Forming a HIPAA Compliance Plan
Steps to Compliance:
Managing Business Associates
PRESENTED BY
Today’s Presenters
Daniel B. Brown, Esq.
Healthcare Attorney
Taylor English Duma LLP
Jason Karn
Director Training and IT
Total HIPAA Compliance
Housekeeping
This program is educational and does not
constitute, and may not be construed as,
legal advice to, or creating an attorney-client
relationship with, any person or entity.
The materials referenced here are subject to change, so
frequent review of the source material is suggested.
Who Are The Players?
Covered Entities
Business Associates
Business Associate Subcontractors
Who is a Business Associate?
Any person who performs functions or activities on behalf of, or certain services for, a Covered Entity that involve the use or disclosure of protected health information.
Examples of Business Associates
Lawyers
IT Contractors
Billing Companies
Email Encryption Provider
Web Hosts
Cloud Storage
Make a List
List your Business Associates, with contact information.
Request that each BA make a list of its subcontractors and provide you a copy.
Who is NOT a Business Associate?
Cleaning Company
Laboratories
Physician Referrals
These entities may have access to PHI, but access alone does not make them a Business Associate.
Am I a HIPAA Conduit?
This is a narrow exception and only applies to:
US Postal Services
Internet Service Providers (ISPs)
Physician Referrals
Requirements for a Business Associate
Document Privacy/Security Policies & Procedures
Protect PHI and ePHI
Train Employees
Work with C.E. to send Breach Notifications
Manage Subcontractors
Liability
Violations by a Business Associate also affect Covered Entities.
Business Associates are liable for…
Violations they have created
Violations of a Subcontractor
Common Law of Agency
This change makes a Covered Entity liable for the mistakes of the Business Associate when the Business Associate is an agent of the Covered Entity and is acting in the scope of the agency.
What is a Breach?
A Breach is PHI that has been accessed, used, acquired by, or disclosed to an unauthorized person.
HIPAA Rules apply to PHI in any format:
ePHI
Oral
Paper
Permitted Uses for PHI
Treatment
Payment
Health Care Operations
Certain Public Policy Exceptions
All other uses require an individual’s written authorization.
Breach Exceptions
Unintentional access by an employee
Inadvertent disclosure by a covered entity or business associate employee authorized to access PHI to a co-employee who is also authorized to access PHI
Unauthorized access to PHI by a third party who can’t reasonably use the information in its current format, or retain the disclosed information
Breach Notification
Notice Requirements:
Notify without unreasonable delay, and at the latest within a 60-day timeframe.
The clock starts on the date one knew, or reasonably should have known, about the Breach.
Individuals Affected By Breaches
Individuals Affected by Breaches in 2012, by Entity Type (pie chart):
Business Associate: 42%
Healthcare Clearinghouse: 1%
Healthcare Provider: 49%
Health Plan: 8%
Source: "Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance." 1 Jan. 2013. Web.
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/compliancereport2011-2012.pdf
Auditing Your Business Associates
Privacy and Security Policies and Procedures
Privacy and Security Personnel
Workforce Training and Management
Data Safeguards
Document and Record Retention
Managing Your Business Associates
Periodically review them
Be alert to changes in how they conduct business
The B.A. should provide an updated compliance plan
Special Thanks
Taylor English Duma LLP is a full-service law firm built from the ground up to provide
highest-quality legal services for optimal value. The firm was founded in 2005 and its
attorneys work each day to provide timely, creative and cost-effective counsel to help
clients solve problems and achieve goals. Taylor English represents all types of clients—
from Fortune 500 companies to start-ups to individuals.
Questions?