Industry leading Education
Certified Partner Program

855.85HIPAA www.compliancy-group.com

• Please ask questions
• Today's slides are available at http://compliancy-group.com/slides023/
• Past webinars and recordings: http://compliancy-group.com/webinar/

HIPAA New Final Omnibus Rule:

“Key Business Associate Implications for Your Organization”


Your Presenter

© HIPAA Continuity Planners 2013

A.J. (Andy) Weitzberg
President of HIPAA Continuity Planners
President of the Association of Contingency Planners, Long Island Chapter

History

• Health Insurance Portability and Accountability Act (HIPAA) of 1996
• The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009
• Omnibus Rule of 2013

Omnibus Rule conforms HIPAA regulations to HITECH Act changes:

– Before HITECH, BAs were regulated through business associate contracts or agreements ("BAAs")
– After HITECH, BAs and subcontractors are now regulated directly under HIPAA; therefore they:
  • Must comply with the Security Rule
  • Must comply with some of the Privacy Rule and the provisions of the BAA

By the Numbers, 2009 through 2012*

• 538 breaches of protected health information (PHI); 21,408,505 patient health records affected
• 21.5% increase in the number of large breaches in 2012 over 2011; 77% decrease in the number of patient records impacted
• 67% of all breaches have been the result of theft or loss
• 57% of all patient records breached involved a business associate
• Business associates have impacted 5 times as many patient records as those at a covered entity
• 38% of incidents were the result of an unencrypted laptop or other portable electronic device
• 63.9% of total records breached in 2012 resulted from the 5 largest incidents
• 780,000 records breached in the single largest incident of 2012

*These numbers include breaches that affected >500 individuals and were reported to HHS from August 2009 to January 17, 2013.

Expanded definition of "Business Associates"

"Business associate": one who, on behalf of a covered entity, creates, receives, maintains or transmits PHI*

• Status as a BA is based upon role and responsibilities, not upon who the parties to the contract are
• The contract between the covered entity's BA and that BA's subcontractor must satisfy the BA agreement requirements

Subcontractor of a business associate: one who creates, receives, maintains or transmits PHI* on behalf of a business associate

*Personal Health Information

Business Associate - Consequences

• The Secretary (HHS) is authorized to receive and investigate complaints against BAs (including subcontractors), and to take action regarding complaints and noncompliance
• BAs (incl. subs) are required to maintain records and submit compliance reports to the Secretary, cooperate in complaint investigations and compliance reviews, and give the Secretary access to information
• BAs (incl. subs) are forbidden to intimidate, discriminate against, etc. those who make complaints, cooperate with regulators or oppose unlawful actions
• BAs (incl. subcontractors) are subject to civil money penalties for HIPAA violations
• BAs/subs remain liable under contract to the Covered Entity and BA

How do these updates affect your business?

As a "Business Associate" you have HIPAA/HITECH compliance requirements:

1. A Written Risk Analysis
2. A Written Continuity Plan
3. Documented Security Practices and Procedures
4. An Incident Response Plan (Breach Response)
5. A Record Disposal Procedure for Electronic Media and Paper Records
6. Employee Training Program
7. Termination Procedures
8. Documentation and Logs

Definition of a Breach

The final rule also changes the risk analysis requirements for determining when a breach has occurred.

Previously, a risk of harm threshold was considered in determining whether a breach had occurred.

The Office of Civil Rights (OCR) changes in the final rule create almost a presumption of a "breach," which will seemingly make it more likely that a business will be required to notify those individuals whose personal health information has been affected, HHS and possibly the media.

Penalties for Your Non-Compliance

CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE (Section 1176(a)(1))

Violation Category                        Each Violation            All such violations of an identical provision in a calendar year
(A) Did Not Know                          $100 to max $50,000       $1,500,000
(B) Reasonable Cause                      $1,000 to max $50,000     $1,500,000
(C)(i) Willful Neglect - Corrected        $10,000 to max $50,000    $1,500,000
(C)(ii) Willful Neglect - Not Corrected   $50,000                   $1,500,000

HITRUST* now has several members that will require business associates to follow the framework and document compliance with it.

*The Health Information Trust Alliance, or HITRUST, in collaboration with healthcare, technology and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by any and all organizations that create, access, store or exchange personal health and financial information. The most widely adopted security control framework in the U.S. healthcare industry, the CSF includes a prescriptive set of controls and supporting requirements that clearly define how organizations meet the objectives of the framework.

Are you a "Business Associate"?

Illustration of the types of firms that are now considered "Business Associates":

• IT Support and Software Vendors
• IT Equipment Vendors
• Leasing firms
• Telephone CPE Vendors
• Shredding Vendors
• Data Centers
• Cloud Computing Providers
• Answering Services for Medical Offices
• Medical Billing Services
• Medical Transcription Services
• Medical Collection Agencies
• Temporary Employment Agencies

Questions

A.J. (Andy) Weitzberg, President
HIPAA Continuity Planners
Email: [email protected]
1.800.654.2041 Toll Free
1.631.654.4001 Office
1.516.641.4001 Mobile

Free Demo and 60 Day Evaluation: www.compliancy-group.com

HIPAA Hotline 855.85HIPAA (855.854.4722)

• HIPAA Compliance
• HITECH Attestation
• Omnibus Rule Ready
• Meaningful Use core measure 15