Business Associate HIPAA Compliance Impact on the Business Associate and Covered Entities
TRANSCRIPT
Joe Dylewski
Health Care Management
© 2012 Health Care Management
HIPAA, HITECH, and The Business Associate
Relationships with Healthcare Entities and Medical Practices
Next Steps
Summary and Q/A
MSPs
MSSPs
IT Service Providers
600K +
▪ Defining the “certain functions or activities”
▪ Disclosures
▪ Services
▪ Reasonable and Appropriate Safeguards
HIPAA
Title II
Administrative Simplification
Electronic Data Interchange (Transaction and Code Sets)
Privacy Rule
Security Rule
Administrative Safeguards
45 CFR 164.308
Physical Safeguards
45 CFR 164.310
Technical Safeguards
45 CFR 164.312
What is HITECH?
▪ HITECH - The Health Information Technology for Economic Recovery and Reinvestment Act of 2009
▪ Meaningful Use Education
▪ HIPAA Enforcement
What changed relative to HIPAA?
▪ Physician Attestation for Meaningful Use
▪ Improved Enforcement
▪ HIPAA ignorance no longer tolerated
▪ Business Associates now have the same HIPAA responsibilities as the Covered Entities they service
Key Statistics
Category                       | Total Breaches | No BA Involved | BA Involved
Percent of Total               | 100%           | 79%            | 21%
Total Individuals Affected     | 21,021,132     | 8,917,133      | 12,103,999
Percent of Total               | 100%           | 42%            | 58%
Average Individuals per Breach | 43,076         | 23,101         | 118,667
Source: U.S. Department of Health and Human Services HIPAA Breach Notifications – September 2009 to May 2012
© 2011 ATMP Solutions
“By exercising reasonable diligence would not have known”
“Due to Willful Neglect if the violation is not corrected”
“Due to Willful Neglect if the violation is corrected”
“Due to Reasonable Cause and not Willful Neglect”
Increasing Degree of HIPAA Compliance Effort
Decreasing Degree of HIPAA Compliance Risk
Business Associate is taking necessary steps to compliance
No Business Associate Contract in place
Business Associate Contract in Place
Business Associate has Conducted Risk Assessment
Increasing Degree of HIPAA Compliance Effort by Covered Entity and Business Associate
Decreasing Degree of HIPAA Compliance Risk to Covered Entity
Business Associate proof of HIPAA Compliance
Is the Covered Entity responsible for their Business Associate’s HIPAA Compliance, or vice versa? No
Is the Covered Entity responsible for engaging in relationships with HIPAA Compliant Business Associates? Yes
If the Business Associate claims HIPAA Compliance, does this imply that the Covered Entity is HIPAA Compliant? No
Solution Compliance
Institutional Compliance
Electronic Medical Record
HIPAA Compliant EMR Hosted in a HIPAA Compliant Facility
EMR Company HIPAA Compliance with respect to internal operating policies
Private Cloud / Data Center
Private Cloud / Data Center
Health Information Exchange (HIE)
Health Information Exchange (HIE)
EMR
Physician Practice
IT Services
Document Destruction
Insurance Company
Health System
Lab
DR Site
Compliance
Privacy / Security
Policy Proof
United States Department of Health and Human Services Office of Civil Rights
Individual state’s Office of The Attorney General
Treat HIPAA compliance with the same degree of diligence and urgency as Accounting, Taxes, and the IRS
Start with a simple checklist of areas that need to be addressed A.K.A. - Risk Assessment