A Professional Corporation Stinson, Mag & Fizzell (402) 342-1700 Business Associates 101 Jennifer Wolfe Jerram, B.S.N., J.D.

Presentation transcript:

Business Associates 101
Jennifer Wolfe Jerram, B.S.N., J.D.
HIPAA Privacy

Where to look in the regulations:
Business Associate - Defined
§ : Federal Register, p
Preamble – pp
Comments – p

Where to look in the regulations:
Business Associate - Disclosure Standard
§ (e); Federal Register, p
Preamble – p
Comments – pp

Where to look in the regulations:
Business Associate - Contract Requirements
§ (e): Federal Register, pp
Preamble – pp
Comments – pp

Who is a Business Associate?
A party who will be governed indirectly by portions of the HIPAA privacy regulations by virtue of his/her/its contractual obligations to covered entities.

Who are your Business Associates?
separate groups under the regulations

Who are your Business Associates?
1st Group: Relationship with Covered Entity
A person or entity who performs or assists in the performance of a function or activity involving the use or disclosure of PHI on behalf of the Covered Entity.

Who are your Business Associates?
Examples include:
- Claims processing
- Data analysis
- UR
- QA
- Billing
- Others

Who are your Business Associates?
2nd Group: Listed Functions
A person or entity who provides certain identified services to the Covered Entity, where the provision of services involves disclosure of PHI.

Who are your Business Associates?
Services Identified in Privacy Regulations:
- legal
- actuarial
- accounting
- consulting
- data aggregation
- management
- administrative
- accreditation
- financial services
end of list - no others

Business Associates
- Members of your workforce are not your Business Associates
- Covered Entities can be Business Associates of other Covered Entities

Business Associates
What’s in a Name?
- Business Partner – proposed privacy regulations
- Trading Partner – code sets and transactions
- Chain of Trust Agreements – proposed security standards

How to Identify your Business Associates:
- Education
- Survey tools
- Inventory existing contracts

How to Identify your Business Associates (cont’d):
- Who has authority to execute contracts? (don’t forget satellite locations, affiliated entities)
- Where are existing contracts kept?
- How many oral contracts are “out there?”
- Are you the Covered Entity or the Business Associate?

Always ask this question:
Is the use/disclosure of PHI really necessary?

Now, let’s complicate things:
Is the use/disclosure of PHI necessary for the B/A to carry out its own function, or is the B/A carrying out a function on behalf of the C/E?

Disclosures to Business Associates
Disclosure to a B/A is an exception to the general rule under HIPAA: no use/disclosure unless there’s an exception in the regulations.

Disclosures to Business Associates
A C/E may disclose PHI to a B/A and may allow a B/A to create or receive PHI on its behalf, if the C/E obtains satisfactory assurance that the B/A will appropriately safeguard the PHI.

“SATISFACTORY ASSURANCE”

Disclosures to Business Associates
“Satisfactory Assurance” requires a written contract or other written agreement or arrangement with the B/A that meets the requirements of § (e)

Requirements under § (e)
- Establish the B/A’s permitted/required uses and disclosures of PHI
- Contract may not authorize the B/A to use/further disclose PHI in a manner that would violate the regulations if done by the C/E
- Has the C/E agreed to any restrictions on its own uses/disclosures?

§ (e)
B/A Contract must provide that the B/A will:
- Not use/further disclose PHI other than as permitted/required by the contract or as required by law;
- Use “appropriate safeguards” to prevent use/disclosure of PHI other than as provided for by its contract.

§ (e)
B/A Contract must provide that the B/A will: (cont’d)
- Report to the C/E any use/disclosure of PHI not provided for by its contract;
- Ensure that any agents, including subcontractors, agree to the same restrictions;

§ (e)
B/A Contract must provide that the B/A will: (cont’d)
- Make PHI available in accordance with § (access to individuals);
- Make PHI available for amendment and incorporate any amendments in accordance with § ;

§ (e)
B/A Contract must provide that the B/A will: (cont’d)
- Make available the information required for the C/E to provide an accounting of disclosures pursuant to § ;
- Make its internal practices, books and records relating to use/disclosure of PHI available to the HHS Secretary;

§ (e)
B/A Contract must provide that the B/A will: (cont’d)
- Return or destroy all PHI upon termination of the contract – if not feasible to return/destroy, then the contractual protections must be extended to limit any further uses/disclosures;

§ (e)
B/A Contract must provide that the B/A will: (cont’d)
- Authorize termination of the contract by the C/E if the C/E determines that the B/A has violated a material term of the contract; and

B/A Contract should also provide that the B/A will: (cont’d)
- Retain records for 6 years (enables the C/E to comply with its own duties under Individual Rights)

A Welcome Change from the Proposed Regulations
Intended Third Party Beneficiary clause is NOT required under final privacy regulations

Business Associate contracts MAY permit:
The B/A to use/disclose PHI for the proper management and administration of the B/A or to carry out the legal responsibilities of the B/A.

Business Associate contracts
If you are the B/A, you might want to include this permissible provision.

Covered Entity’s Compliance
C/E is NOT in compliance with § (e) if:
The C/E knew of a pattern of activity or practice of the B/A that constituted a breach – unless the C/E took “reasonable steps” to cure the breach.

Covered Entity’s Compliance
If the C/E’s “reasonable steps” were unsuccessful, the C/E must:
- Terminate the contract; or
- If termination is not feasible, report the problem to the HHS Secretary.

Covered Entity’s Compliance
What does this mean?
- C/E must have knowledge of the breach
- C/E is liable if it fails to respond (cure, terminate and/or report)

Steps to Compliance
Identify potential B/A situations.
- Are you the C/E?
- Are you the B/A?
- Is PHI really necessary?

Steps to Compliance
Is a B/A contract required?
- Is there already a contract in place?
- When/how does it terminate?
- What is required to amend it?

Steps to Compliance
- Privacy Addendum
- Whole new agreement
- Placeholder language
- Individualize B/A requirements as needed

Steps to Compliance
Coordinate with Security/Code Sets Compliance Efforts

Steps to Compliance
JOIN THE NE-SNIP PRIVACY WORK GROUP!