Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients

Transcription

1 Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients 1

2 Federal Regulations HIPAA: Health Insurance and Portability Accountability Act of 1996 Purpose: to protect confidential information through improved security and privacy standards HITECH: The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009 Omnibus Rule of

3 Entities Defined Covered Entity (CE): Health care providers, health plans, health care clearinghouses who electronically transmit any Protected Health Information (PHI) Business Associate (BA): Create, receive, maintain or transmit PHI on behalf of a Covered Entity (CE) Subcontractor: Create, receive, maintain or transmit PHI on behalf of a BA 3

4 Are You A Business Associate? Examples: IT Support and Software Vendors IT Equipment Vendors Leasing firms Telephone CPE Vendors Shredding Vendors Data Centers Cloud Computing Providers Answering Services for Medical Offices Medical Billing Services Medical Transcriptions Services Medical Collection Agencies Temporary Employment Agencies 4

5 Omnibus Rule Substantially increased the magnitude of HIPAA enforcement risk and liability Before Omnibus: BAs/Subcontractors regulated through Business Associate Agreements (BAAs) After Omnibus: BAs/Subcontractors are now regulated directly under HIPAA: Comply with HIPAA Security Rule Comply with a specific section of the HITECH Breach Notification Rule Comply with all applicable provisions of the Privacy Rule Still need to provide BAA 5

6 Business Associate Agreement Agreement between the CE and BA to govern the BA s creation, use, maintenance and disclosure of PHI. Must comply with HIPAA Security and Privacy Rules BAAs have ALWAYS been required by HIPAA After Omnibus Require reciprocal monitoring by the BA & CE Subcontractors of BAs are treated as BAs as well 6

7 Your Liabilities Business associates are directly liable for: 1. Impermissible uses and disclosures 2. Failure to provide breach notification to the CE 3. Failure to provide access to a copy of ephi to either the CE the individual, or the individual s designee 4. Failure to disclose PHI where required by the HHS to investigate or determine the BA s HIPAA compliance 5. Failure to follow Minimum Necessary standard when using or disclosing 6. Failure to provide an accounting of disclosures 7

8 Penalties For Non-Compliance Before Omnibus: No more than $100 per violation or $25,000 for all identical violations After Omnibus: Violations é, no more Did Not Know defense Viola&on Category Sec&on 1176(a)(1) Each Viola&on All such viola&ons of an iden&cal provision in a calendar year (A) Did Not Know $100 to Max $50,000 $1,500,000 (B) Reasonable Cause $1,000 to Max $50,000 $1,500,000 (C)(i) Willful Neglect- Corrected (C)(ii) Willful Neglect- Not Corrected $10,000 to Max $50,000 $1,500,000 $50,000 $1,500,000 8

9 Willful Neglect NO plan to show you are working towards FULL compliance despite not being compliant at the moment. NO visible demonstrable evidence that you are either in compliance or making a serious attempt at compliance You have legal documents but they do not meet the specific requirements of the regulations You have are legal documents/manuals but NO policies and procedures to support said documents 9

10 What You NEED To Do Your Compliance Requirements as a Business Associate: 1) Security Management Risk assessment, Risk management 2) Assigned Security Responsibility 3) Information Access Management 4) Workforce Security 5) Employee Training 6) Security Incident Plan 7) Contingency Plan 8) Evaluation Annual/periodic evaluation 10

11 Compliance Plan Step 1. Assess where you are against the regulation (GAP) The key to a risk analysis is auditing yourself against the administrative, technical, and physical aspects of HIPAA Step 2. Remediation Plan Prove that you remediated the deficiencies identified in the risk analysis Policies & Procedures, Training, and Attestation 11

12 Compliance Plan (Continued) Step 3. How do you prove it? Successful compliance plans address: Administration and Technical Policies and Procedures IT security Devices installed and maintained within your organization Physical Security within physical locations of your practice(s) Step 4. Maintain your compliance As the regulations, staff, and practice changes 12

13 13

14 To Be, Or Not To Be Protect you and your clients reputations Limit your liabilities Protect PHI Differentiate your company Retain Clients Obtain New Clients This is a Federal Mandate 14

15 Health Care Industry Heavy Enforcement In the News Reputation vs. Fines 3-5 Million CE S & BA S 70-79% Are NOT Compliant $44 Billion Incentive Dollars Paid 15

16 Trends in HIPAA Enforcement Dentist (Indiana) Pharmacy (Colorado) Nonprofit (Alaska) Hospital (Texas) Anthem Indiana Dentist License Permanently Revoked for Mishandling medical records Denver Pharmacy failed to provide training as required by the Privacy Rule. Alaskan Nonprofit policies and procedures were not followed and/or updated. Wellpoint Inc. $1.7 Million settlement caused by a BA performing software upgrade 16

17 The Big Misconception I completed a Risk Assessment, I m HIPAA Compliant. A Risk Assessment is only a part of HIPAA compliance. ALL aspects of HIPAA are needed to pass an audit. 70% of Covered Entities are not compliant 79% of Covered Entities fail their Meaningful Use audit CEs fail to understand the difference between HIPAA and HITECH. Problems were discovered with most or all CE s policies and procedures including those for performing Risk Assessments 1 89% of the entities audited were noncompliant in one or more areas. Security Rule issues accounted for 60% of the findings and observations, while the Privacy and Breach Notification Rules yielded 30% and 10% respectively 2 1 : CMS Compliance Reviews, HIPAA Compliance Review Analysis and Summary of Results 2 : hqp:// informatcs.com/artcle/ocr- audits- forewarned- forearmed 17

18 * : Stats compiled from 2015 Webinar A Risk Assessment is Not Enough. 18

19 Partnership Program Best solution in the market Designed by Auditors for HIPAA, PCI & GLB Culture of Compliance for the end user TOTAL compliance solution Compliance Coaching Sales & Marketing Support Flexible options for New Revenue Streams Affiliate Referral Reseller 19

20 For more information, contact: Sales & Demo Scheduling Questions Marc Haskelson ext 507 HIPAA Questions Bob Grant ext

21 The Total Compliance Solution The Guard Compliance Simplified Audits Security, Administrative, Privacy Achieve Compliance Coaching Illustrate Seal of Compliance Maintain HIPAA Hotline HIPAA Compliant Incident Management Business Associate Management Document Version Employee Attestation & Tracking Remediation Planning Policies, Procedures & Training u All aspects of compliance satisfied u Compliance simplified! u Compliance Coach walks the client through the whole journey u No client has ever failed an audit! Find out more now: HIPAA ( ) 21

22 22