Title: HIPAA Business Associate Agreements: Key Components and Obligations
HIPAA BUSINESS ASSOCIATE COMPLIANCE
PRESENTED BY PAUL R. HALES, J.D.
EDUCATIONAL WEBINAR
www.thehipaaetool.com

What Are We Going to Cover?
- HIPAA: Health Insurance Portability and Accountability Act
- Alert: Important New Business Associate HIPAA Enforcement
- HIPAA and Business Associates
- Covered Entities
- Business Associates
- Entangled Responsibilities
- Chain of Trust
- Business Associate Agreements
- Agency
- Due Diligence
- Business Associate Compliance: HIPAA Privacy, Breach Notification and Security Rules
- Your Organization's HIPAA Compliance Program

Health Insurance Portability and Accountability Act of 1996

Definitions
- Covered Entity
  - Health Care Provider
  - Health Plan
  - Health Care Clearinghouse
- Business Associate
  - On behalf of a Covered Entity, Creates, Receives, Maintains or Transmits Protected Health Information (PHI) for a function or activity regulated by the HIPAA Rules
  - Provides Services involving disclosure of PHI from a Covered Entity or from another Business Associate
- Subcontractor Business Associate
  - On behalf of a Business Associate, Creates, Receives, Maintains or Transmits PHI for a function or activity regulated by the HIPAA Rules

- June 28, 2023, OCR Press Release: iHealth Solutions BA Investigation; iHealth Solutions Resolution Agreement and Corrective Action Plan
- July 5, 2023, Blog: Lessons from the OCR iHealth Solutions case: Risk Analysis and HIPAA Training
- February 27, 2023, HHS Announcement: HHS Announces New Divisions Within the Office for Civil Rights to Better Address Growing Need of Enforcement in Recent Years

- OCR statement about iHealth Solutions and Business Associates: "HIPAA business associates must protect the privacy and security of the health information they are entrusted with by HIPAA covered entities," said OCR Director Melanie Fontes Rainer.
- iHealth Solutions Corrective Action Plan (CAP)
  - Risk Analysis and Risk Management
  - HIPAA Policies and Procedures, including management of identified Risks
    - Privacy Rule
    - Security Rule
    - Breach Notification Rule
  - Workforce Training: Privacy, Security and Breach Notification Policies and Procedures
  - Owner or Officer Attestation verifying compliance with the CAP

Brief Background: HIPAA Rules and Business Associates
How and When Business Associates became liable for HIPAA Compliance
- 1996: HIPAA Privacy and Security subtitle applies only to Covered Entities
- 2003: Privacy Rule "Makeshift Fix": before disclosing PHI a Covered Entity must contract with the BA, requiring the BA to safeguard PHI
- 2005: Security Rule also requires the CE to contract with the BA to safeguard ePHI
- 2009: HITECH Act: Congress amends and strengthens the HIPAA statute; the Breach Notification Rule is new
- 2013: Emphasis on Enforcement: BAs now directly liable; Modifications, including direct BA compliance, finalized to the Privacy, Security, Breach Notification and Enforcement Rules

Brief Background: HIPAA Rules and Business Associates
2013 Security and Privacy Rule Modifications
- HIPAA Security Rule: A Covered Entity or Business Associate must identify the Security Official to develop and implement policies and procedures required by the Security Rule for the Covered Entity or Business Associate. 45 CFR 164.308(a)(2)
- HIPAA Privacy Rule: A Covered Entity must designate a Privacy Official to develop and implement the policies and procedures to comply with the Privacy and Breach Notification Rules. 45 CFR 164.530(a)(1)(i); 45 CFR 164.530(i)(1)

Brief Background: HIPAA Rules and Business Associates
2013 Security and Privacy Rule Modifications
- Note: A Covered Entity must
  - identify a Security Official to develop and implement its Security Rule Policies and Procedures, and
  - designate a Privacy Official to develop and implement its Privacy and Breach Notification Rule Policies and Procedures.
- However, Business Associates have no specially named official to develop and implement their Privacy and Breach Notification Rule Policies and Procedures.
- The result: Confusion, Omissions, Violations

Brief Background: HIPAA Rules and Business Associates
2013 Security and Privacy Rule Modifications
- 2013 OCR Guidance, 78 FR 5598, Jan. 25, 2013: Business Associates are directly liable under the HIPAA Rules for a failure to provide breach notification to the covered entity.
- Breach Notification Rule: Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information. 45 CFR 164.402 (Breach)
- Security Rule: Covered entities and business associates must protect against any reasonably anticipated uses or disclosures of electronic protected health information that are not permitted or required under the Privacy Rule. 45 CFR 164.306(a)(3)

Business Associates and Covered Entities: PHI Chain of Trust
PHI -> Covered Entity -> Business Associate -> Subcontractor Business Associate 1 -> Subcontractor Business Associate 2 -> Subcontractor Business Associate 3
Business Associate Agreement required at each link of the Chain

Business Associates and Covered Entities: PHI Chain of Trust
Business Associate Agreements are required between:
- A CE and a BA
- A BA and a Sub-BA
- A Sub-BA and a Sub-BA
CE -> BA -> Sub-BA 1 -> Sub-BA 2 -> Sub-BA 3
CEs are not required to have BAAs with Sub-BAs

Business Associates and Covered Entities: Due Diligence
- Enforcement Rule: Willful Neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. 45 CFR 160.401 (Willful neglect)
- Enforcement Rule: The Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect. 45 CFR 160.306(c)(1)
- Enforcement Rule: The Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions when a preliminary review of the facts indicates a possible violation due to willful neglect. 45 CFR 160.308(a)

Business Associates and Covered Entities: Due Diligence
Due Diligence on Business Associates and Subcontractor Business Associates: Important and Essential. HIPAA Compliant.

Business Associate Privacy Rule Compliance
- A Business Associate may not use or disclose protected health information in a manner that would violate the requirements of the Privacy Rule, if done by a covered entity.
- A Business Associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. 45 CFR 164.502(a)(3)
- A Business Associate is required to disclose protected health information to HHS to investigate or determine the Business Associate's compliance with the Privacy Rule. 45 CFR 164.502(a)(4)(i)

Responsibility for Your Organization's HIPAA Compliance Program
- Senior Management is Responsible
- Delegate Authority to Compliance Officials
- HIPAA Compliance Official: Explain and Teach, Laterally and Up
- Your Audience: Senior Management, Compliance Colleagues
- Avoid Blame, Stick to Facts
- Present Opportunity
- Build Consensus

In conclusion, we have covered:
- HIPAA: Health Insurance Portability and Accountability Act
- Alert: Important New Business Associate HIPAA Enforcement
- HIPAA and Business Associates
- Covered Entities
- Business Associates
- Entangled Responsibilities
- Chain of Trust
- Business Associate Agreements
- Agency
- Due Diligence
- Business Associate Compliance: HIPAA Privacy, Breach Notification and Security Rules
- Your Organization's HIPAA Compliance Program

Thank You
Paul Hales, J.D.