Functioning as a Business Associate Under HIPAA William F. Tulloch Director, PCBA March 9, 2004.

Slides:



Advertisements
Similar presentations
H OGAN & H ARTSON, L.L.P.
Advertisements

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
NAU HIPAA Awareness Training
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
August 10, 2001 NESNIP PRIVACY WORKGROUP HIPAA’s Minimum Necessary Standard Presented by: Mildred L. Johnson, J.D.
Walking Through the Breach Notification Process - Beginning to End HIPAA COW Presentation and Panel April 8, 2011.
Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
Informed Consent and HIPAA Tim Noe Coordinating Center.
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.
HIPAA Trading Partners, Legal Relationships October 2, 2001 presented by Peter B. Goldstein, Esq. Cap Gemini Ernst & Young, US LLC.
HIPAA PRIVACY AND SECURITY AWARENESS.
“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.
Dealing with Business Associates Business Associates Business Associates are persons or organizations that on behalf of a covered entity: –Perform any.
Privacy and Security Laws for Health Care Organizations Presented by Robert J. Scott Scott & Scott, LLP
Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.
Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
Medical Law and Ethics, Third Edition Bonnie F. Fremgen Copyright ©2009 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved.
Building a Privacy Foundation. Setting the Standard for Privacy Health Insurance Portability and Accountability Act (HIPAA) Patient Bill of Rights Federal.
Advanced Issues in Privacy: Drafting and Negotiating Business Associate Contracts Thomas E. Jeffry, Jr. Partner Davis Wright Tremaine LLP Los Angeles,
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
Health Insurance Portability and Accountability Act of 1996 HIPAA Privacy Training for County Employees.
Understanding HIPAA (Health Insurandce Portability and Accountability Act)
PricewaterhouseCoopers 1 Administrative Simplification: Privacy Audioconference April 14, 2003 William R. Braithwaite, MD, PhD “Doctor HIPAA” HIPAA Today.
FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.
HIPAA BASIC TRAINING Presented by Anderson Health Information Systems, Inc.
HIPAA PRACTICAL APPLICATION WORKSHOP Orientation Module 1B Anderson Health Information Systems, Inc.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.
Rhonda Anderson, RHIA, President  …is a PROCESS, not a PROJECT 2.
A Professional Corporation Stinson, Mag & Fizzell (402) Business Associates 101 Jennifer Wolfe Jerram, B.S.N., J.D.
1 Privacy Plan of Action © HIPAA Pros 2002 All rights reserved.
HIPAA Certified LLC 1 6th National HIPAA Summit JCAHO and NCQA and HIPAA Business Associates Friday, March 28, 2003.
Lessons Learned from Recent HIPAA Breaches HHS Office for Civil Rights.
HIPAA Security Final Rule Overview
Top 10 Series Changes to HIPAA Devon Bernard AOPA Reimbursement Services Coordinator.
©2002 by the National Committee for Quality Assurance NCQA: HIPAA Business Associate Presentation to the 6th National HIPAA Summit March 28, 2003 Patricia.
HIPAA Overview Why do we need a federal rule on privacy? Privacy is a fundamental right Privacy can be defined as the ability of the individual to determine.
HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.
©2002 by the National Committee for Quality Assurance NCQA and HIPAA “A match made in ?” The Fifth National HIPAA Summit Sharon King Donohue, JD General.
AND CE-Prof, Inc. January 28, 2011 The Greater Chicago Dental Academy 1 Copyright CE-Prof, Inc
HIPAA: So You Think You’re Compliant September 1, 2011 Carolyn Heyman-Layne, J.D.
HIPAA CONFIDENTIALITY
HIPAA Administrative Simplification
Paul T. Smith Davis Wright Tremaine LLP
HIPAA PRIVACY RULE IMPLEMENTATION – WHAT’S UP AFTER 4/14/03?
Disability Services Agencies Briefing On HIPAA
HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.
Presentation to The Fourth National HIPAA Summit
HIPAA Security Standards Final Rule
Business Associate Contracts: Time Is Running Out . . .
Drew Hunt Network Security Analyst Valley Medical Center
HIPAA SECURITY RULE Copyright © 2008, 2006, 2004 by Saunders an imprint of Elsevier Inc. All rights reserved.
Enforcement and Policy Challenges in Health Information Privacy
Making Your IRBs and Clinical Investigators HIPAA-Ready
THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,
Presentation transcript:

Functioning as a Business Associate Under HIPAA William F. Tulloch Director, PCBA March 9, 2004

22 Background: JCAHO/NCQA and HIPAA JCAHO and NCQA are business associates to the organizations they accredit NCQA is also a researcher – using data gathered as a BA JCAHO and NCQA have developed the Privacy Certification for Business Associates (PCBA) program See BA issues from both sides

33 HIPAA Myths Business associates do not have to comply with the federal HIPAA regulations Business associates only have to have contracts with covered entities How many have heard these? How many believe it?

44 Why Comply with HIPAA? Enforcement Issue –Federal government may not enforce BA compliance, but states that adopt the federal regulations as the standard of care are likely to apply them to all organizations PR Issue –Public breaches of privacy or security could damage or destroy a company’s reputation Business Issue –Covered entities need partners they can trust Not to mention – it’s the right thing to do!

55 How to Comply with HIPAA? According to the Privacy and Security regulations: –Business associates have to provide “satisfactory assurances” that they will “appropriately safeguard” PHI (45 CFR (b) (1) and 45 CFR (e) (1)) In both cases, specific BA provisions are scarce –Include establishing allowable uses and disclosures, implementing “appropriate safeguards,” reporting breaches to the covered entity, ensuring agents and subcontractors follow suit and cooperating with investigations

66 What Do BA Requirements Really Require? Terminology is vague, definitions may come in the future Must determine on our own the reasonable steps for a BA to take to work effectively with covered entities HIPAA regulations can be expected to create minimum “best practices” that all organizations can be expected to follow What to do?

77 Privacy Certification for Business Associates A joint initiative of NCQA and JCAHO A voluntary, private evaluation mechanism to provide business associates with a method of demonstrating satisfactory assurances of PHI protections to covered entities

88 Proposed Standards Closely track HIPAA privacy regulations Also include security requirements required by privacy Developed with input from multistakeholder Advisory Committee Categories include: –Administration –Use and Disclosure –Individual Rights

99 Use the Same Framework In creating our program, we asked the questions: –How can the BA “back-up” the provisions of the BA contract? –What areas of a BA/covered entity relationship not addressed in the contract? –What processes must BAs have, no matter –How do you comply with differing covered entity requirements? –To what standard do you hold BAs?

10 Basic BA Requirements Create infrastructure for PHI protection Determine routine business needs involving use, disclosure and storage of PHI Implement policies, procedures and processes for those routine business needs Coordinate with covered entities to determine unique needs Monitor, test, revise and refine processes over time BAs should be expected to meet same standards as covered entities, when performing the same functions

11 Creating Infrastructure Analyze business processes –Where is PHI coming in from covered entities? –How is PHI being transmitted to covered entities, agents, subcontractors and workforce members? –How/where is PHI stored? –Can PHI be inadvertently sent during routine business processes? Gaps? – close them Risk identified? – set up plan to deal with them

12 Creating Infrastructure - II Create Infrastructure to protect PHI –Determine documentation requirements for the BA’s processes –Set up physical and electronic access controls –Set oral PHI standards –Implement procedures for visitors –Create process to identify and mitigate PHI protection breaches –Set sanction policy for those breaches

13 Creating Infrastructure - III Train staff on general requirements –Overall PHI/HIPAA training –Include basic privacy and security –Explain why this affects your business –Include all workforce members Implement specific training –Based on role, type of PHI accessed, uses and disclosures of PHI needed –Tailor to departmental/unit needs Create reminder system

14 Setting Daily P&P Focus on areas of routine use and disclosure of PHI Establish policies, procedures and processes to handle Set minimum necessary standards for internal uses and disclosures to agents and subcontractors –May need to adapt for specific covered entity requirements

15 Authorizations Determine if any routine business needs require authorizations If so, work with covered entities – who is responsible for obtaining? If covered entity responsible, BA should set up process to check whether authorization in place before disclosing If BA responsible, create authorization form and process for ensuring they are obtained when needed

16 Consumer/Individual Rights Individuals can access PHI, and request amendments, restrictions, confidential communications and accountings of disclosures BAs, depending on business processes, will have to deal with at least some of these –Accountings of disclosures –Restrictions on use/disclosure agreed to by covered entity

17 Consumer/Individual Rights - II Analyze business processes –Does the BA contact consumers? May get requests directly – where do you send them? Confidential communications – how do you account for these? –How will restrictions on use and disclosure affect BA’s processes? Do you have a system to track and handle these – when agreed to by covered entity?

18 Consumer/Individual Rights - III Analyze business processes –Does the BA hold any portions of the designated record set? How will BA provide access? How will amendments be incorporated? How will amendment denials be incorporated? –Does the BA disclose PHI? How are disclosures tracked? How will accountings be generated?

19 Consumer/Individual Rights - IV Coordination is the Key –Work with covered entities to determine which organization is responsible for different aspects of consumer rights –Set up processes accordingly, remembering The covered entity could disappear tomorrow – what happens if the BA is the only holder of the PHI? Even if BA does not directly deal with consumers, covered entity decisions on restrictions, amendments and other rights can affect BA’s business

20 Contracts/Agreements Covered entities responsible for obtaining contracts/agreements BAs can help by internally tracking: –Are there existing covered entity clients/customers without contracts at all? –When are contracts up for renewal? Before or after April 2004? –Which covered entities have contacted the BA with a BA contract or addendum? Should the BA have its own contract?

21 Contracts/Agreements - II Study contract provisions –Are there any that will interfere with routine business operations? –Are there other options to provide same protection but streamline BA’s processes? –Are there areas covered entity should have included but didn’t? Set up system to alert staff to specific covered entity requirements

22 Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.