TRANSCRIPT
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS
Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements
Agenda
Overview and Background of the HIPAA Omnibus Final Rule
Compliance Issues and Practical Solutions for Business Associates and Subcontractors
Questions and Answers
Copyright © 2013, Strategic Management Services, LLC. All Rights Reserved. www.compliance.com
703-683-9600
OVERVIEW AND COMPLIANCE ISSUES
HIPAA Omnibus Final Rule
The HIPAA Omnibus Final Rule, which had a compliance date of September 23, 2013, made significant modifications to the following areas of relevance to business associates and subcontractors:
- Business associate (BA) definition and liabilities
- Business associate agreements (BAAs)
- Breach notification
- Enforcement
Business Associate Definition
Under the Omnibus Final Rule, a BA is defined as a person who “creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity (CE).”
The Omnibus Final Rule clarifies that the following additional entities fall under the definition of BA:
- Patient safety organizations
- Health information organizations
- E-prescribing gateways
- Vendors of personal health records
- Any person/entity that provides data transmission services to a CE and requires routine access to the PHI
- Any person/entity that stores or maintains PHI on behalf of a CE whether or not they routinely access the PHI
Business Associate Liability
The Omnibus Final Rule extends direct liability to BAs for compliance with the HIPAA Security Rule and certain Privacy Rule provisions. BAs must:
- Develop policies and procedures.
- Conduct a risk analysis.
- Train members of the workforce on their responsibilities under HIPAA.
- Provide breach notification to covered entities.
- Sign subcontractor business associate agreements (subcontractor BAAs) with subcontractors.
Subcontractors
Under the Omnibus Final Rule, a subcontractor is defined as a person to whom a BA delegates a function, activity or service that involves PHI and that was initially delegated to the BA by the CE.
Subcontractors have the same responsibilities and liabilities as the BA. These responsibilities and liabilities are defined through the subcontractor BAA.
Business Associate Agreements
A CE must execute a BAA with each of its BAs. A BA must execute a subcontractor BAA with each of its subcontractors.
The Omnibus Final Rule requires that CEs and BAs update their BAAs to include additional content.
- General deadline (September 23, 2013): BAAs that were executed after January 25, 2013 or were renewed or modified between March 26, 2013 and September 23, 2013.
- Transition Rule deadline (September 22, 2014): BAAs that were in effect prior to January 25, 2013 and were not renewed or modified between March 26, 2013 and September 23, 2013.
PRACTICAL SOLUTIONS
Contract Management Process
PRACTICAL SOLUTIONS FOR CONTRACT PLANNING
Contract Planning
- Have you reviewed your arrangements with third parties to identify those that are subject to HIPAA? Does the arrangement involve the creation, receipt, maintenance or transmission of PHI on behalf of a CE?
- Have you determined your role in each covered arrangement? Are you a BA or a subcontractor?
Arrangements
[Diagram: a Covered Entity at the top, Business Associates beneath it, and Subcontractors (Subcontractor, Subcontractor A, Subcontractor B) beneath the Business Associates]
Contract Planning
- Have you reviewed your existing subcontractor BAAs to determine the compliance deadline to which they are subject?
  - September 23, 2013 (General)
  - September 22, 2014 (Transition Rule)
- Have you prioritized your existing subcontractor BAAs to update those that do not qualify for the Transition Rule first?
Contract Planning
Prioritize your contracts: evaluate multi-year contracts, automatic renewals and evergreen contracts against the two deadlines.
- September 23, 2013
- September 22, 2014
Contract Planning
- How will you ensure the most up-to-date version of the BAA/subcontractor BAA is used? Where is it stored? Do the appropriate people know how/where to access it?
- Who is authorized to sign BAAs/subcontractor BAAs on behalf of your organization?
- Who is responsible for tracking and maintaining signed BAAs/subcontractor BAAs? How are they logged? Where are they stored? How are expiration dates tracked?
- Who is responsible for updating contracts pursuant to regulatory or organizational changes?
Contract Planning
- Delegate: develop a remediation team
  - Contracting Representative
  - Privacy Officer
  - Security Officer
  - Compliance Officer
  - Legal Representative
- Create a work plan
- Implement: execute your work plan
Sample Work Plan (Remediation Work Plan)

Task                                                | Timeframe         | Personnel Assigned | Status
----------------------------------------------------|-------------------|--------------------|-------
Create and/or revise BAA/subcontractor BAA template | Day 1-15          |                    |
Identify existing BAAs/subcontractor BAAs           | Day 1-15          |                    |
Renegotiate existing BAA/subcontractor BAAs         | Day 15-30         |                    |
Create BAA Policy/Subcontractor BAA Policy          | Day 30 and beyond |                    |

(Personnel Assigned and Status are left blank in the sample for the organization to fill in.)
BAA/Subcontractor BAA Policy
- Privacy and Security requirements
- State requirements
- Procedures related to:
  - Determination of business associate/subcontractor status
  - Initiation of business associate/subcontractor status
  - Tracking and maintenance of BAA/subcontractor BAA
- Template
PRACTICAL SOLUTIONS FOR CONTRACT DEVELOPMENT
Contract Development
Have you incorporated the following into your BAAs/subcontractor BAAs?
Omnibus Final Rule Requirements: BAAs must contain language requiring the BA or subcontractor to:
- Comply with the Security Rule;
- Report breaches to the CE in accordance with breach notification rules;
- Ensure subcontractors agree to the same restrictions that apply to BAs with respect to PHI; and
- Comply with any Privacy Rule requirements applicable to the CE in the performance of the service.
HHS Sample BAA Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Contract Development
Have you incorporated the following into your BAAs/subcontractor BAAs?
Applicable state laws. Have you…
- Conducted a preemption analysis?
- Determined which state laws are more stringent than HIPAA?
- In each case, included the more stringent law in the subcontractor BAA?
- Reviewed state definitions of “protected” or “sensitive” health information?
Examples: California, Texas
Additional Tips
Beyond HIPAA/State Laws – additional elements to include in BAAs/subcontractor BAAs:
- All requirements contained in the BAA your organization signed with the CE
- Contract expiration date
- Data breach notification requirements: timeliness, response and reporting
- Restrictions related to subcontracting
- Training requirements
- Policies and procedures
- Indemnification/reimbursement of incident response costs
Contract Execution
How do you ensure that…
- Your organization is in compliance with the terms of the BAAs/subcontractor BAAs it has signed with upstream entities?
- Your BAs/subcontractors are in compliance with the terms of the BAAs/subcontractor BAAs they have signed with your organization?
Contract Execution
Audits of BAs and subcontractors
- Internal Assessments
  - Verify compliance with BAA/Subcontractor BAA Policy
  - Verify compliance with HIPAA privacy and security requirements
  - Verify compliance with risk analysis
  - Maintenance of documentation
- External Assessments
  - Request BAs' and subcontractors' policies and procedures with respect to privacy and security of PHI (e.g. Breach Notification Policy)
  - Request BA or subcontractor to demonstrate how it will respond to an Office for Civil Rights investigation
  - Request training updates: date of last training, training content, percent completion
STRATEGIC MANAGEMENT HIPAA SERVICES FOR BUSINESS ASSOCIATES & SUBCONTRACTORS
Strategic Management Services HIPAA Services for Business Associates and Subcontractors
- State Regulatory Analyses
- Policy and Procedures
- Risk Assessments
- Gap Analysis
- Training
- Advisory Services
- Auditing and Monitoring
Take Home Message
- Prioritize
- Delegate
- Implement
Contact Information
Betta Sherman, MPP, CHC, Senior Associate [email protected]
Camella Boateng, MPH, CHC, Vice President [email protected]
Suzanne Charleston, Vice President of Business Development [email protected]