It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?

Similar documents
BUSINESS ASSOCIATE AGREEMENT. Recitals

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Sample Business Associate Agreement Provisions

BUSINESS ASSOCIATE AGREEMENT

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

BUSINESS ASSOCIATE AGREEMENT

Business Associate Agreement (BAA) Guidance

SAMPLE BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

Business Associate Considerations for the HIE Under the Omnibus Final Rule

Business Associate Agreement

OFFICE OF CONTRACT ADMINISTRATION PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

BUSINESS ASSOCIATES AND BUSINESS ASSOCIATE AGREEMENTS

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

HIPAA Business Associate Contract. Definitions

SaaS. Business Associate Agreement

HIPAA Compliance And Participation in the National Oncologic Pet Registry Project

Business Associates: HITECH Changes You Need to Know

Creating Stable Security & Compliance Relationships

University Healthcare Physicians Compliance and Privacy Policy

BUSINESS ASSOCIATE ADDENDUM

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA Privacy Rule Policies

BUSINESS ASSOCIATE AGREEMENT

Exhibit 2. Business Associate Addendum

MMA SAMPLE FORM *REVIEW CAREFULLY & ADAPT TO YOUR PRACTICE*

BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

This form may not be modified without prior approval from the Department of Justice.

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

BUSINESS ASSOCIATE AGREEMENT HIPAA Omnibus Rule (Final Rule)

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Use & Disclosure of Protected Health Information by Business Associates

BUSINESS ASSOCIATE AGREEMENT Tribal Contract

The Institute of Professional Practice, Inc. Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT ( BAA )

Business Associate Agreement

DHHS POLICIES AND PROCEDURES

Covered Entities and Business Associates: An Evolving Relationship

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

How To Write A Community Based Care Coordination Program Agreement

Am I a Business Associate?

HIPAA BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

HIPAA Business Associate Agreement

Enclosure. Dear Vendor,

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230

Please print the attached document, sign and return to or contact Erica Van Treese, Account Manager, Provider Relations &

DRAFT BUSINESS ASSOCIATES AGREEMENT

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

BUSINESS ASSOCIATE AGREEMENT. (Contractor name and address), hereinafter referred to as Business Associate;

ADDENDUM TO ADMINISTRATIVE SERVICES AGREEMENT FOR HIPAA PRIVACY/SECURITY RULES

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

SAMPLE BUSINESS ASSOCIATE AGREEMENT

Business Associate Agreement

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell. Topics Covered Part One. Topics Covered Part Two.

Business Associate Contract

Check In Systems. Software Usage Agreement

Snake River School District No. 52 HIPAA BUSINESS ASSOCIATE AGREEMENT (See also Policy No. 7436, HIPAA Privacy Rule)

BUSINESS ASSOCIATE AGREEMENT

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

Welcome. This presentation focuses on Business Associates under the Omnibus Rule of 2013.

Disclaimer: Template Business Associate Agreement (45 C.F.R )

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

M E M O R A N D U M. Definitions

CONTRACT ADDENDUM BUSINESS ASSOCIATE CONTRACT 1

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR Court Reporters and HIPAA

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

BUSINESS ASSOCIATE AGREEMENT

COVERMYMEDS BUSINESS ASSOCIATE AGREEMENT

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

OCR UPDATE Breach Notification Rule & Business Associates (BA)

HIPAA BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

Definitions. Catch-all definition:

VERSION DATED AUGUST 2013/TEXAS AND CALIFORNIA

INTERMACS REGISTRY BUSINESS ASSOCIATE AGREEMENT

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

BUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT

HIPAA Privacy and Business Associate Agreement

BUSINESS ASSOCIATE AGREEMENT

Information for Agents and Brokers Regarding the HIPAA Business Associate Agreement

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

HIPAA BUSINESS ASSOCIATES CONTRACT FOR EYE CARE PROVIDERS 1 ST ADDENDUM

BUSINESS ASSOCIATE AGREEMENT

Health Partners HIPAA Business Associate Agreement

Transcription:

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? The AMC Privacy & Security Conference Series Securely Connecting Communities for Improved Health June 22, 2015 Rebecca Fayed Associate General Counsel & Privacy Officer The Advisory Board Company SAM Sather Vice-President Clinical Pathways Patricia Corn Privacy Program Manager Wake Forest Baptist Medical Center

2 Business Associates Who Are They? A person who [on behalf of a covered entity] creates, receives, maintains, or transmits protected health information for a function or activity regulated by [the Privacy Rule] or provides, [certain] services to or for such covered entity where the provision of the service involves the disclosure of protected health information to the person. 45 C.F.R. 160.103 (emphasis added) Who is HIO E-Prescribing Gateway Provider of data transmission requiring access to PHI PHR Vendor on behalf of CE Subcontractor to a BA Who is Not Health care providers for treatment purposes Plan sponsors Government agencies PHR Vendor not acting on behalf of CE or BA OHCA Participant

3 Business Associates What Must They Do? A covered entity may disclose protected health information to a business associate if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. The satisfactory assurances must be documented through a written contract or other written agreement or arrangement. 45 C.F.R. 164.502(e) BA Obligations (Pre-HITECH) Limit use and disclosure to contract Implement safeguards Report to CE impermissible use, disclosure, security incident Downstream obligations to subcontractors Comply with access, amendment, and accounting obligations Make books and records available Return or destroy PHI upon termination! Significant (Additional) Post-HITECH BA Obligations Limit use and disclosure to Privacy Rule Notify CE of Breach of unsecured PHI Comply with the Security Rule Provide electronic copy of PHI to CE

4 Business Associates What Should They Do? Take Steps to Create a Culture of Compliance Designate a Privacy Officer and Information Security Officer Review, revise, and implement policies and procedures Conduct risk assessments and implement appropriate safeguards, including encryption. Develop and conduct training Set up process and means for questions, incident reporting, etc. Review and revise business associate agreements Assess business associates and subcontractor compliance Identify incident response team and other responsible parties for security incidents, breaches, or other incidents and have plan in place to address these incidents and sanction workforce Get senior leadership and board on board with a culture of compliance

5 Business Associate Agreements Required Provisions Establish uses and disclosures of PHI and prohibit others Implement appropriate safeguards and comply with HIPAA Security Rule Report impermissible uses and disclosures, breaches of unsecured PHI, and security incidents Downstream BAA obligations to subcontractors Make PHI available in compliance with access and amendment requirements Make information available in compliance with accounting for disclosure requirements Make books and records related to use and disclosure of PHI available to Secretary of HHS If feasible, return or destroy PHI upon termination of agreement; if not feasible continue to protect the PHI Authorize termination of the agreement if the BA materially breaches BAA Comply with the Privacy Rule to the extent BA is to carry out a covered entity's obligation under the Privacy Rule (if not applicable, provision is not required)

6 Business Associate Agreements Other Common Provisions May use or disclose PHI: For the proper management and administration of the BA or to fulfill its legal obligations To provide data aggregation services relating to the health care operations of the covered entity To deidentify the PHI in compliance with the Privacy Rule Comply with minimum necessary standard Mitigate, to the extent practicable, any harmful effect that is known to the BA of an impermissible use or disclosure of PHI

Business Associate Agreements Other Considerations 7 Whose template BAA should be used? How quickly must the BA notify the Covered Entity of 1) impermissible disclosures; 2) security incidents; and 3) breaches of unsecure PHI? If notification timeline is fairly short, can BA follow up with additional information as investigation unfolds? Who will notify individuals in the event of a breach? Who will pay the costs associated with a breach or for mitigating harmful effects? Should the BA be required to carry some type of privacy and security liability insurance? How should unsuccessful security incidents be reported to the Covered Entity? Should the BA have an opportunity to cure a breach of the agreement prior to termination? Should the BAA dictate specific security safeguards or require compliance with the Security Rule? Should the BAA require that the Covered Entity provide consent for use of subcontractors?

Perspectives 8 Covered Entity Perspective Business Associate Perspective www.clinicalpathwaysresearch.com

Business Associate Perspective Experience with CEs and BA Agreements Clinical Pathways provides services that are both covered and non-covered services Training Auditing Monitoring Quality System evaluation

Business Associate Perspective Experience with CEs and BA Agreements Consultant hired by the research center that is a CE vs. Auditor hired by the sponsor Misinterpretation of BA definition and Sponsor Monitoring Requests for BA agreement or other layers of confidentiality or security agreements. Implications

Business Associate Perspective Experience with CEs and Access to PHI that is pertinent to the study. Questions?

Covered Entity Perspective Challenges Who is our Business Associate? Are we their BA? o Making that decision Risk Assessment and timing? o What kind do we accept? Does it have to be 3 rd party? o Review of the results Pushback (internal and external) o Negotiation of terms of agreement? Keeping track/housing executed agreements Auditing Scope Creep

Covered Entity Perspective Successes Develop/depend on relationships Develop process/chokepoints o Include key stakeholders Legal, IT Security, Research (?hybrid entity status), Procurement o Don t try to reinvent the wheel Agree upon priorities for review o Data risk stratification o Breach notification timeline Store in central place(s) EDUCATE o Yourselves o Internal customers o Leadership

14 QUESTIONS?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information