Joe Dylewski, Health Care Management

Business Associate HIPAA Compliance Impact on the Business Associate and Covered Entities

May 11, 2015

Transcript
Page 1: Business Associate HIPAA Compliance   Impact on the Business Associate and Covered Entities

Joe Dylewski, Health Care Management

© 2012 Health Care Management

Page 2

Agenda

▪ HIPAA, HITECH, and The Business Associate
▪ Relationships with Healthcare Entities and Medical Practices
▪ Next Steps
▪ Summary and Q/A

Page 3

MSPs

MSSPs

IT Service Providers

600K +

Page 4

▪ Defining the “certain functions or activities”
▪ Disclosures
▪ Services
▪ Reasonable and Appropriate Safeguards

Page 5

HIPAA
▪ Title II: Administrative Simplification
  ▪ Electronic Data Interchange (Transaction and Code Sets)
  ▪ Privacy Rule
  ▪ Security Rule
    ▪ Administrative Safeguards: 45 CFR 164.308
    ▪ Physical Safeguards: 45 CFR 164.310
    ▪ Technical Safeguards: 45 CFR 164.312

Page 6

What is HITECH?

HITECH - The Health Information Technology for Economic Recovery and Reinvestment Act of 2009

▪ Meaningful Use
▪ Education
▪ HIPAA Enforcement

Page 7

What changed relative to HIPAA?

▪ Physician Attestation for Meaningful Use
▪ Improved Enforcement
▪ HIPAA ignorance no longer tolerated
▪ Business Associates now have the same HIPAA responsibilities as the Covered Entities they service

Page 8

Key Statistics

Category                          Total Breaches   No BA Involved   BA Involved
Percent of Total                  100%             79%              21%
Total Individuals Affected        21,021,132       8,917,133        12,103,999
Percent of Total                  100%             42%              58%
Average Individuals per Breach    43,076           23,101           118,667

Source: U.S. Department of Health and Human Services HIPAA Breach Notifications – September 2009 to May 2012. © 2011 ATMP Solutions

Page 9

HIPAA violation categories (penalty tiers):

▪ “By exercising reasonable diligence would not have known”
▪ “Due to Reasonable Cause and not Willful Neglect”
▪ “Due to Willful Neglect if the violation is corrected”
▪ “Due to Willful Neglect if the violation is not corrected”

Increasing Degree of HIPAA Compliance Effort
Decreasing Degree of HIPAA Compliance Risk

Page 10

Business Associate relationship stages:

▪ No Business Associate Contract in place
▪ Business Associate Contract in place
▪ Business Associate is taking necessary steps to compliance
▪ Business Associate has conducted Risk Assessment
▪ Business Associate proof of HIPAA Compliance

Increasing Degree of HIPAA Compliance Effort by Covered Entity and Business Associate
Decreasing Degree of HIPAA Compliance Risk to Covered Entity

Page 11

Is the Covered Entity responsible for their Business Associate’s HIPAA Compliance, or vice versa? No

Is the Covered Entity responsible for engaging in relationships with HIPAA Compliant Business Associates? Yes

If the Business Associate claims HIPAA Compliance, does this imply that the Covered Entity is HIPAA Compliant? No

Page 12

Solution Compliance vs. Institutional Compliance

Electronic Medical Record example:
▪ Solution Compliance: HIPAA Compliant EMR Hosted in a HIPAA Compliant Facility
▪ Institutional Compliance: EMR Company HIPAA Compliance with respect to internal operating policies

Page 13

Diagram of the entities that handle health information (labels only): Private Cloud / Data Center, Health Information Exchange (HIE), EMR, Physician Practice, IT Services, Document Destruction, Insurance Company, Health System, Lab, DR Site


Page 16

Compliance

Privacy / Security

Policy Proof

Page 17

United States Department of Health and Human Services Office of Civil Rights

Individual state’s Office of The Attorney General

Page 18

Treat HIPAA compliance with the same degree of diligence and urgency as Accounting, Taxes, and the IRS

Start with a simple checklist of the areas that need to be addressed (a.k.a. a Risk Assessment)

Page 19

Questions and Answers

[email protected]
