Headaches and Pitfalls in Business Associate Contract Management


Headaches and Pitfalls in Business Associate Contract Management
ISACA Puget Sound Chapter, September Monthly Luncheon Meeting, September 17, 2013
2013 Christiansen IT Law

Presenter CV
John R. Christiansen, J.D. - Christiansen IT Law
- Chair, ABA HITECH Megarule/Business Associates Task Force (2009-present); Committees on Healthcare Privacy, Security and Information Technology (2004-06); on Healthcare Informatics (2000-04); and PKI Assessment Guidelines Health Information Protection and Security Task Group (2000-2003)
- Author, The HITECH Business Associate Contracts Bible (ABA 2013); State and Federal Consent Laws Affecting Health Information Exchange (NGA 2011); Policy Solutions for Advancing Interstate Health Information Exchange (NGA 2009); An Integrated Standard of Care for Healthcare Information Security (AHLA 2005); Electronic Health Information: Security and Privacy Compliance under HIPAA (AHLA 2000)
- Special Assistant Attorney General to Washington State Health Care Authority, health care information issues related to HIPAA, HITECH, and related issues
- Privacy and Security Expert, ONC/OCR Comprehensive Campaign for Communication and Education About the HITECH Act (2010-2012); Consultant, ONC State Health Policy Consortium (2010-present); Technical Advisor, ONC Health Information Security and Privacy Collaboration (2005-2009)
- Executive Committee/Secretary, Washington State Bar Association Health Law Section (2012-present)
- Adjunct Faculty, University of Washington Information School (2008-2012); Oregon Health and Sciences University Division of Medical Informatics and Outcomes Research (2000-2003)

Our Agenda
- I Assume You Know at Least the Fundamentals of the Omnibus Rule
- September 23 is Less than Six Days Away
- Quick Basics of Terminology
- Scary Diagrams
- Business Associate Contract Pass-Along Problems
- A Few Sample Problems

You Think Organic Chemistry is Complicated? (diagram slide; image not reproduced)

A Few HITECH BA Chain Variations (diagram slide; image not reproduced)

Business Associate Terminology
Covered Entities (CE):
- Organizations directly involved in health claims transactions
- Any health care provider which gets paid electronically, health plans, health care clearinghouses
- Must have Business Associate Contract (BAC) with Business Associate
Business Associate (BA):
- Performs or assists in the performance of a function or activity involving the use or disclosure of PHI on behalf of a CE
- Claims processing or administration; data analysis, processing or administration; utilization review; billing; quality assurance; benefit management; practice management; repricing; IT services; security management and administration; legal, actuarial, accounting, consulting, etc. services to or for CE

Business Associate Terminology
Subcontractor:
- Any person to which BA delegates function, activity or service involving PHI which BA performs for a CE
- Defined as BA, required to have BAC with BA delegating function/activity/service
Conduit:
- Data transmission services only
- Hosting services are not conduits, even if data is well-encrypted and the service has no access to keys
- No BAC
Services Provider:
- A person which BA allows to obtain, use, disclose PHI for BA purposes
- No BAC
- Agreement to keep PHI confidential, only use/disclose PHI for BA purposes (or as required by law), report breaches of confidentiality

Business Associate Terminology
- Regulatory status is definitional
- If it does what a CE, BA or Subcontractor does, it's a CE, BA or Subcontractor
- Knowledge or intent are irrelevant
- Presence, absence or content of a contract is irrelevant

Business Associate Terminology: Long Chain Subcontracting
- Upstream: CE, or BA delegating function
- Downstream: BA to which function is delegated
- First tier BA: BA with direct delegation from CE
- Second tier BA: BA with direct delegation from first tier BA (and third, fourth tier, etc.)
- Lower tier BAs: BAs below first tier

Business Associate Terminology: Side Chain Services Providers
- BA retains organization to provide services to BA
- Not a BA/Subcontractor*
- BA Services Provider may use, disclose PHI for BA purposes
- BA Services Provider may use other parties to provide support/related services for BA purposes
- These parties are also not BAs
* Note: Same kind of services provider to CE is a BA

Pass-Along Problems 1. PHI Use/Disclosure Limitations for CE Functions, Activities, Services
- CE must pass along to First Tier BA:
  - General Privacy Rule limitations: required part of BAC
  - NOPP limitations (if any): implied, not required in BAC
  - Additional restrictions (if any): implied, not required in BAC
  - Minimum necessary policies (see below): implied, not required in BAC
- First Tier BA must pass along BAC limitations to Second Tier BA
- First Tier BA may add more stringent limitations to Downstream BAC
- Each Lower Tier BA must pass along limitations from Upstream BAC
- Each BA may add more stringent limitations to Downstream BAC

Pass-Along Problems 2. Individual Access/Accounting Timing and Format
- Long-chain relationships must ensure CE can comply with:
  - 30 day access response (permitted 60 day extension if PHI not maintained on-site by CE)
    - CE review for denial may be necessary
  - Requests for copies in specified electronic formats
  - 60 day response for accounting of disclosures (permitted 30 day extension if CE gives statement of reasons)
- BAC response requirements shorten with each link in the chain (permitted as "more stringent" requirement)

Pass-Along Problems 3. PHI Use/Disclosure Permissions for BA/Subcontractor Purposes
- Optional BAC provisions permitting Business Associates to use/disclose PHI for Business Associate management, administration, legal responsibilities, if required by law
- CE not required to include in BAC
- First and Lower Tier BAs not required to include in BAC even if CE permits ("more stringent")
- If not included, BAs below cutoff (BAC not including optional provisions) may not use/disclose PHI for e.g. legal services, audit, consultants, breach investigation, personnel matters (e.g. Security Rule sanctions enforcement), etc.

Pass-Along Problems 3. PHI Use/Disclosure Permissions for BA/Subcontractor Purposes
Example: First Tier BAC does not permit use/disclosure for BA purposes
- First Tier BA cannot disclose PHI to law firm
- Second Tier BA cannot disclose PHI to security services provider
- Third Tier BA cannot use third party hosting services
- Etc.

Pass-Along Problems 4. Minimum Necessary
"A covered entity's contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. See 45 CFR 164.504(e)(2)(i). Thus, a business associate contract must limit the business associate's uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity's minimum necessary policies and procedures..." OCR Health Information Privacy FAQ, http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/252.html
- All BAs have to comply with CE minimum necessary policies
- BAs (mostly) don't have the authority to adopt their own minimum necessary policies

Pass-Along Problems 4. Minimum Necessary
- Not a specifically required BAC provision
- Strongly implied: BA can't use/disclose PHI in a manner CE can't, and CE mostly can't use/disclose except under minimum necessary policy
- OCR BAC Sample: optional provisions
- Does the CE have minimum necessary policies and procedures?
- Are the CE's minimum necessary policies complete and intelligible?
- Do the CE's minimum necessary policies include purposes, positions, PHI scope consistent with BA services, functions, activities?
  - Both for CE purposes, and for BA administrative etc. purposes
  - E.g. physician practice outsources all EHR functions, has no need or policy for network administrator
- Note that professional services provider (e.g. audit, consulting, law firm) can define minimum necessary in request to CE but can't in request to BA

Pass-Along Problems 5. BAC Termination Problems
- How to coordinate termination of lower tiers?
- How does CE obtain return of PHI from lower tiers?
  - Lower tier BAC probably specifies that PHI will be returned to upstream BA upon termination
- Can lower tier BAC include permission to retain PHI if upstream BAC does not?
- Should CE have notice of lower tier BA retention?
- Can Services Providers retain PHI?
  - Can BA allow Services Provider to retain PHI?
  - Does retention provision have to be in BA/Services Provider agreement?

Pass-Along Problems 6. Breach Notification
- BAC required to specify reporting of security incidents, unauthorized use/disclosure of PHI, breaches
- Lower tier BACs probably specify that Downstream BA will notify Upstream BA
- Agreements with Services Providers must include requirement to report breach of confidentiality (not the same as a Breach Notification Rule breach?)
- Breach Notification Rule independently requires any BA to notify CE of breaches

Pass-Along Problems 6. Breach Notification
- First Tier BA has regulatory and contract requirement to notify CE
- Second Tier BA has regulatory requirement to notify CE, and contract requirement to notify First Tier BA
- Third Tier BA has regulatory requirement to notify CE, and contract requirement to notify Second Tier BA
- Etc.

Pass-Along Problems 6. Breach Notification
- Breach Notification Rule specifies that the CE (or its "designee") has the authority to determine if an unauthorized use/disclosure is a breach
  - Even though BAs must report breaches?
- Under some conditions both CE and BA may have state law breach notification obligations
- BA must notify CE with no unreasonable delay, maximum 60 days from when it knew/should have known of breach
- CE must notify individuals, OCR (if more than 500 affected individuals) with no unreasonable delay, maximum 60 days from when it knew/should have known of breach
  - CE imputed BA knowledge if BA is CE agent under federal common law
- State laws typically require maximum 60 days notice
- BAC response requirements shorten with each link in the chain
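The timing interaction on this slide (each BA's 60-day regulatory clock, the CE's own 60-day clock, and knowledge imputed to the CE when the BA is its agent) is easiest to see as dates. The Python below is an added illustration and is not part of the presentation or the author's material. It assumes a constructed three-tier chain, assumes worst-case behaviour (every party notifies on the last day its contract allows), and extends the agency imputation the slide states for the CE/BA link to every link in the chain, which is an assumption. It shows why contractual notice windows have to shorten with each link: a first-tier BA that is the CE's agent and keeps a full 60-day contractual window leaves the CE zero days to notify individuals, whereas shortening that window to 30 days restores 30 days of headroom.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Breach Notification Rule outer limit stated on the slide: no unreasonable delay,
# at most 60 days from when the party knew or should have known of the breach.
REG_MAX_DAYS = 60


@dataclass
class Link:
    """One contractual link: a downstream party and its notice duty to its upstream party."""
    downstream: str
    upstream: str
    notice_days: int   # contractual maximum days for downstream to notify upstream
    is_agent: bool     # downstream is upstream's agent, so upstream is deemed to know what it knows


def breach_timeline(links, discovered_iso):
    """Walk a BA chain from the party that discovered the breach up to the CE.

    links: ordered from the discovering party's link up to the link whose upstream is the CE.
    discovered_iso: ISO date on which the lowest-tier party discovered the breach.
    Returns deemed-knowledge dates, each party's deadline to notify its upstream,
    worst-case actual receipt dates, the CE's deadline to notify individuals, and the
    CE's headroom in days (zero or negative means the contract chain leaves it no time).
    """
    discovered = date.fromisoformat(discovered_iso)
    first = links[0].downstream
    knowledge = {first: discovered}   # date each party is deemed to know (its regulatory clock start)
    received = {first: discovered}    # worst-case date each party actually receives notice
    deadlines = {}
    for link in links:
        # A contract may shorten the window but cannot extend it past the regulatory cap.
        window = min(link.notice_days, REG_MAX_DAYS)
        deadlines[link.downstream] = knowledge[link.downstream] + timedelta(days=window)
        # Worst case: downstream waits until its deadline, or forwards at once if notified late.
        received[link.upstream] = max(received[link.downstream], deadlines[link.downstream])
        # Assumption: agency imputation applies at every link, not only CE/BA.
        knowledge[link.upstream] = knowledge[link.downstream] if link.is_agent else received[link.upstream]
    ce = links[-1].upstream
    ce_deadline = knowledge[ce] + timedelta(days=REG_MAX_DAYS)
    return {
        "knowledge": knowledge,
        "deadlines": deadlines,
        "received": received,
        "ce_deadline": ce_deadline,
        "headroom_days": (ce_deadline - received[ce]).days,
    }


# Constructed scenario: first-tier BA is the CE's agent on a full 60-day contractual window;
# the lower tiers are independent contractors on 30-day windows.
EXAMPLE_CHAIN = [
    Link("third-tier BA", "second-tier BA", notice_days=30, is_agent=False),
    Link("second-tier BA", "first-tier BA", notice_days=30, is_agent=False),
    Link("first-tier BA", "CE", notice_days=60, is_agent=True),
]

# Same chain with the first-tier window shortened, as the slide recommends.
SHORTENED_CHAIN = [
    Link("third-tier BA", "second-tier BA", notice_days=30, is_agent=False),
    Link("second-tier BA", "first-tier BA", notice_days=30, is_agent=False),
    Link("first-tier BA", "CE", notice_days=30, is_agent=True),
]


if __name__ == "__main__":
    for label, chain in (("60-day first tier", EXAMPLE_CHAIN), ("30-day first tier", SHORTENED_CHAIN)):
        result = breach_timeline(chain, "2013-09-23")
        print(f"--- {label} ---")
        for party, deadline in result["deadlines"].items():
            print(f"{party:15s} must notify upstream by {deadline}")
        print(f"CE deemed to know on {result['knowledge']['CE']}, must notify individuals by {result['ce_deadline']}")
        print(f"CE worst-case receipt {result['received']['CE']}, headroom {result['headroom_days']} days")
```

Running it with a breach discovered by the third-tier BA on 2013-09-23 gives the CE a deemed-knowledge date of 2013-11-22 in both scenarios (imputed from its agent), and therefore an individual-notification deadline of 2014-01-21; with the 60-day first-tier window the CE's worst-case receipt is also 2014-01-21 (headroom 0), with the 30-day window it is 2013-12-22 (headroom 30).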

Contract to Pass Along in These Variations: Bundled IT Service Provider BA with multiple Subcontractor Chains and Side Chains (diagram slide; image not reproduced)

Contract to Pass Along in These Variations: Multi-Services QIO with Multiple CEs Using Various Services Provided through multiple Subcontractor Chains, with Side Chains (diagram slide; image not reproduced)

Contract to Pass Along in These Variations: HIO Providing Multiple Services to Open Community of CEs and BAs Using Various Services Provided through Multiple Subcontractor Chains, with Side Chains (diagram slide; image not reproduced)

Contract to Pass Along in These Variations: External Audit and Legal BAs, with Support Subcontractors, Reviewing Health Plan Compliance Issues (diagram slide; image not reproduced)

How to Solve These Problems (slide content not reproduced)

If That Doesn't Work... (slide content not reproduced)

Questions? Answers? Thanks!