HIPAA Compliance for Business Associates ISBA Health Law Symposium October 10, 2017


HIPAA Compliance for Business Associates ISBA Health Law Symposium October 10, 2017 Presenters: Isaac M. Willett & Doriann H. Cain

Business Associates & HIPAA in 2017
- Increasing focus on business associates and business associate relationships
- Phase II audits include business associates
- OCR settlements re: failure to have BAAs in place
- Major settlements with record fines for security violations
- OCR guidance on topical security issues

What/who is a Business Associate? Providers of certain covered functions
- A person or organization that, on behalf of a Covered Entity, creates, receives, maintains or transmits PHI for a function or activity regulated by HIPAA
- Examples: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management and re-pricing

What/who is a Business Associate? Providers of professional services
- The service involves disclosure of PHI to the provider
- Legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services

Business Associates & the HITECH Act
- Post-HITECH Final Rule: expanded definition of Business Associate
- Now includes subcontractors of a Business Associate
- The definition applies even without a written contract
- In sum, a subcontractor is a Business Associate of a Business Associate

OCR Guidance on Cloud Computing
- Makes clear that when a cloud service provider (CSP) creates, receives, maintains or transmits ePHI, it is a business associate
- CSPs are business associates even if the PHI is encrypted and the CSP does not hold the encryption key (so-called "no-view" services)
- CSPs rarely fall within the conduit exception, which covers only transient storage incidental to transmitting PHI (e.g., an ISP); persistent storage of ePHI does not qualify

Business Associate Obligations
- Execute and comply with the terms of a BAA with the Covered Entity; the BAA must contain certain terms required by HIPAA
- Comply with the Security Rule:
  - Appoint a security officer
  - Perform and document a risk analysis
  - Implement the required safeguards and written policies and procedures
  - Train personnel
- Comply with the minimum necessary standard
- Report breaches of unsecured PHI to the covered entity

Business Associate Obligations: direct liability
Business associates are directly liable under HIPAA for:
- Uses and disclosures in violation of the BAA or the Privacy Rule, including the minimum necessary standard
- Failing to comply with the Security Rule
- Failing to notify the covered entity of a reportable breach
- Failing to disclose PHI to HHS in response to an investigation
- Failing to disclose ePHI in response to an individual's access request
- Failing to execute agreements with subcontractors
- Failing to address a breach by a subcontractor

Enforcement: Government Sanctions
- Past law: Civil Money Penalties ("CMPs") limited to $100 per HIPAA violation, with a maximum of $25,000 for all violations of an identical nature in a single year
- HITECH (effective 2/17/09): CMPs are now tiered and increase with the level of culpability
- Fines range from $100 per violation to a cap of $1.5 million for all violations of an identical provision per year
- The Office for Civil Rights retains discretion to use corrective action without a penalty where the person did not know of the violation

Enforcement: Government Sanctions (HITECH penalty tiers)

Violation type                  Amount per violation   Cap for identical violations per calendar year
Did not know                    $100 - $50,000         $1.5M
Reasonable cause                $1,000 - $50,000       $1.5M
Willful neglect, corrected      $10,000 - $50,000      $1.5M
Willful neglect, not corrected  $50,000                $1.5M

"Corrected" means corrected within 30 days of the date the person knew, or by exercising reasonable diligence would have known, of the violation.

Business Associate Agreements
- The covered entity must have a BAA in place before disclosing PHI to a business associate or authorizing the business associate to create or receive PHI on its behalf
- The BAA limits the BA's use of PHI
- The BA needs a BAA with each subcontractor; match the scope of the downstream BAA to the BAA between the CE and the BA
- The BA must comply with the terms of the BAA; failure exposes it to a breach-of-contract claim by the covered entity and to HIPAA penalties imposed by OCR
- A BA must comply with HIPAA even if no BAA has been signed

Business Associate Agreement: Required Terms
- Establish the permitted uses and disclosures of PHI
- Allowance for use and disclosure for the BA's own management or administration
- Implementation of safeguards; compliance with the Security Rule
- Report breaches (and any other use or disclosure not permitted by the BAA)
- Cooperate in allowing access to, amendment of, and accounting of disclosures of PHI
- Execution of BAAs with subcontractors
- On termination, return or destroy PHI (or extend the BAA's protections to it if return or destruction is infeasible)

Pro-Business Associate Terms
- Covered Entity will not disclose PHI to the BA unless necessary
- Covered Entity will notify the Business Associate of all restrictions it has agreed to on the use or disclosure of PHI
- Right to cure a breach before termination
- Limitation or cap on damages

Business Associate Agreement Negotiation
- When the contractor is not a business associate, a CE may still demand a BAA to "play it safe" or because it is unclear on the definition of business associate
- Alternative: execution of a confidentiality agreement instead of a BAA
- Some BAA terms offered may exceed those HIPAA requires
- Do not assume liability unless HIPAA requires it

Hot Topics
- Negotiated definitions
- Timing for breach notification
- Indemnity / limitations on liability
- Insurance
- Audit rights
- Right to cure before termination
- Use of the cloud
- Offshoring
- Compliance with other laws
- Security protections

Catholic Health Care Services Settlement (June 30, 2016)
- CHCS provides management and IT services to skilled nursing facilities (SNFs)
- First-ever OCR settlement with a business associate
- A CHCS-issued mobile phone was stolen from an employee; it was neither encrypted nor password protected
- The phone contained PHI of over 440 individuals
- $650,000 settlement payment and a 2-year corrective action plan

Care New England Health System (September 23, 2016)
- Parent company of Women & Infants Hospital (WIH)
- Provides information security and technical support to WIH, so it is a business associate
- WIH notified OCR of the loss of unencrypted backup tapes containing PHI of 14,000 individuals
- The BAA between WIH and CNE had been in effect since March 2005 and had not been updated to comply with the HIPAA Omnibus Final Rule
- $400,000 settlement payment and a corrective action plan

Advocate Health Care Network (August 4, 2016)
- Three HIPAA breaches involving 4 million individuals
- Failed to conduct accurate and thorough risk assessments
- Lacked adequate security policies and procedures
- Lacked BAAs (satisfactory assurances) from a business associate to protect ePHI
- $5.55 million settlement payment and a 2-year corrective action plan, due in part to the extent and duration of the non-compliance

Privacy & Security Challenges

Harnessing Health Data
- Electronic format makes analysis easy
- Promote population health
- Improve outcomes
- Better allocate resources
- Predict trends and prevent illness/outbreaks
- Increase sales

Examples
- Optum Labs: joint venture of UnitedHealth and Mayo Clinic; links 5 million Mayo records with 100 million UH claim records to examine outcomes and cost
- CMS Basic Stand Alone Claims Public Use Files (de-identified) and Limited Data Sets (partially de-identified)

Examples
- Professional society data registries, e.g., the NCDR of the American College of Cardiology
- FDA post-market surveillance registries
- IMS Health, vendor of physician prescribing data
- Business associates of all varieties

Related HIPAA Issues
- Data aggregation
- De-identification and limited data sets

Data Aggregation
- Combining the PHI of one covered entity with that of another
- A business associate function: only a business associate may perform it
- Must further the health care operations of the respective covered entities
- Must be authorized by the BAA

Data Aggregation Challenges
- BA wants to aggregate data and the CE refuses
- CE wants the benefit of data aggregation but says its PHI cannot be used for other CEs
- CE wants to be able to remove its data
- BA wants to use aggregated data for a purpose other than the health care operations of the CEs

De-Identification
- De-identified data is not PHI and can be used and disclosed for any purpose
- De-identification standards are strict; there are two recognized methods:
  - Expert determination: a person with appropriate knowledge applies statistical principles, determines that the risk is very small that the information could be used to identify the individual, and documents the analysis
  - Safe harbor: 18 specific identifiers are removed, and the entity has no actual knowledge that the remaining information could be used to identify the individual

De-Identification Challenges
- BAA does not address de-identification
- CE and BA do not agree on whether/when it is permitted
- Parties misunderstand the de-identification standard: it is common to think removal of a few direct identifiers (e.g., name and SSN) is sufficient, when safe harbor also requires removing all date elements except year, geographic detail smaller than a state beyond the first three ZIP digits, and the other listed identifiers
- CE and BA do not agree on use of de-identified data

Limited Data Sets
- Partially de-identified data from which direct identifiers are removed
- Can retain dates and city/state/zip codes (but not street address)
- Must have a data use agreement
- May be used only for health care operations of the CE, research, or public health purposes

LDS Challenges
- BAA does not provide for creation/use of an LDS
- BA wants to use the LDS for purposes other than those permitted
- Confusion between use of an LDS to meet the minimum necessary requirement and use of an LDS for public health, research or health care operations (HCO)
- Failure to recognize that an LDS is still PHI
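The three data states the last few slides distinguish (PHI with only a couple of direct identifiers stripped, a limited data set, and Safe Harbor de-identified data) are easy to confuse in practice. The following is an added example, not part of the slide deck, that encodes the distinction as a check: it applies the Safe Harbor identifier rules from 45 CFR 164.514(b)(2) and the limited data set rules from 164.514(e) to a constructed sample record. The field names, the sample patient and the `classify` tiers are illustration assumptions; the list of restricted three-digit ZIP prefixes is assumed to match the one in OCR's de-identification guidance (2000 census figures) and should be verified against the current guidance before use.

```python
"""Classify a record as PHI, a limited data set (LDS), or Safe Harbor de-identified.

Added example, not from the slide deck. Identifier categories follow
45 CFR 164.514(b)(2) (Safe Harbor) and 164.514(e) (limited data set); the
field names and the sample record are constructed for illustration.
"""
import re
from datetime import date

# Constructed sample record: a fictional patient, not real data.
SAMPLE = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "ssn": "123-45-6789",
    "email": "jane@example.com",
    "street": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "dob": "1930-04-01",
    "admit_date": "2017-03-15",
    "diagnosis": "I10",
}

# Direct identifiers an LDS must drop (164.514(e)(2)): names, street address,
# SSN/MRN/account numbers, e-mail, etc. Town/state/ZIP and dates may stay.
LDS_REMOVED = {"name", "mrn", "ssn", "email", "street"}
# Safe Harbor additionally forbids any geographic unit smaller than a state
# except the first three ZIP digits, and any date element other than year.
SAFE_HARBOR_REMOVED = LDS_REMOVED | {"city"}
# Three-digit ZIP prefixes covering <= 20,000 people (2000 census) that Safe
# Harbor requires to be replaced by "000". Assumption: this is the list in
# OCR's de-identification guidance; verify against current guidance.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}
FULL_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")
YEAR_ONLY = re.compile(r"\d{4}")
AS_OF = date(2017, 10, 10)  # symposium date; reference point for the age > 89 rule


def limited_data_set(record: dict) -> dict:
    """Strip direct identifiers only; dates, city, state and 5-digit ZIP remain.
    The result is still PHI and may be shared only under a data use agreement."""
    return {k: v for k, v in record.items() if k not in LDS_REMOVED}


def safe_harbor(record: dict, as_of: date = AS_OF) -> dict:
    """Apply the Safe Harbor method: drop the identifier fields, truncate ZIP to
    three digits (or "000" for restricted prefixes), reduce dates to the year,
    and bucket ages over 89 into "90+"."""
    out = {k: v for k, v in record.items() if k not in SAFE_HARBOR_REMOVED}
    if "zip" in out:
        zip3 = str(out["zip"])[:3]
        out["zip"] = "000" if zip3 in RESTRICTED_ZIP3 else zip3
    for key, value in list(out.items()):
        if FULL_DATE.fullmatch(str(value)):
            year = int(str(value)[:4])
            # Year of birth alone reveals an age over 89, so it must be bucketed.
            if key == "dob" and as_of.year - year > 89:
                out[key] = "90+"
            else:
                out[key] = str(year)
    return out


def classify(record: dict, as_of: date = AS_OF) -> str:
    """Return "phi", "lds" or "deidentified" for a record in the sample schema.

    "lds" means the direct identifiers are gone but indirect ones (full dates,
    city, 5-digit ZIP, a restricted ZIP3, an age over 89) remain: still PHI."""
    if LDS_REMOVED & set(record):
        return "phi"
    zip_code = str(record.get("zip", ""))
    dob = str(record.get("dob", ""))
    if "city" in record or len(zip_code) > 3 or zip_code in RESTRICTED_ZIP3:
        return "lds"
    if any(FULL_DATE.fullmatch(str(v)) for v in record.values()):
        return "lds"
    if YEAR_ONLY.fullmatch(dob) and as_of.year - int(dob) > 89:
        return "lds"
    return "deidentified"


if __name__ == "__main__":
    # The misunderstanding from the slides: removing name and SSN only.
    stripped = {k: v for k, v in SAMPLE.items() if k not in ("name", "ssn")}
    for label, rec in [("original", SAMPLE), ("name+SSN removed", stripped),
                       ("limited data set", limited_data_set(SAMPLE)),
                       ("safe harbor", safe_harbor(SAMPLE))]:
        print(f"{label:18s} -> {classify(rec)}: {rec}")
```

Running the block shows the point of the slides: stripping name and SSN still leaves the record classified as PHI (MRN, e-mail and street address remain), the limited data set keeps full dates and the 5-digit ZIP and is therefore still PHI, and only the Safe Harbor output (year-only dates, 3-digit ZIP, no city) drops out of PHI. A real pipeline would also need the "no actual knowledge" check and a policy for free-text fields, which a field-name rule cannot cover.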

Best Practices
- Think through data aggregation, de-identification and LDS on the front end
- Be sure the underlying agreement/BAA addresses these issues
- Educate clients on the requirements/limitations of each

Security Breaches
- BAs must give notice of breaches of unsecured PHI (PHI not rendered unusable, unreadable or indecipherable to unauthorized persons, e.g., by encryption meeting HHS guidance)
- BA must give notice to the CE of a breach
- Subcontractor BAs must give notice to the primary BA
- The BAA must address security breaches

Security Breach Challenges
- Requests that the BA provide notice directly to individuals rather than to the CE; works in some cases (e.g., the TPA of a health plan) but not in others
- Unrealistic time frames for breach reporting
- Downstream BAAs that are not as restrictive as the primary BAA

Security Breach Challenges (continued)
- Content of a notice involving a BA
- Allocation of responsibility; use of names/trademarks
- Managing foreign subcontractors
- Liquidated damages clauses for violations
- State law notification obligations
- Implementation

Contact Information
Isaac M. Willett | isaac.willett@faegrebd.com | 317-569-4640
Doriann H. Cain | doriann.cain@faegrebd.com | 317-569-4837