Understanding Your CSP's BAA
Housekeeping
• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
• Please submit questions via the button on the upper left of the viewer
• If we don't get to your question during the webinar, we will follow up with you via email
• Download related resources via the "Attachments" button above the viewing panel
• On Twitter? Join the conversation: @HOSTINGdotcom
HOSTING Overview
• Company figures (infographic): 6; 400; 380 Employees; Independent Audits In 2014; US-based Datacenters
• SOC 2 Type II, SOC 3 Certified
• HIPAA Compliant
• 180 Healthcare Customers

HOSTING and CHIME
• 1st CHIME Launch Partner
• CHIME Technologies Cooperative Member Services Program
• For more info, visit http://www.hosting.com/chime/ (also available in the "Attachments" section).
Introduction
Learning Objectives
• Discuss three actions to take before signing a BAA
• Identify key terms that every BAA should have
• Describe terms and loopholes to avoid in a BAA
HIPAA Basics: Omnibus Rule
• HIPAA requires the protection and confidential handling of protected health information (PHI)
• Omnibus Rule (amendment to the HIPAA rules):
  • Final rule published January 25, 2013; effective March 26, 2013, with a compliance date of September 23, 2013
  • Subsequent compliance roll out for covered entities, business associates, and their subcontractors
• Impact of the Omnibus Rule with regard to third-party providers:
  • Any entity that "creates, receives, maintains, or transmits" PHI on behalf of a covered entity (a health care provider, health plan, or health care clearinghouse) is a business associate and is directly liable for complying with the applicable HIPAA rules, not merely bound by contract through the covered entity
HIPAA Basics: CEs and BAs
• "Covered Entities"
  • Health care providers, health plans, and health care clearinghouses
  • Examples: physicians, hospitals, health insurance companies, healthcare billing services, value-added healthcare networks
• "Business Associates"
  • Entities that create, receive, maintain, or transmit PHI on behalf of Covered Entities (and, since the Omnibus Rule, subcontractors that do so on behalf of a Business Associate)
  • Examples: records storage companies, data analysis companies, hosting and cloud service providers
HIPAA Basics: CEs and BAs (continued)
• "Business Associate" exceptions:
  • "Janitor Clause" – organizations whose functions or services do not involve the use or disclosure of PHI, and where any access to PHI would be incidental, if at all
  • "Conduit Clause" – organizations that merely act as a conduit for PHI, such as a courier or an internet service provider that only transmits it
  • Caveat for cloud and hosting providers: HHS reads the conduit exception narrowly. It covers transmission-only services, including storage that is temporary and incidental to the transmission. A provider that persistently stores PHI "maintains" it and is a Business Associate even if it never views the data, so a CSP cannot use the conduit clause to avoid signing a BAA.
HIPAA Basics: PHI
• "PHI" (protected health information)
  • Information that (1) is created or received by a health care provider, health plan, or health care clearinghouse; (2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and (3) identifies, or could reasonably be used to identify, the individual
  • Identifiers that make health information PHI (the list from the HIPAA de-identification "safe harbor" standard, 45 CFR 164.514(b)): names; geographic identifiers smaller than a state (street address, city, county, ZIP code); dates directly related to an individual (birth date, admission date, discharge date, date of death, etc.); phone numbers; fax numbers; email addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers and license plate numbers; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers; full-face photographs; and any other unique identifying number, characteristic, or code
  • Practical consequence for a CSP engagement: if the databases, backups, or logs hosted with the provider hold health information alongside any of these identifiers, the provider maintains PHI and needs a BAA, whether or not it ever looks at the data
HIPAA Basics: Compliance
1. HIPAA Security Rule
2. HIPAA Privacy Rule
3. HIPAA Data Breach Notification Rule
4. Business Associate Agreements (BAAs)
What is a BAA?
• A contract that creates HIPAA obligations between parties:
  • Business Associates and Covered Entities
  • Business Associates and their Subcontractors
• Purpose: ensure both parties are bound to treat PHI in compliance with HIPAA (the Privacy, Security, and Breach Notification Rules)
• Required by HIPAA whenever a covered entity lets a business associate create, receive, maintain, or transmit PHI on its behalf, and whenever a business associate passes PHI to a subcontractor (45 CFR 164.502(e) and 164.504(e))
Two Kinds of BAAs
1. Between Covered Entities and Business Associates
2. Between Business Associates and Subcontractors
Three Things to Do before Signing a BAA
1. Assess your Risk
2. Assess your BAA
3. Assess your Business Associate

Three Things to Do before Signing a BAA: Assess Your Risk
1. Internal compliance
2. HIPAA compliance
3. Legal risk
4. Data breach expense

Three Things to Do before Signing a BAA: Assess Your BAA
1. Use a compliant BAA (one that contains every element required by 45 CFR 164.504(e))
2. Use the right kind of BAA (CE-to-BA or BA-to-subcontractor)
3. Ensure flow-down (every subcontractor that touches PHI is bound by the same restrictions and conditions as the BA)

Three Things to Do before Signing a BAA: Assess Your Business Associate
1. Certification (note: HHS does not certify or endorse HIPAA compliance, so treat a "HIPAA compliant" claim as a prompt to ask for the independent audit reports behind it, e.g. SOC 2 Type II)
2. Guarantees
3. Check the breach list (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
4. Insurance
Key BAA Terms
• Preamble
• Section 1: Definitions
  • Taken from HIPAA (45 CFR 160.103)
• Section 2: What the Business Associate will and will not do
  • Ex: permitted uses and disclosures of PHI; administrative, physical, and technical safeguards (Security Rule compliance for electronic PHI); reporting of breaches, security incidents, and impermissible uses or disclosures; flowing the same restrictions down to subcontractors; making PHI available for individual access, amendment, and accounting of disclosures; making books and records available to HHS
• Section 3: What the Covered Entity will and will not do
  • Ex: compliance with law; notice of changes to its notice of privacy practices, to restrictions agreed with individuals, and to revoked permissions; not asking the BA to do anything the CE could not lawfully do itself
• Section 4: Term and Termination
  • At termination, return or destroy all PHI; if return or destruction is infeasible, extend the BAA's protections to the retained PHI and limit further use and disclosure to the purposes that make return infeasible
• Section 5: Miscellaneous
BAA Loopholes
• Additional subcontracting: a Business Associate that hands PHI to further subcontractors without a flow-down BAA binding them to the same restrictions
• BAAs with extraneous provisions: commercial terms bundled into the BAA that weaken or conflict with the HIPAA-required provisions
HHS Form of BAA
See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Business Associate Contracts
SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013)

Introduction
A "business associate" is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A "business associate" also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information…
Further Considerations
• Recap of the learning objectives: three actions to take before signing a BAA; the key terms every BAA should have; the terms and loopholes to avoid in a BAA
Q&A
Steve Yoost | General Counsel, HOSTING
For more information about services by HOSTING, please contact our team at
888.894.4678.

IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Understanding Your Cloud Service Provider’s BAA

9
HIPAA Basics: CEs and BAs
• “Business Associates” Exceptions:
• “Janitor Clause” – organizations whose functions or services do not involve the use or disclosure of protected health information, and where any access to PHI would be incidental, if at all
• “Conduit Clause” – organizations that merely transmit protected health information (transmission-only services such as a courier or an ISP); HHS reads this exception narrowly, and a provider that stores PHI, even encrypted PHI it cannot read, is not a conduit
10
HIPAA Basics: PHI
• “PHI”
• Information that (1) is created or received by a health care provider, health plan, or health care clearinghouse; (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (3) identifies or could be used to identify the individual
• Examples: name, address, dates (birth date, admission date, discharge date, etc.), phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and license plate numbers, URLs, IP addresses, biometric identifiers, and photographs
12
HIPAA Basics: Compliance
1. HIPAA Security Rule
2. HIPAA Privacy Rule
3. HIPAA Data Breach Notification Rule
4. Business Associate Agreements (BAAs)
13
What is a BAA?
• Contract that creates obligations between parties:
• Business Associates and Covered Entities
• Business Associates and Subcontractors
• Purpose: ensure the parties have obligations to treat PHI in compliance with HIPAA
• Required by HIPAA under certain circumstances
14
Two Kinds of BAAs
1. Between Covered Entities and Business Associates
2. Between Business Associates and Subcontractors
15
Three Things to Do before Signing a BAA
1. Assess your Risk
2. Assess your BAA
3. Assess your Business Associate
16
Three Things to Do before Signing a BAA: Assess Your Risk
1. Internal compliance
2. HIPAA compliance
3. Legal risk
4. Data breach expense
17
Three Things to Do before Signing a BAA: Assess Your BAA
1. Use a compliant BAA
2. Use the right kind of BAA (CE-to-BA, or BA-to-subcontractor)
3. Ensure flow-down (every subcontractor that touches PHI must sign a BAA carrying the same obligations)
18
Three Things to Do before Signing a BAA: Assess Your Business Associate
1. Certification (HHS does not endorse or recognize any HIPAA certification, so ask which independent audit, such as a SOC 2 Type II report, backs the claim)
2. Guarantees
3. Check the breach list (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
4. Insurance
19
Key BAA Terms
• Preamble
• Section 1: Definitions
• Taken from HIPAA
• Section 2: What Business Associate will and will not do
• Ex: use and disclosure restrictions, safeguards, notice
• Section 3: What Covered Entity will and will not do
• Ex: compliance with law, notice of changes
• Section 4: Term and Termination
• At end, return or destroy PHI; if PHI must be retained, extend the protections to the retained PHI for as long as it is kept
• Section 5: Miscellaneous
20
BAA Loopholes
• Additional subcontracting (the Business Associate passing PHI to subcontractors without a flow-down BAA)
• BAAs with extraneous provisions
21
HHS Form of BAA
See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Business Associate Contracts
SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013)
Introduction
A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information…
23
Learning Objectives
• Discuss three actions to take before signing a BAA
• Identify key terms that every BAA should have
• Describe terms and loopholes to avoid in a BAA
24
Q&A
Steve Yoost | General Counsel, HOSTING
For more information about services by HOSTING, please contact our team at 888.894.4678.