Compliancy Group: industry-leading education, Certified Partner Program. Please ask questions.
Today's slides are available at http://compliancy-group.com/slides023/
Past webinars and recordings: http://compliancy-group.com/webinar/
855.85HIPAA, www.compliancygroup.com
HIPAA New Final Omnibus Rule: Key Business Associate Implications for Your Organization
Your Presenter
A.J. (Andy) Weitzberg
President of HIPAA Continuity Planners
President of the Association of Contingency Planners, Long Island Chapter
History
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009
- Omnibus Rule of 2013
The Omnibus Rule conforms the HIPAA regulations to the HITECH Act changes:
- Before HITECH, BAs were regulated only through business associate contracts or agreements ("BAAs")
- After HITECH, BAs and their subcontractors are regulated directly under HIPAA, therefore they:
  - Must comply with the Security Rule
  - Must comply with parts of the Privacy Rule and with the provisions of the BAA
By the Numbers, 2009 through 2012*
- 538 breaches of protected health information (PHI)
- 21,408,505 patient health records affected
- 21.5% increase in the number of large breaches in 2012 over 2011
- 77% decrease in the number of patient records impacted
- 67% of all breaches were the result of theft or loss
- 57% of all patient records breached involved a business associate
- Business associates have impacted 5 times as many patient records as covered entities
- 38% of incidents were the result of an unencrypted laptop or other portable electronic device
- 63.9% of total records breached in 2012 resulted from the 5 largest incidents
- 780,000 records were breached in the single largest incident of 2012
*These numbers include breaches that affected more than 500 individuals and were reported to HHS from August 2009 to January 17, 2013.
Expanded Definition of Business Associates
- Business associate: one who, on behalf of a covered entity, creates, receives, maintains or transmits PHI*
- Status as a BA is based upon role and responsibilities, not upon who the parties to the contract are
- The contract between the covered entity's BA and that BA's subcontractor must satisfy the BA agreement requirements
- Subcontractor of a business associate: one who creates, receives, maintains or transmits PHI* on behalf of a business associate
*Personal Health Information
Business Associate - Consequences
- The Secretary (HHS) is authorized to receive and investigate complaints against BAs (including subcontractors), and to take action regarding complaints and noncompliance
- BAs (incl. subcontractors) are required to maintain records and submit compliance reports to the Secretary, cooperate in complaint investigations and compliance reviews, and give the Secretary access to information
- BAs (incl. subcontractors) are forbidden to intimidate, discriminate against, etc. those who make complaints, cooperate with regulators or oppose unlawful actions
- BAs (incl. subcontractors) are subject to civil money penalties for HIPAA violations
- BAs and subcontractors remain liable under contract to the Covered Entity and the BA
How Do These Updates Affect Your Business?
As a Business Associate you have HIPAA/HITECH compliance requirements:
1. A Written Risk Analysis
2. A Written Continuity Plan
3. Documented Security Practices and Procedures
4. An Incident Response Plan (Breach Response)
5. A Record Disposal Procedure for Electronic Media and Paper Records
6. An Employee Training Program
7. Termination Procedures
8. Documentation and Logs
Definition of a Breach The final rule also changes the risk analysis requirements for determining when a breach has occurred. Previously, a risk of harm threshold was considered in determining whether a breach had occurred. The Office of Civil Rights (OCR) changes in the final rule create almost a presumption of a breach, which will seemingly make it more likely that a business will be required to notify those individuals whose personal health information has been affected, HHS and possibly the media.
Penalties for Your Non-Compliance
CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

Violation Category, Section 1176(a)(1)    Each Violation               All such violations of an identical provision in a calendar year
(A) Did Not Know                          $100 to max $50,000          $1,500,000
(B) Reasonable Cause                      $1,000 to max $50,000        $1,500,000
(C)(i) Willful Neglect - Corrected        $10,000 to max $50,000       $1,500,000
(C)(ii) Willful Neglect - Not Corrected   $50,000                      $1,500,000
Several HITRUST* members will now require business associates to follow the framework and document their compliance with it.
*The Health Information Trust Alliance, or HITRUST, in collaboration with healthcare, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any organization that creates, accesses, stores or exchanges personal health and financial information. The most widely adopted security control framework in the U.S. healthcare industry, the CSF includes a prescriptive set of controls and supporting requirements that clearly define how organizations meet the objectives of the framework.
Are You a Business Associate?
Illustration of the types of firms that are now considered Business Associates:
- IT Support and Software Vendors
- IT Equipment Vendors
- Leasing Firms
- Telephone CPE Vendors
- Shredding Vendors
- Data Centers
- Cloud Computing Providers
- Answering Services for Medical Offices
- Medical Billing Services
- Medical Transcription Services
- Medical Collection Agencies
- Temporary Employment Agencies
Questions
A.J. (Andy) Weitzberg
President, HIPAA Continuity Planners
Email: AJ@HIPAACP.COM
1.800.654.2041 Toll Free
1.631.654.4001 Office
1.516.641.4001 Mobile
HIPAA Compliance, HITECH Attestation, Omnibus Rule Ready, Meaningful Use core measure 15
Free Demo and 60 Day Evaluation: www.compliancy-group.com
HIPAA Hotline: 855.85HIPAA (855.854.4722)