Business Associate Risk


Business Associate Risk: Assessing and Managing Business Associate Risk
Presented by CJ Wolf, MD, COC, CPC, CHC, CCEP, CIA, Healthicity Senior Compliance Executive
Disclaimer: Nothing in this presentation should be construed as legal advice nor relied upon as legal expertise.

Breaches of 500+ individuals
As required by section 13402(e)(4) of the HITECH Act, HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals. As of Feb. 2016, approximately 20% of the listed breaches were attributable to business associates.
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

RevSpring, Inc. (3,000 individuals)
Due to a printing error at the covered entity's (CE) business associate (BA), patients received billing statements containing other patients' protected health information (PHI). The breach included names, account numbers, balances owed, procedure codes and descriptions, provider names, and dates of service. Following the breach, the CE obtained assurances from its BA that additional safeguards were implemented to prevent future disclosures. As a result of OCR's investigation, OCR reviewed the CE's policies and procedures to ensure compliance with the HIPAA Rules and reviewed the breach notification provided to affected individuals and the media.


KPMG LLP (956 individuals)
An employee of Newark Beth Israel Medical Center's business associate (BA), KPMG LLP, lost an unencrypted USB drive that contained the electronic protected health information (ePHI) of 956 individuals. The ePHI included names and clinical information. The CE provided breach notification to HHS, the media, and affected individuals. As a result of OCR's investigation, the BA installed and implemented encryption software on its electronic equipment and devices. In addition, the BA encrypted and password-protected all equipment and devices that could contain the CE's data. The BA also reprimanded and retrained the employee and retrained all employees on safeguarding ePHI.

Global Care Delivery (18,213 individuals)
Five password-protected but unencrypted laptop computers were stolen from Global Care Delivery, a business associate (BA) of the covered entity (CE), North Shore LIJ Health System. The laptops contained the protected health information (PHI) of 18,213 individuals, including names, dates of birth, insurance identification numbers (which contained Social Security numbers), and diagnoses and/or treatment codes related to claims. A login password alone does not render PHI "secured" under HHS guidance; only encryption (or destruction) does, which is why the loss of password-protected but unencrypted devices is a reportable breach. The BA notified police at the time of the incident but did not notify the CE until May 11, 2015. The business relationship between the CE and BA ended effective May 11, 2015. The BA has since closed its business.

E-dreamz (9,988 individuals)
The credit card information of 9,988 patients of the covered entity (CE), Presbyterian Anesthesia Associates, P.A. (now known as Providence Anesthesia Associates, P.A.), was compromised when an unauthorized person gained access to the servers of E-dreamz, the CE's website hosting business associate (BA). The CE provided breach notification to HHS, the media, and affected individuals, and offered them a year of free credit monitoring and identity theft protection. In response to the breach, the CE hired an outside forensic computer specialist to investigate. Additionally, the CE terminated its service agreement with the BA and entered into a satisfactory BA agreement with a new website hosting vendor. That BA agreement prohibits storage of any PHI on the vendor's servers. The CE also reviewed and updated its HIPAA policies and procedures.

Dr. Veronica Joann Barber (4,000 individuals)
Veronica Joann Barber, O.D., (VB) copied the covered entity's (CE) entire database and used the electronic protected health information (ePHI) to solicit patients for her own practice. VB worked at the CE's office under a space-sharing agreement until the CE terminated the agreement. The CE requested that VB cease and desist using the PHI, but she did not agree. The theft occurred on December 15, 2013, and affected 4,000 individuals. The ePHI involved in the breach included individuals' names, Social Security numbers, addresses, driver's licenses, dates of birth, other identifiers, credit card and bank account numbers, claims information, other financial information, diagnoses and medical conditions, medications, and other treatment information. The CE provided breach notification to HHS and affected individuals. Following the breach, the CE installed computer firewalls. Based on OCR's provision of technical assistance, the CE notified the media and completed a risk assessment. It also improved safeguards by denying unlicensed persons access to its computer systems and updating its policies and procedures regarding computer user names and passwords. The CE improved physical safeguards by moving the computer holding the ePHI behind a 5-foot-tall counter.

Pharmacy Chain Enters into Business Associate Agreement with Law Firm
Covered Entity: Pharmacy Chain
Issue: Impermissible Uses and Disclosures; Business Associates
A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer's PHI. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement.

Sample business associate agreement provisions: http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

Steps to Protect Yourself
- Assess the business associate's preparedness and exposure (due diligence)
- Contractual protections
- Specificity of tasks and requirements (statement of work)

Due diligence questions for a business associate (risk analysis and privacy program):
- Has the BA performed a risk analysis? When? What were the results?
- What reasonably anticipated threats to ePHI and system vulnerabilities were identified? What were the top 3 risks identified?
- What mitigation steps have been taken to address the identified risks?
- Does the BA have a written privacy policy? Are employees required to attest to the policy annually?
- Does the BA have a privacy officer? Are the privacy duties part-time or full-time? Is the privacy officer a high-level employee?

Security program and training:
- Does the BA have a written security policy? Are employees required to attest to the policy annually?
- Does the BA have a security officer (HPI)? Are the security duties part-time or full-time? Is the security officer a high-level employee?
- Does the BA require employees to complete HIPAA training? Is completion of the training documented?
- Must the training be completed before the employee is given access to functions that expose PHI?

Independent assessment and encryption:
- Has the BA proactively had an independent third-party audit of its HIPAA compliance program? When? What were the results? What were the top 3 risks identified?
- What mitigation steps have been taken to address the identified risks?
- Was penetration testing performed?
- Encryption: What are the encryption levels (algorithms and key lengths) in use? Are all portable devices encrypted: mobile phones, laptops, tablets, portable flash/USB drives?

Incident response, physical security, and disposal:
- What is the documented communication plan if the BA is contacted by OCR or another regulatory body? Does it include deadlines for contacting the CE in a timely manner? Who will be contacted, and how?
- What is the documented plan for a breach? Is there a written policy that incorporates the Breach Notification Rule's requirements?
- What are the physical security standards for all of the BA's sites?
- Does the BA have a written procedure for compliant destruction of PHI? Has the CE reviewed the procedure?

Compliance Manager: total management, complete guidance, affordable for everyone, bonus resources.
Compliance Services: leverage an expert, optimize revenue, improve accuracy, save time.

Questions? cj.wolf@healthicity.com