative, physical, technical, network)
HIPAA Health Insurance Portability and Accountability Act of 1996 Title I Health Care Access, Portability and Renewability Title II Preventing Health Care Fraud and Abuse Medical Liability Reform Administrative Simplification Electronic Data Interchange Transactions Identifiers Code Sets Privacy Security Security Standards: General Rules Administrative Standards Technical Standards Physical Standards Organizational Requirements Policies and Procedures and Documentation Requirements Title III Tax Related Health Provision Title IV Group Health Plan Requirements Title V Revenue Offsets
HIPAA Specifics • Title One: "Health care access, portability and renewability," employers and health plans must allow a new employee's medical insurance coverage to remain continuous without regard to pre-existing conditions. • Title Two: "Preventing health care fraud and abuse; administrative simplification; medical liability reform" defines new requirements for privacy and security of individually identifiable patient information. • Electronic health transaction standards and code sets - The implementation of a national standard for transmitting health data electronically and using standard code sets to describe diseases, injuries and other health problems • Unique Identifiers - A system that uses one identification number per employer, health plan or payer and health care provider to simplify administration • Security - Safeguarding the storage of, access to and transmission of electronic patient information • Privacy - Generally limiting the use or disclosure of protected health information to a minimum necessary standard. It also gives patients the right to see and get copies of their records, request amendments to their records and learn details of certain disclosures of their records. • Title Three: "Tax-related health provisions" standardizes the amount you can save per person in a pre-tax medical savings account. • Title Four: "Application and enforcement of group health plan requirements" broadened information on insurance reform provisions and provide detailed explanations. • Title Five: "Revenue offsets" are regulations on how employers can deduct company-owned life insurance premiums for income tax purposes.
Title II Administrative Simplification Electronic Data Interchange Privacy Security Administrative Safeguards Physical Safeguards Technical Safeguards Preventing Health Care Fraud and Abuse Medical Liability Reform
HIPAA Intersections There are several similarities between Privacy and Security Privacy  Security Security Awareness & Training Business Associate Contracts Privacy Officers for All Entities Multi-disciplinary Work Groups. Security Awareness & Training Business Associate Contracts Security Liaisons for All Entities Multi-disciplinary Work Groups
Privacy vs Security • Privacy. Protects the rights of individual and their information in any medium. • Security. Protects electronic information. Specifies Standards that must be met based on three basic areas: • Administrative • Physical • Technical
Key Elements • Covered Entity. Refers to a health care provider, health plan and/or a healthcare clearinghouse who transmits health information in electronic format in connection with a transaction covered under HIPAA. • Health information. Refers to any information, oral or recorded, that is created or received by a Covered Entity and relates to the provision of health care to an individual. • Protected Health Information (PHI). Individually identifiable health information related to the provision of care to an individual. • Electronic Protected Health Information (ePHI). PHI that is transmitted, maintained or stored in electronic media. • Business Associate. Refers to an individual or organization that creates, receives, maintains, stores or transmits PHI or ePHI on behalf of a Covered Entity or Business Associate.
Key Concepts • Uses and Disclosures. Refers to appropriate uses of PHI and the conditions on how to authorize disclosures. • Individual Rights. Refers to specific legal and enforceable rights related to individuals’ information. • Compliance and Enforcement. Refers to the requirement to comply from Covered Entities and Business Associate as of April 20, 2005. The Office for Civil Rights (OCR) became responsible for enforcing the Security Rule as of July 27, 2009. • “More stringent”. Refers that HIPAA supersedes State Legislations unless state privacy protections are more stringent than HIPAA. Example of more stringent laws cover: • Mental Health • HIV Protection • Substance Abuse
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) • Places all of the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well. • Part of the Affordable Care Act which was signed in 2009 • 22 billion dollars allocated to the promotion of EHRs • Mandatory penalties imposed for "willful neglect" • Civil penalties for willful neglect increased to $250,000, with repeat/uncorrected violations extending up to $1.5 million • HIPAA's civil and criminal penalties now extend to business associates • Allows state attorney general to bring legal action on behalf of his/her residents • HHS required to conduct periodic audits of covered entities and business associates
HITECH Act Business Associate Requirements • Comply with the administrative, physical, and technical safeguards for electronic PHI under the HIPAA Security Rule in the same manner as a Covered Entity; • Develop and establish a written data security program for electronic PHI that complies with the HIPAA Security Rule; • Comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the HIPAA Privacy Rule; • Follow restrictions on marketing communications and mandatory compliance audits by the Department of Health and Human Services ("HHS"); • Notify Covered Entities of any breach of "unsecured PHI“.
Omnibus Rule • Broadens the definition of Business Associate • Person or entity who creates, receives, maintains, stores or transmits PHI or ePHI on behalf of, or provides services to, a Covered Entity that involves Individually Identifiable Health Information • Applies to subcontractors irrespective of how far downstream the subcontractor is, • Clarifies which requirements and liabilities pertain to business associates, • Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules.
Translation of Rule to Business Associates • Entity is liable for the acts or omissions of its Subcontractor • The reach of this designation will apply to subcontractors irrespective of how far downstream the subcontractor is, contractually, from the covered entity. • Entity can be penalized for its agent’s violations • Knowledge of a breach or other violation will be imputed to the principal • Federal common law of Agency will govern whether an agency relationship exists between the parties - regardless of what the contract actually says
Sample of Responsibilities • BAs to comply with the HIPAA Security Rule’s requirements and implement policies and procedures in the same manner as a Covered Entity • Requires BA to implement administrative, physical, and technical safeguards in compliance with HIPAA Security Rule (most BA Agreements require this by contract) • Sign a Business Associate Agreement with all Covered Entities and subcontractors that meet the requirements of Business Associate. • Obtain assurances from subcontractors or terminate the relationship. • BA must also implement Breach Notification Policies and Procedures, Workforce Training, and associated documentation of Incident Handling • BAs must conduct risk assessment and be more proactive and diligent to monitor new rules, regulations and guidance • Develop a Security Management Plan based on the findings of the HIPAA Security Risk Analysis.
Examples of Business Associates • IT Support Vendor • Email encryption Provider • File sharing vendors • Information Technology vendors • Cloud vendors • Backup Storage • Medical equipment service companies handling equipment that holds PHI • Billing Companies • Translator services • Dictation services • Lawyers • Shredding services • Accounting or consulting firms • Consultants hired to conduct audits, perform coding reviews, etc.
Security Risk Analysis (SRA) • Information security risk assessment is an on-going process of discovering, correcting and preventing security problems. “Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii)). “ https://www.cms.gov/Regulations-and- Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf
Security Risk Analysis (sample topics) • Administration • Agreements • Policies • Job Descriptions • Training • Physical • Assess • Disaster Preparedness • Technical • Inventory - Resources • Security (Firewalls, patches, antimalware)
FAQs Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule? Answer: No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e). https://www.hhs.gov/hipaa/for-professionals/faq/237/can-business- associates-self-certify/index.html
Summary • Places all of the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well. • Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules. • Covered Entities must have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.
Questions or Additional Information Taino Consultants Inc. DrDelgado@TainoConsultants.com Mr. Ray Walters Walters.R@epicompliance.com
References • https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business- associates/index.html • http://searchsecurity.techtarget.com/definition/business-associate • https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa- regulations-affect-business-associates • https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business- associate-agreement-provisions/index.html • https://www.imagineiti.com/hipaa-compliance/business-associates/ • https://www.cdc.gov/phlp/publications/topic/hipaa.html

More Related Content

PPTX
HIPAA - Understanding the Basics of Compliance
byJay Hodes
 
PPT
Data protection
byLewis Silkin
 
PPTX
Presentation on GDPR
byDipanjanDey12
 
PDF
HIPAA 101- What all Doctors NEED to know
byCompliancy Group
 
PPTX
Presentation hippa
bymaggie_Platt
 
PDF
Overview on data privacy
byAmiit Keshav Naik
 
PPS
HIPAA Basics
byKarna *
 
PPTX
Legal obligations and responsibilities of data processors and controllers und...
byIT Governance Ltd
 
HIPAA - Understanding the Basics of Compliance
byJay Hodes
 
Data protection
byLewis Silkin
 
Presentation on GDPR
byDipanjanDey12
 
HIPAA 101- What all Doctors NEED to know
byCompliancy Group
 
Presentation hippa
bymaggie_Platt
 
Overview on data privacy
byAmiit Keshav Naik
 
HIPAA Basics
byKarna *
 
Legal obligations and responsibilities of data processors and controllers und...
byIT Governance Ltd
 

What's hot

PPT
Data protection in_india
byAltacit Global
 
PDF
IT ACT 2008 ALA GTU
byShrey Patel
 
PPTX
Digital personal data protection act, 2023.pptx
byDineshPrasad64
 
PDF
Basic Data Privacy for Non Lawyers
byJDP Consulting
 
PDF
DPDP Act 2023.pdf
byPriyanka Aash
 
PDF
HIPAA and How it Applies to You
byWinston & Strawn LLP
 
PPTX
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
PDF
Welcome to HIPAA Training
byJonathan Montes
 
PPTX
skillcast-gdpr-training-presentation-q320.pptx
byRahulGarg294918
 
PPTX
General Data Protection Regulations (GDPR): Do you understand it and are you ...
byCvent
 
PPT
Data Privacy in India and data theft
byAmber Gupta
 
PPT
Data Protection Act
bymrmwood
 
PPS
Introduction to Data Protection and Information Security
byJisc Scotland
 
PDF
GDPR and Security.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
PPTX
Cyber law
byArnab Roy Chowdhury
 
PPTX
Introduction to GDPR
byPriyab Satoshi
 
PPTX
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
byDavid Menken
 
PPTX
General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
PPTX
GDPR: Training Materials by Qualsys
byQualsys Ltd
 
PDF
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
byEryk Budi Pratama
 
Data protection in_india
byAltacit Global
 
IT ACT 2008 ALA GTU
byShrey Patel
 
Digital personal data protection act, 2023.pptx
byDineshPrasad64
 
Basic Data Privacy for Non Lawyers
byJDP Consulting
 
DPDP Act 2023.pdf
byPriyanka Aash
 
HIPAA and How it Applies to You
byWinston & Strawn LLP
 
General Data Protection Regulation (GDPR)
byExtentia Information Technology
 
Welcome to HIPAA Training
byJonathan Montes
 
skillcast-gdpr-training-presentation-q320.pptx
byRahulGarg294918
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
byCvent
 
Data Privacy in India and data theft
byAmber Gupta
 
Data Protection Act
bymrmwood
 
Introduction to Data Protection and Information Security
byJisc Scotland
 
GDPR and Security.pdf
byAndrey Prozorov, CISM, CIPP/E, CDPSE. LA 27001
 
Cyber law
byArnab Roy Chowdhury
 
Introduction to GDPR
byPriyab Satoshi
 
Security Awareness Training - For Companies With Access to NYS "Sensitive" In...
byDavid Menken
 
General Data Protection Regulation (GDPR)
byKimberly Simon MBA
 
GDPR: Training Materials by Qualsys
byQualsys Ltd
 
Data Protection Indonesia: Basic Regulation and Technical Aspects_Eryk
byEryk Budi Pratama
 

Similar to Hipaa for business associates simple

PPT
HNI U: HIPAA Essentials
byHNI Risk Services
 
PPTX
Hitech changes-to-hipaa
bygeeksikh
 
PPTX
HIPAA Security 2019
byJose Ivan Delgado, Ph.D.
 
PPTX
HITECH-Changes-to-HIPAA
byGurvinder Singh, CISSP, CISA, ITIL v3
 
PPT
HIPAA Privacy & Security
byNational Pharmacy Technician Association
 
PPTX
The Health Insurance Portability and Accountability Act 
byKartheek Kein
 
PPTX
HIPAA Complaince
byFarhatParveen10
 
PDF
HIPAA Compliance: What Medical Practices and Their Business Associates Need t...
bySkoda Minotti
 
PPT
Knowing confidentiality
byjessie66
 
PPTX
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
bysusmitaghosh93
 
PPTX
What is HIPAA and How it is important to all
byNatashaDanielleHudso
 
PPTX
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
byKloudLearn
 
PPTX
Health Insurance Portability and Accountability Act (HIPAA) Compliance
byControlCase
 
PPTX
Medical coding and health care data management
bymanoshmanosh4657
 
PPTX
The Basics of HIPAA
byDamianKnowles1
 
PDF
A brief introduction to hipaa compliance
byPrince George
 
PDF
What is HIPAA Compliance?
byPower Admin LLC
 
PDF
HIPAA Panel Discussion
byDan Wellisch
 
PDF
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
byNetwork 1 Consulting
 
PPTX
Dental Compliance for Dentists and Business Associates
bygppcpa
 
HNI U: HIPAA Essentials
byHNI Risk Services
 
Hitech changes-to-hipaa
bygeeksikh
 
HIPAA Security 2019
byJose Ivan Delgado, Ph.D.
 
HITECH-Changes-to-HIPAA
byGurvinder Singh, CISSP, CISA, ITIL v3
 
HIPAA Privacy & Security
byNational Pharmacy Technician Association
 
The Health Insurance Portability and Accountability Act 
byKartheek Kein
 
HIPAA Complaince
byFarhatParveen10
 
HIPAA Compliance: What Medical Practices and Their Business Associates Need t...
bySkoda Minotti
 
Knowing confidentiality
byjessie66
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
bysusmitaghosh93
 
What is HIPAA and How it is important to all
byNatashaDanielleHudso
 
Health Insurance Portability and Accountability Act (HIPPA) - Kloudlearn
byKloudLearn
 
Health Insurance Portability and Accountability Act (HIPAA) Compliance
byControlCase
 
Medical coding and health care data management
bymanoshmanosh4657
 
The Basics of HIPAA
byDamianKnowles1
 
A brief introduction to hipaa compliance
byPrince George
 
What is HIPAA Compliance?
byPower Admin LLC
 
HIPAA Panel Discussion
byDan Wellisch
 
HIPAA HiTech Regulations: What Non-Medical Companies Need to Know
byNetwork 1 Consulting
 
Dental Compliance for Dentists and Business Associates
bygppcpa
 

More from Jose Ivan Delgado, Ph.D.

PPTX
Guide to Online Tracking Technologies.pptx
byJose Ivan Delgado, Ph.D.
 
PPTX
Macra 101
byJose Ivan Delgado, Ph.D.
 
PPTX
Macra 2017
byJose Ivan Delgado, Ph.D.
 
PPTX
Healthcare unplug oct
byJose Ivan Delgado, Ph.D.
 
PPTX
Healthcare unplug
byJose Ivan Delgado, Ph.D.
 
PPTX
Meaningful use 2016
byJose Ivan Delgado, Ph.D.
 
PPTX
Icd 10 general presentation
byJose Ivan Delgado, Ph.D.
 
PPTX
Icd 10 codes
byJose Ivan Delgado, Ph.D.
 
PPTX
Colors only god could create
byJose Ivan Delgado, Ph.D.
 
PPT
Meaningful Use Basics for Healthcare Professionals and Organizations
byJose Ivan Delgado, Ph.D.
 
PPTX
Meaningful use 2015
byJose Ivan Delgado, Ph.D.
 
PPTX
Healhcare Billing Comparison
byJose Ivan Delgado, Ph.D.
 
PPT
Services, Compliance and Innovation
byJose Ivan Delgado, Ph.D.
 
PPT
HIPAA security risk assessments
byJose Ivan Delgado, Ph.D.
 
PPTX
Healthcare Compliance Software
byJose Ivan Delgado, Ph.D.
 
PPTX
Physician quality reporting system (pqrs)
byJose Ivan Delgado, Ph.D.
 
PPT
Healthcare update 2
byJose Ivan Delgado, Ph.D.
 
PPT
Healthcare Business: Present and Future Challenges
byJose Ivan Delgado, Ph.D.
 
PPT
From paper to digital
byJose Ivan Delgado, Ph.D.
 
PPT
Where do you fall
byJose Ivan Delgado, Ph.D.
 
Guide to Online Tracking Technologies.pptx
byJose Ivan Delgado, Ph.D.
 
Macra 101
byJose Ivan Delgado, Ph.D.
 
Macra 2017
byJose Ivan Delgado, Ph.D.
 
Healthcare unplug oct
byJose Ivan Delgado, Ph.D.
 
Healthcare unplug
byJose Ivan Delgado, Ph.D.
 
Meaningful use 2016
byJose Ivan Delgado, Ph.D.
 
Icd 10 general presentation
byJose Ivan Delgado, Ph.D.
 
Icd 10 codes
byJose Ivan Delgado, Ph.D.
 
Colors only god could create
byJose Ivan Delgado, Ph.D.
 
Meaningful Use Basics for Healthcare Professionals and Organizations
byJose Ivan Delgado, Ph.D.
 
Meaningful use 2015
byJose Ivan Delgado, Ph.D.
 
Healhcare Billing Comparison
byJose Ivan Delgado, Ph.D.
 
Services, Compliance and Innovation
byJose Ivan Delgado, Ph.D.
 
HIPAA security risk assessments
byJose Ivan Delgado, Ph.D.
 
Healthcare Compliance Software
byJose Ivan Delgado, Ph.D.
 
Physician quality reporting system (pqrs)
byJose Ivan Delgado, Ph.D.
 
Healthcare update 2
byJose Ivan Delgado, Ph.D.
 
Healthcare Business: Present and Future Challenges
byJose Ivan Delgado, Ph.D.
 
From paper to digital
byJose Ivan Delgado, Ph.D.
 
Where do you fall
byJose Ivan Delgado, Ph.D.
 

Recently uploaded

PPTX
Heart Block ppt made by 1sy year NH student
byAfifKhan7
 
PPTX
Arrthymias in cardiology for Physician assistant
byMass Mahesh medico
 
PDF
Erik Lannen - A Devoted Nurse, Christian Leader, And Adventurer
byErik Lannen
 
PPTX
PPT presentation on Gairikadya malaahara
byShreeyashSalunke1
 
PPTX
Online Personal Yoga Training certificate course .pptx
byKaruna Yoga Vidya Peetham
 
PPT
Mind Sound Resonance Technique (MSRT) Ma.ppt
byKaruna Yoga Vidya Peetham
 
PDF
KARUNA YOGA - YOGA PROJECT WORK - THE SCIENCE OF YOGA A HOLISTIC APPROACH TO ...
byKaruna Yoga Vidya Peetham
 
PDF
Ocular Health Evaluation with Retinal Imaging (Optomap)
bytylriii07
 
PDF
CASE STUDY on Healthcare ; Auroville, Bangalore
byaishwaryag2304
 
PPTX
ADHD Treatment and Therapy Options in 2026
byTherapy Center of New York: Psychologists in New York City
 
PPTX
adrenaltumors-150626212759-lva1-app6892.pptx
byankushsingla517
 
PPTX
Adolescent reproductive Health slide4.pptx
bynuramalicha
 
PPTX
Non-Fluoridated Remineralizing Agents1.pptx
bysukanyagattu5
 
PDF
A Brief Introduction About - Antonial Marbuery Cleveland Ohio
byAntonial Marbuery Cleveland Ohio
 
PDF
Personal Trainer On Demand App Development
byV3CUBE TECHNOLABS
 
PPTX
Your Body Is Stressed, Not Lazy — The Amit Kakkar Healthyway Burnout Biology ...
byAmit Kakkar Healthyway
 
PDF
Beyond Clinical Validation Medtech Commercialization Gaps.pdf
byStellarix
 
PDF
Learning About Hormones Before Menopause
byHummingbird Healthcare
 
PDF
Top 10 AI Healthcare Agents to Build in 2026 | Future Healthcare AI
byGradious AI
 
PPTX
CHILD.HEALTH.PROGRAMMES.IN.INDIA..2.pptx
bydrkasana123
 
Heart Block ppt made by 1sy year NH student
byAfifKhan7
 
Arrthymias in cardiology for Physician assistant
byMass Mahesh medico
 
Erik Lannen - A Devoted Nurse, Christian Leader, And Adventurer
byErik Lannen
 
PPT presentation on Gairikadya malaahara
byShreeyashSalunke1
 
Online Personal Yoga Training certificate course .pptx
byKaruna Yoga Vidya Peetham
 
Mind Sound Resonance Technique (MSRT) Ma.ppt
byKaruna Yoga Vidya Peetham
 
KARUNA YOGA - YOGA PROJECT WORK - THE SCIENCE OF YOGA A HOLISTIC APPROACH TO ...
byKaruna Yoga Vidya Peetham
 
Ocular Health Evaluation with Retinal Imaging (Optomap)
bytylriii07
 
CASE STUDY on Healthcare ; Auroville, Bangalore
byaishwaryag2304
 
ADHD Treatment and Therapy Options in 2026
byTherapy Center of New York: Psychologists in New York City
 
adrenaltumors-150626212759-lva1-app6892.pptx
byankushsingla517
 
Adolescent reproductive Health slide4.pptx
bynuramalicha
 
Non-Fluoridated Remineralizing Agents1.pptx
bysukanyagattu5
 
A Brief Introduction About - Antonial Marbuery Cleveland Ohio
byAntonial Marbuery Cleveland Ohio
 
Personal Trainer On Demand App Development
byV3CUBE TECHNOLABS
 
Your Body Is Stressed, Not Lazy — The Amit Kakkar Healthyway Burnout Biology ...
byAmit Kakkar Healthyway
 
Beyond Clinical Validation Medtech Commercialization Gaps.pdf
byStellarix
 
Learning About Hormones Before Menopause
byHummingbird Healthcare
 
Top 10 AI Healthcare Agents to Build in 2026 | Future Healthcare AI
byGradious AI
 
CHILD.HEALTH.PROGRAMMES.IN.INDIA..2.pptx
bydrkasana123
 

Hipaa for business associates simple

  • 1.
  • 2.
    HIPAA Business AssociatePays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individuals • CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee. • OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls. https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf - PDF.
  • 3.
    $750,000 settlement highlightsthe need for HIPAA business associate agreements • Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) failed to execute a business associate agreement prior to turning PHI to a potential business partner. • The settlement includes a monetary payment of $750,000 and a robust corrective action plan. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic- clinic/index.html “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
  • 4.
    Business Associate’s Failureto Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement • Catholic Health Care Services (CHCS) has agreed to settle potential HIPAA violations after the theft of a CHCS mobile device. • CHCS provided management and information technology services as a business associate to six skilled nursing facilities. “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.” https://www.hhs.gov/sites/default/files/chcs-racap-final.pdf
  • 5.
    What is HIPAA? Isa federal law that: • Provides Portability: Protects and guarantees health insurance coverage when an employee changes jobs • Provides Accountability: Protects health data integrity, confidentiality, and availability • Sets National Standards for Electronic Data Transmission Transactions (eligibility, claims, payment, and others) and identifiers • Standard medical codes (e.g., ICD-9, CPT-4,ICD-10) • Sets National Standards for the Protection of Health Information • Privacy (operational, consumer control, administration) • Security (administrative, physical, technical, network)
  • 6.
    HIPAA Health Insurance Portabilityand Accountability Act of 1996 Title I Health Care Access, Portability and Renewability Title II Preventing Health Care Fraud and Abuse Medical Liability Reform Administrative Simplification Electronic Data Interchange Transactions Identifiers Code Sets Privacy Security Security Standards: General Rules Administrative Standards Technical Standards Physical Standards Organizational Requirements Policies and Procedures and Documentation Requirements Title III Tax Related Health Provision Title IV Group Health Plan Requirements Title V Revenue Offsets
  • 7.
    HIPAA Specifics • TitleOne: "Health care access, portability and renewability," employers and health plans must allow a new employee's medical insurance coverage to remain continuous without regard to pre-existing conditions. • Title Two: "Preventing health care fraud and abuse; administrative simplification; medical liability reform" defines new requirements for privacy and security of individually identifiable patient information. • Electronic health transaction standards and code sets - The implementation of a national standard for transmitting health data electronically and using standard code sets to describe diseases, injuries and other health problems • Unique Identifiers - A system that uses one identification number per employer, health plan or payer and health care provider to simplify administration • Security - Safeguarding the storage of, access to and transmission of electronic patient information • Privacy - Generally limiting the use or disclosure of protected health information to a minimum necessary standard. It also gives patients the right to see and get copies of their records, request amendments to their records and learn details of certain disclosures of their records. • Title Three: "Tax-related health provisions" standardizes the amount you can save per person in a pre-tax medical savings account. • Title Four: "Application and enforcement of group health plan requirements" broadened information on insurance reform provisions and provide detailed explanations. • Title Five: "Revenue offsets" are regulations on how employers can deduct company-owned life insurance premiums for income tax purposes.
  • 8.
    Title II Administrative Simplification Electronic Data Interchange PrivacySecurity Administrative Safeguards Physical Safeguards Technical Safeguards Preventing Health Care Fraud and Abuse Medical Liability Reform
  • 9.
    HIPAA Intersections There areseveral similarities between Privacy and Security Privacy  Security Security Awareness & Training Business Associate Contracts Privacy Officers for All Entities Multi-disciplinary Work Groups. Security Awareness & Training Business Associate Contracts Security Liaisons for All Entities Multi-disciplinary Work Groups
  • 10.
    Privacy vs Security • Privacy.Protects the rights of individual and their information in any medium. • Security. Protects electronic information. Specifies Standards that must be met based on three basic areas: • Administrative • Physical • Technical
  • 11.
    Key Elements • CoveredEntity. Refers to a health care provider, health plan and/or a healthcare clearinghouse who transmits health information in electronic format in connection with a transaction covered under HIPAA. • Health information. Refers to any information, oral or recorded, that is created or received by a Covered Entity and relates to the provision of health care to an individual. • Protected Health Information (PHI). Individually identifiable health information related to the provision of care to an individual. • Electronic Protected Health Information (ePHI). PHI that is transmitted, maintained or stored in electronic media. • Business Associate. Refers to an individual or organization that creates, receives, maintains, stores or transmits PHI or ePHI on behalf of a Covered Entity or Business Associate.
  • 12.
    Key Concepts • Usesand Disclosures. Refers to appropriate uses of PHI and the conditions on how to authorize disclosures. • Individual Rights. Refers to specific legal and enforceable rights related to individuals’ information. • Compliance and Enforcement. Refers to the requirement to comply from Covered Entities and Business Associate as of April 20, 2005. The Office for Civil Rights (OCR) became responsible for enforcing the Security Rule as of July 27, 2009. • “More stringent”. Refers that HIPAA supersedes State Legislations unless state privacy protections are more stringent than HIPAA. Example of more stringent laws cover: • Mental Health • HIV Protection • Substance Abuse
  • 13.
    The Health InformationTechnology for Economic and Clinical Health Act (HITECH Act) • Places all of the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well. • Part of the Affordable Care Act which was signed in 2009 • 22 billion dollars allocated to the promotion of EHRs • Mandatory penalties imposed for "willful neglect" • Civil penalties for willful neglect increased to $250,000, with repeat/uncorrected violations extending up to $1.5 million • HIPAA's civil and criminal penalties now extend to business associates • Allows state attorney general to bring legal action on behalf of his/her residents • HHS required to conduct periodic audits of covered entities and business associates
  • 14.
    HITECH Act Business AssociateRequirements • Comply with the administrative, physical, and technical safeguards for electronic PHI under the HIPAA Security Rule in the same manner as a Covered Entity; • Develop and establish a written data security program for electronic PHI that complies with the HIPAA Security Rule; • Comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the HIPAA Privacy Rule; • Follow restrictions on marketing communications and mandatory compliance audits by the Department of Health and Human Services ("HHS"); • Notify Covered Entities of any breach of "unsecured PHI“.
  • 15.
    Omnibus Rule • Broadensthe definition of Business Associate • Person or entity who creates, receives, maintains, stores or transmits PHI or ePHI on behalf of, or provides services to, a Covered Entity that involves Individually Identifiable Health Information • Applies to subcontractors irrespective of how far downstream the subcontractor is, • Clarifies which requirements and liabilities pertain to business associates, • Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules.
  • 16.
    Translation of Ruleto Business Associates • Entity is liable for the acts or omissions of its Subcontractor • The reach of this designation will apply to subcontractors irrespective of how far downstream the subcontractor is, contractually, from the covered entity. • Entity can be penalized for its agent’s violations • Knowledge of a breach or other violation will be imputed to the principal • Federal common law of Agency will govern whether an agency relationship exists between the parties - regardless of what the contract actually says
  • 17.
    Sample of Responsibilities •BAs to comply with the HIPAA Security Rule’s requirements and implement policies and procedures in the same manner as a Covered Entity • Requires BA to implement administrative, physical, and technical safeguards in compliance with HIPAA Security Rule (most BA Agreements require this by contract) • Sign a Business Associate Agreement with all Covered Entities and subcontractors that meet the requirements of Business Associate. • Obtain assurances from subcontractors or terminate the relationship. • BA must also implement Breach Notification Policies and Procedures, Workforce Training, and associated documentation of Incident Handling • BAs must conduct risk assessment and be more proactive and diligent to monitor new rules, regulations and guidance • Develop a Security Management Plan based on the findings of the HIPAA Security Risk Analysis.
  • 18.
    Examples of Business Associates • ITSupport Vendor • Email encryption Provider • File sharing vendors • Information Technology vendors • Cloud vendors • Backup Storage • Medical equipment service companies handling equipment that holds PHI • Billing Companies • Translator services • Dictation services • Lawyers • Shredding services • Accounting or consulting firms • Consultants hired to conduct audits, perform coding reviews, etc.
  • 19.
    Security Risk Analysis(SRA) • Information security risk assessment is an on-going process of discovering, correcting and preventing security problems. “Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii)). “ https://www.cms.gov/Regulations-and- Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf
  • 20.
    Security Risk Analysis(sample topics) • Administration • Agreements • Policies • Job Descriptions • Training • Physical • Assess • Disaster Preparedness • Technical • Inventory - Resources • Security (Firewalls, patches, antimalware)
  • 21.
    FAQs Instead of enteringinto a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule? Answer: No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e). https://www.hhs.gov/hipaa/for-professionals/faq/237/can-business- associates-self-certify/index.html
  • 22.
    Summary • Places allof the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well. • Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules. • Covered Entities must have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.
  • 23.
    Questions or AdditionalInformation Taino Consultants Inc. DrDelgado@TainoConsultants.com Mr. Ray Walters Walters.R@epicompliance.com
  • 24.
    References • https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business- associates/index.html • http://searchsecurity.techtarget.com/definition/business-associate •https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa- regulations-affect-business-associates • https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business- associate-agreement-provisions/index.html • https://www.imagineiti.com/hipaa-compliance/business-associates/ • https://www.cdc.gov/phlp/publications/topic/hipaa.html