Welcome. This presentation focuses on Business Associates under the Omnibus Rule of 2013.

Transcription

1 Welcome. This presentation focuses on Business Associates under the Omnibus Rule of 2013.

2 Business Associates have been part of the focus of the HIPAA regulations since 2003 when the privacy rule went into effect. The HIPAA privacy rule focused on having a policy and procedure in place to govern business associates within an organization. In 2005, the HIPAA security rule required that covered entities put written agreements in place, referred to as business associate contracts. In 2009, the HITECH regulations added additional requirements for business associates, with the biggest change being direct liability for compliance to the HIPAA security rule and parts of the HIPAA privacy rule. In 2013, when the Omnibus Rule was published it included a new definition of a business associate. A business associate is defined as an individual or organization that creates, receives, maintains, or transmits protected health information on behalf of a covered entity. In addition, four new categories were added to the definition: Health Information Exchange, e-prescribing gateway, data transmission services, and those that offer a personal health record. The Omnibus Rule also put responsibility on the business associate to enter into business associate agreements with subcontractors to assure that they are protecting and managing PHI in the same manner as they are required to. Additionally, the Omnibus Rule narrowed the definition of Mere Conduits. Mere Conduits are organizations that simply transport information and don t access it for transport purposes. Examples of mere conduits are US postal services and an

3 internet service provider.

4 Understanding how your business uses third party organizations to conduct day to day tasks will help assure that you have business associate agreements in place appropriately. Some sample business associate functions are: claims processing or administration data analysis, processing or administration utilization review quality assurance billing benefit management practice management repricing. Business associates may provide various services, such as: Legal Actuarial Accounting Consulting Data aggregation Management Administrative Accreditation Financial

5 Working directly with all areas of the organization will help assure that all business associates are identified properly.

6 The following is a list of sample business associates a covered entity may have. A business associate agreement would need to be initiated for all of these vendors. Examples include IT companies that support health care providers Electronic Health Record (EHR) system providers Data centers, online backup companies, Cloud service providers, even if they do not access data Shredding companies Insurance agents A CPA firm whose accounting services to a health care provider involve access to protected health information. An attorney whose legal services to a health plan or provider involve access to protected health information. Any person or entity providing services to a Business Associate that requires access to PHI Data centers, online backup companies, Cloud service providers, providing services to a Business Associate, even if they do not access data

7 When analyzing and implementing your business associate process, a covered entity should assure they are entering into a business associate agreement with each individual third party. A business associate agreement is the agreement between the covered entity and the business associate. A business associate agreement is commonly confused with the contract between an organization and a vendor; however, they are separate. A business associate agreement is used to assure proper safeguards are in place to protect PHI, including permissible uses and disclosures of PHI. A written contract between a covered entity and business associate must: Require the business associate to comply with the requirements applicable to the obligation and requirements by the covered entity Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity s compliance with the HIPAA Privacy Rule Require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity, at termination of the contract, if feasible Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information and will enter into a written agreement with subcontractors

8 Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements.

9 A covered entity should enter into a business associate agreement with all vendors whom they identify as a business associate; however, there are situations where it is not necessary to enter into a business associate agreement. Some examples of when a business associate agreement is not required is When a health care provider discloses protected health information to a health plan for payment purposes, or when the health care provider simply accepts a discounted rate to participate in the health plan s network. With persons or organizations (e.g., janitorial service or electrician) whose functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all. Among covered entities who participate in an organized health care arrangement (OHCA) to make disclosures that relate to the joint health care activities of the OHCA. Where a group health plan purchases insurance from a health insurance issuer or HMO. Where one covered entity purchases a health plan product or other insurance, for example, reinsurance, from an insurer. To disclose protected health information to a researcher for research purposes, either with patient authorization, pursuant to a waiver under 45 CFR (i), or as a limited data set pursuant to 45 CFR (e). When a financial institution processes consumer-conducted financial transactions by debit, credit, or other payment card, clears checks, initiates or processes

10 electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for payment for health care or health plan premiums.

11 As part of the HITECH Act of 2009, and the Omnibus Rule of 2013, business associates are now directly liable for compliance with the HIPAA Security Rule. Business associates must assure they are complying with the entire security rule, including having written policies and procedures as required by the regulations. Business associates are also responsible for complying with some of the components of the HIPAA Privacy Rule. Business associates must have policies and procedures in place to manage several aspects of the HIPAA privacy rule, for example, they: Must not use or disclose PHI, except as permitted under the Privacy Rule May use or disclose PHI only as permitted or required by its business associate agreement or as required by law May not use or disclose PHI in a manner that would violate the Privacy Rule if done by the covered entity (with certain limited exceptions) Must disclose PHI to HHS to investigate or determine compliance Must disclose PHI to the covered entity, individual or individual's designee as necessary to satisfy a covered entity's obligations to respond to an individual's request for an electronic copy of electronic PHI Must not sell PHI, except as otherwise permitted under the Privacy Rule Must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose when using, disclosing or requesting PHI As previously discussed, business associates must enter into a business associate agreement with any subcontractors that they use. They also must assure compliance with any additional requirements from the covered entity defined in the business associate agreement.

12 As part of the Omnibus Rule, Covered Entities need to update their business associate agreements and have them re-signed by all of their business associates. To help with getting this work done, two compliance dates were set based on if the covered entity updated the business associate agreement in 2009, after the HITECH Interim Rule was implemented. If the covered entity updated their Business Associate Agreement in 2009, they have until September 22, 2014 to update and have all BAAs re-signed; however, any new business associate agreements initiated after January 25, 2013 must use a business associate agreement that was updated for the Omnibus Rule regulations. If the covered entity did not update the business associate agreement in 2009, business associate agreements must be updated and re-signed by September 23, Regardless of compliance deadlines, compliance with the Omnibus Rule is required for all Business Associates on September 23, 2013.

13 In order to be successful with the management and implementation of business associate oversight within a covered entity, here are some best practices. 1.Define Ownership of the Business Associate Process within your organization 2.Get involved with the review and negotiation with any new vendors that qualify as a business associate to assure proper compliance within the negotiations 3.Consider asking key questions on safeguards to PHI for a Business Associate prior to entering into the contract 4.Review Accounts Payable on a quarterly or bi-annual basis to determine who the organization is paying and if they would qualify as a business associate 5.Create a log of business associates that includes the organization, contact person, date BAA was sent, date signed BAA was received, date BAA expires, and other information 6.Provide updates and regular reviews to the committee or group that governs HIPAA Compliance within the organization 7.Don t ignore this requirement manage it proactively!

14