1 Copyright 2007-2015 Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients


Page 1: Title slide – Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients

Page 2: Federal Regulations

§  HIPAA: Health Insurance Portability and Accountability Act of 1996
  •  Purpose: to protect confidential information through improved security and privacy standards

§  HITECH: The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009

§  Omnibus Rule of 2013

Page 3: Entities Defined

§  Covered Entity (CE): Health care providers, health plans, and health care clearinghouses who electronically transmit any Protected Health Information (PHI)

§  Business Associate (BA): Creates, receives, maintains or transmits PHI on behalf of a Covered Entity (CE)

§  Subcontractor: Creates, receives, maintains or transmits PHI on behalf of a BA

Page 4: Are You A Business Associate?

Examples:

§  IT Support and Software Vendors
§  IT Equipment Vendors
§  Leasing Firms
§  Telephone CPE Vendors
§  Shredding Vendors
§  Data Centers
§  Cloud Computing Providers
§  Answering Services for Medical Offices
§  Medical Billing Services
§  Medical Transcription Services
§  Medical Collection Agencies
§  Temporary Employment Agencies

Page 5: Omnibus Rule

§  Substantially increased the magnitude of HIPAA enforcement risk and liability

§  Before Omnibus: BAs/Subcontractors were regulated through Business Associate Agreements (BAAs)

§  After Omnibus: BAs/Subcontractors are now regulated directly under HIPAA:
  •  Comply with the HIPAA Security Rule
  •  Comply with a specific section of the HITECH Breach Notification Rule
  •  Comply with all applicable provisions of the Privacy Rule
  •  Still need to provide a BAA

Page 6: Business Associate Agreement

Agreement between the CE and BA to govern the BA’s creation, use, maintenance and disclosure of PHI.

§  Must comply with the HIPAA Security and Privacy Rules
§  BAAs have ALWAYS been required by HIPAA
§  After Omnibus – Requires reciprocal monitoring by the BA & CE
§  Subcontractors of BAs are treated as BAs as well

Page 7: Your Liabilities

Business associates are directly liable for:

1.  Impermissible uses and disclosures
2.  Failure to provide breach notification to the CE
3.  Failure to provide access to a copy of ePHI to either the CE, the individual, or the individual’s designee
4.  Failure to disclose PHI where required by the HHS to investigate or determine the BA’s HIPAA compliance
5.  Failure to follow the Minimum Necessary standard when using or disclosing
6.  Failure to provide an accounting of disclosures

Page 8: Penalties For Non-Compliance

Violation Category, Section 1176(a)(1)   | Each Violation           | All such violations of an identical provision in a calendar year
(A) Did Not Know                          | $100 to max $50,000      | $1,500,000
(B) Reasonable Cause                      | $1,000 to max $50,000    | $1,500,000
(C)(i) Willful Neglect, Corrected         | $10,000 to max $50,000   | $1,500,000
(C)(ii) Willful Neglect, Not Corrected    | $50,000                  | $1,500,000

Before Omnibus: No more than $100 per violation or $25,000 for all identical violations
After Omnibus: Violation penalties ↑, no more “Did Not Know” defense

Page 9: Willful Neglect

§  NO plan to show you are working towards FULL compliance despite not being compliant at the moment
§  NO visible, demonstrable evidence that you are either in compliance or making a serious attempt at compliance
§  You have legal documents, but they do not meet the specific requirements of the regulations
§  You have legal documents/manuals but NO policies and procedures to support said documents

Page 10: What You NEED To Do

Your Compliance Requirements as a Business Associate:

1)  Security Management
  §  Risk assessment, Risk management
2)  Assigned Security Responsibility
3)  Information Access Management
4)  Workforce Security
5)  Employee Training
6)  Security Incident Plan
7)  Contingency Plan
8)  Evaluation – Annual/periodic evaluation

Page 11: Compliance Plan

Step 1. Assess where you are against the regulation (GAP)
  •  The key to a risk analysis is auditing yourself against the administrative, technical, and physical aspects of HIPAA

Step 2. Remediation Plan
  •  Prove that you remediated the deficiencies identified in the risk analysis
  •  Policies & Procedures, Training, and Attestation

Page 12: Compliance Plan (Continued)

Step 3. How do you prove it? Successful compliance plans address:
  •  Administration and Technical
    §  Policies and Procedures
  •  IT security
    §  Devices installed and maintained within your organization
  •  Physical
    §  Security within physical locations of your practice(s)

Step 4. Maintain your compliance
  •  As the regulations, staff, and practice change


Page 14: To Be, Or Not To Be…

§  Protect you and your clients’ reputations
§  Limit your liabilities
  •  Protect PHI
§  Differentiate your company
  •  Retain Clients
  •  Obtain New Clients

This is a Federal Mandate

Page 15: Health Care Industry

$44 Billion – Incentive Dollars Paid
3-5 Million – CEs & BAs
70-79% – Are NOT Compliant

§  Heavy Enforcement
§  In the News
§  Reputation vs. Fines

Page 16: Trends in HIPAA Enforcement

[Chart of enforcement cases; labels: Nonprofit (Alaska), Pharmacy (Colorado), Hospital (Texas), Anthem, Dentist (Indiana)]

§  Indiana Dentist – License Permanently Revoked for “Mishandling medical records”
§  Denver Pharmacy – “failed to provide training as required by the Privacy Rule.”
§  Alaskan Nonprofit – “policies and procedures were not followed and/or updated.”
§  Wellpoint Inc. – $1.7 Million settlement caused by a BA performing a software upgrade

Page 17: The Big Misconception

“I completed a Risk Assessment, I’m HIPAA Compliant.”

A Risk Assessment is only a part of HIPAA compliance. ALL aspects of HIPAA are needed to pass an audit.

•  70% of Covered Entities are not compliant
•  79% of Covered Entities fail their Meaningful Use audit

CEs fail to understand the difference between HIPAA and HITECH.

“Problems were discovered with most or all CEs’ policies and procedures, including those for performing Risk Assessments”[1]

“89% of the entities audited were non-compliant in one or more areas. Security Rule issues accounted for 60% of the findings and observations, while the Privacy and Breach Notification Rules yielded 30% and 10% respectively”[2]

1: CMS Compliance Reviews, “HIPAA Compliance Review Analysis and Summary of Results”
2: http://www.healthcare-informatics.com/article/ocr-audits-forewarned-forearmed

Page 18

*: Stats compiled from the 2015 Webinar “A Risk Assessment is Not Enough.”

Page 19: Partnership Program

§  Best solution in the market
  •  Designed by Auditors for HIPAA, PCI & GLB
  •  Culture of Compliance for the end user
  •  TOTAL compliance solution
  •  Compliance Coaching

§  Sales & Marketing Support

§  Flexible options for New Revenue Streams
  •  Affiliate Referral
  •  Reseller

Page 20: For more information, contact:

Sales & Demo Scheduling Questions
Marc Haskelson
855.854.4722 ext 507
[email protected]

HIPAA Questions
Bob Grant
855.854.4722 ext 502
[email protected]

Page 21: The Total Compliance Solution – The Guard

www.compliancy-group.com
855.85 HIPAA (855.854.4722)

Compliance Simplified – Find out more now:

[Diagram: “HIPAA Compliant” at the centre, surrounded by Achieve / Illustrate / Maintain, with the following components]

§  Audits: Security, Administrative, Privacy
§  Remediation Planning
§  Policies, Procedures & Training
§  Business Associate Management
§  Document Version
§  Employee Attestation & Tracking
§  Incident Management
§  Seal of Compliance
§  HIPAA Hotline
§  Compliance Coaching

§  All aspects of compliance satisfied
§  Compliance simplified!
§  Compliance Coach walks the client through the whole journey
§  No client has ever failed an audit!
