COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements

Page 2: Agenda

- Overview and Background of the HIPAA Omnibus Final Rule
- Compliance Issues and Practical Solutions for Business Associates and Subcontractors
- Questions and Answers

Copyright © 2013, Strategic Management Services, LLC. All Rights Reserved. www.compliance.com 703-683-9600

Page 3: OVERVIEW AND COMPLIANCE ISSUES

Page 4: HIPAA Omnibus Final Rule

The HIPAA Omnibus Final Rule, which had a compliance date of September 23, 2013, made significant modifications to the following areas of relevance to business associates and subcontractors:

- Business associate (BA) definition and liabilities
- Business associate agreements (BAAs)
- Breach notification
- Enforcement

Page 5: Business Associate Definition

Under the Omnibus Final Rule, a BA is defined as a person who “creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity (CE).”

The Omnibus Final Rule clarifies that the following additional entities fall under the definition of BA:

- Patient safety organizations
- Health information organizations
- E-prescribing gateways
- Vendors of personal health records
- Any person/entity that provides data transmission services to a CE and requires routine access to the PHI
- Any person/entity that stores or maintains PHI on behalf of a CE, whether or not they routinely access the PHI

Page 6: Business Associate Liability

The Omnibus Final Rule extends direct liability to BAs for compliance with the HIPAA Security Rule and certain Privacy Rule provisions. BAs must:

- Develop policies and procedures.
- Conduct a risk analysis.
- Train members of the workforce on their responsibilities under HIPAA.
- Provide breach notification to covered entities.
- Sign subcontractor business associate agreements (subcontractor BAAs) with subcontractors.

Page 7: Subcontractors

Under the Omnibus Final Rule, a subcontractor is defined as a person to whom a BA delegates a function, activity or service that involves PHI and that was initially delegated to the BA by the CE.

- Subcontractors have the same responsibilities and liabilities as the BA.
- These responsibilities and liabilities are defined through the subcontractor BAA.

Page 8: Business Associate Agreements

- A CE must execute a BAA with each of its BAs.
- A BA must execute a subcontractor BAA with each of its subcontractors.
- The Omnibus Final Rule requires that CEs and BAs update their BAAs to include additional content.
  - General deadline: September 23, 2013. Applies to BAAs that were executed after January 25, 2013, or were renewed or modified between March 26, 2013 and September 23, 2013.
  - Transition Rule deadline: September 22, 2014. Applies to BAAs that were in effect prior to January 25, 2013 and were not renewed or modified between March 26, 2013 and September 23, 2013.

Page 9: PRACTICAL SOLUTIONS

Page 10: Contract Management Process

[Diagram: Contract Management Process]

Page 11: PRACTICAL SOLUTIONS FOR CONTRACT PLANNING

Page 12: Contract Planning

- Have you reviewed your arrangements with third parties to identify those that are subject to HIPAA? Does the arrangement involve the creation, receipt, maintenance or transmission of PHI on behalf of a CE?
- Have you determined your role in each covered arrangement? Are you a BA or a subcontractor?

Page 13: Arrangements

[Diagram: arrangements between a Covered Entity, Business Associates and Subcontractors (labels: Covered Entity, Business Associate, Business Associate, Subcontractor, Subcontractor A, Subcontractor B)]

Page 14: Contract Planning

- Have you reviewed your existing subcontractor BAAs to determine the compliance deadline to which they are subject?
  - September 23, 2013 (General)
  - September 22, 2014 (Transition Rule)
- Have you prioritized your existing subcontractor BAAs to update those that do not qualify for the Transition Rule first?

Page 15: Contract Planning

Prioritize your contracts

[Diagram: contract types to evaluate (Multi-Year, Automatic Renewals, Evergreen) against the September 23, 2013 and September 22, 2014 deadlines]

Page 16: Contract Planning

- How will you ensure the most up-to-date version of the BAA/subcontractor BAA is used? Where is it stored? Do the appropriate people know how/where to access it?
- Who is authorized to sign BAAs/subcontractor BAAs on behalf of your organization?
- Who is responsible for tracking and maintaining signed BAAs/subcontractor BAAs? How are they logged? Where are they stored? How are expiration dates tracked?
- Who is responsible for updating contracts pursuant to regulatory or organizational changes?

Page 17: Contract Planning

- Delegate: Develop a Remediation Team
  - Contracting Representative
  - Privacy Officer
  - Security Officer
  - Compliance Officer
  - Legal Representative
  - Create a work plan
- Implement: Execute your work plan

Page 18: Sample Work Plan

Remediation Work Plan

Task | Timeframe | Personnel Assigned | Status
Create and/or revise BAA/subcontractor BAA template | Day 1-15 | |
Identify existing BAAs/subcontractor BAAs | Day 1-15 | |
Renegotiate existing BAAs/subcontractor BAAs | Day 15-30 | |
Create BAA Policy/Subcontractor BAA Policy | Day 30 and beyond | |

Page 19: BAA/Subcontractor BAA Policy

- Privacy and Security requirements
- State requirements
- Procedures related to:
  - Determination of business associate/subcontractor status
  - Initiation of business associate/subcontractor status
  - Tracking and Maintenance of BAA/subcontractor BAA
- Template

Page 20: PRACTICAL SOLUTIONS FOR CONTRACT DEVELOPMENT

Page 21: Contract Development

Have you incorporated the following into your BAAs/subcontractor BAAs?

Omnibus Final Rule Requirements. BAAs must contain language requiring the BA or subcontractor to:

- Comply with the Security Rule;
- Report breaches to the CE in accordance with breach notification rules;
- Ensure subcontractors agree to the same restrictions that apply to BAs with respect to PHI; and
- Comply with any Privacy Rule requirements applicable to the CE in the performance of the service.

HHS Sample BAA Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Page 22: Contract Development

Have you incorporated the following into your BAAs/subcontractor BAAs?

Applicable state laws. Have you…

- Conducted a preemption analysis?
- Determined which state laws are more stringent than HIPAA?
- In each case, included the more stringent law in the subcontractor BAA?
- Reviewed state definitions of “protected” or “sensitive” health information?

Examples: California, Texas

Page 23: Additional Tips

Beyond HIPAA/State Laws – additional elements to include in BAAs/subcontractor BAAs:

- All requirements contained in the BAA your organization signed with the CE
- Contract expiration date
- Data breach notification requirements
  - Timeliness
  - Response and reporting
- Restrictions related to subcontracting
- Training requirements
- Policies and procedures
- Indemnification/reimbursement of incident response costs

Page 24: PRACTICAL SOLUTIONS FOR CONTRACT EXECUTION

Page 25: Contract Execution

How do you ensure that…

- Your organization is in compliance with the terms of the BAAs/subcontractor BAAs it has signed with upstream entities?
- Your BAs/subcontractors are in compliance with the terms of the BAAs/subcontractor BAAs they have signed with your organization?

Page 26: Contract Execution

Audits of BAs and subcontractors

- Internal Assessments
  - Verify compliance with BAA/Subcontractor BAA Policy
  - Verify compliance with HIPAA privacy and security requirements
  - Verify compliance with risk analysis
  - Maintenance of documentation
- External Assessments
  - Request BAs' and subcontractors' policies and procedures with respect to privacy and security of PHI, e.g. Breach Notification Policy
  - Request BA or subcontractor to demonstrate how it will respond to an Office for Civil Rights investigation
  - Request training updates: date of last training, training content, percent completion

Page 27: STRATEGIC MANAGEMENT HIPAA SERVICES FOR BUSINESS ASSOCIATES & SUBCONTRACTORS

Page 28: Strategic Management Services HIPAA Services for Business Associates and Subcontractors

- State Regulatory Analyses
- Policy and Procedures
- Risk Assessments
- Gap Analysis
- Training
- Advisory Services
- Auditing and Monitoring

Page 29: Take Home Message

- Prioritize
- Delegate
- Implement

Page 30: Contact Information

- Betta Sherman, MPP, CHC, Senior Associate [email protected]
- Camella Boateng, MPH, CHC, Vice President [email protected]
- Suzanne Charleston, Vice President of Business Development [email protected]