Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Academic year: 2021


(1)

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

(2)

Today’s eLunch Presenters

• Marion Goldberg, Health Care, Washington, D.C., mgoldberg@winston.com
• Tom Mills, Health Care, Washington, D.C., tmills@winston.com

(3)

Covered Entity

• Health Plan
• Health Care Clearinghouse
• Health Care Provider that engages in electronic

(4)

Prior to the HITECH Act

• Business Associates were not in the HIPAA statute
• HHS invented the Business Associate so that Covered Entities could not wiggle out of HIPAA obligations by contracting out services

(5)

Prior to the HITECH Act

• Under HIPAA regulations: a Covered Entity was required to enter into a Business Associate contract with its Business Associates
• Business Associate contract = Business Associate Agreement (“BAA”)
• If the BAA met all regulatory requirements, the Covered Entity did not have liability for acts (or omissions) of its Business Associate
• Compliant BAA

(6)

HITECH Act - 2009

• HITECH Act brought Business Associates under most HIPAA requirements
• New regulations: Requirements also apply to subcontractors (Business Associates of Business Associates)

(7)

Business Associate – Post HITECH Act

• Becomes a Business Associate by definition, not by contract
• Liability attaches when the entity meets the definition of Business Associate

(8)

Business Associates

• Need to know who are your Business Associates
• Need to know if you are a Business Associate

(9)

What is a Business Associate?

• Provides services for or on behalf of a Covered Entity
• Creates, receives, maintains, or transmits protected health information
• For a function or activity regulated by the HIPAA privacy

(10)

What is a Business Associate Post HITECH Act?

• Provides services to or for a covered entity that involves the disclosure of PHI from the Covered Entity or another Business Associate:
  • legal
  • actuarial
  • accounting
  • consulting
  • data aggregation
  • management
  • administrative

(11)

What is a Business Associate Post HITECH Act?

• A Health Information Organization
• E-prescribing Gateway, or other provider of data transmission services
• Provider of a personal health record on behalf of a covered entity

(12)

What is a Business Associate Post HITECH Act?

• claims processing or administration
• data analysis, processing, or administration
• utilization review
• quality assurance
• patient safety activities
• billing
• benefit management

(13)

What is a Business Associate Post HITECH Act?

• Shredding company
• Copier repair company if copier retains PHI
• Record storage company
• Cloud storage company
• Bank other than for check clearing and credit card services

(14)

What is a Business Associate Post HITECH Act?

• Subcontractor of a Business Associate
• Subcontractor of a subcontracted Business Associate, all the way downstream

(15)

Who is not a Business Associate?

• A health care provider who receives disclosures from a covered entity concerning the treatment of the individual
• A plan sponsor who receives disclosures from a group health plan (or health insurance issuer or HMO) if the disclosures comply with HIPAA

(16)

Who is not a Business Associate?

• A government agency that receives PHI to determine eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting PHI for these purposes as permitted by HIPAA

(17)

Who is not a Business Associate?

• A conduit
  • Post Office
  • FedEx
  • UPS
  • Local courier service
• Bank that provides check clearing
• Credit card company

(18)

Business Associates

• Must have a Business Associate Agreement
• Covered Entity gets BAA with its Business Associates
• Business Associates (not Covered Entities) get BAA with subcontractors, who are now Business Associates (all the way downstream)

(21)

Liability for Business Associates

• A Covered Entity is liable for the acts (and omissions) of its Business Associate AND
• A Business Associate is liable for the acts (and omissions) of its Business Associate IF
• The Business Associate is an agent of the Covered Entity or contracting Business Associate

(22)

Liability for Business Associates

• But only liability for the Business Associate with whom you contract, not the downstream Business Associate(s)

(23)

Liability for Business Associates

• No exception for a compliant BAA, and no exception for lack of knowledge

(24)

Liability for Business Associates

• So, Covered Entities and Business Associates must

(25)

Federal Common Law of Agency

• Problem: no Federal common law of agency for HIPAA
• Guidance from HHS in the preamble to the January 25, 2013 regulations
• Fact specific – taking into account the totality of the

(26)

Business Associates - Agency

• Essential factor – whether the Covered Entity has the right to control the Business Associate’s conduct in performing the service

(27)

Business Associate – Agency - Control

• Authority of the Covered Entity to give interim instructions or directions
• Whether the Covered Entity can direct how the work is done
• Whether the BAA requires the Business Associate to make PHI available based on instructions from the Covered Entity
• Doesn’t matter if Covered Entity has exercised the

(28)

Business Associates – Agency Control

• Indication of lack of control if the only avenue for control is to sue for breach of contract or amend the contract

(29)

Scope of Agency

• Time, place and purpose of the Business Associate’s conduct
• Whether a Business Associate engaged in a course of conduct subject to the Covered Entity’s control
• Whether the Business Associate's conduct is commonly done by a Business Associate to accomplish the service performed on behalf of the Covered Entity
• Whether or not the Covered Entity reasonably expected the Business Associate would engage in the conduct in question

(30)

Business Associates – Agency Control

• Skill required – the greater the skill, the less likelihood of control
• Example – small Covered Entity hires Business Associate to de-identify PHI
  • Not likely the Covered Entity has the skill to give interim

(32)

Business Associate – Agency Control

• Nature of Services
  • No agency relationship likely if the Covered Entity is legally or otherwise prevented from performing the service
  • Covered entity cannot perform the activities of The Joint Commission or other accrediting organization
• BUT
  • If the Covered Entity contracts out or delegates an obligation under HIPAA to a service vendor, the vendor is likely an agent (but depends on the ability to control the

(33)

Business Associates - Agency

• Not likely an agency relationship
  • Accounting services
  • Legal services

(34)

Business Associates - Agency

• Likely an agency relationship
  • Billing services
  • Cleaning service

(35)

Business Associates - Agency

• Scope of Agency
  • Agent must be acting within the scope of the agency
  • Agency relationship may exist even if the Covered Entity does not retain the right or authority to control every aspect of the Business Associate’s activities
• Factors
  • Time, place and purpose of agent’s conduct
  • Whether engaged in a course of conduct subject to the Covered Entity’s control
  • Whether conduct is commonly performed by an agent to accomplish the service

(36)

Business Associates - Agency

• Can be an agent even if:
  • Covered Entity does not retain the right or authority to control every aspect of the Business Associate’s activities
  • Covered Entity does not exercise the right of control but it holds the authority to exercise that right
  • The Covered Entity and Business Associate are a distance

(37)

Business Associates - Agency

• Covered Entity is only liable for conduct of the Business Associate that is within the scope of the agency
• But the conduct is within the scope of the agency if the conduct occurs during the performance of the assigned task or incident to the task, regardless of carelessness, a mistake, or the Business Associate disregarding an instruction
• A Covered Entity would be liable for an impermissible disclosure of PHI by a Business Associate even if the disclosure was contrary to clear instructions

(38)

Business Associate - Agency

• Outside scope of the agency
  • If conduct is solely for the benefit of the Business Associate or a third party
  • If course of conduct is not intended to serve any purpose of

(39)

Security Rule Obligations

• Ensure the confidentiality, integrity and availability of PHI
• Protect against any reasonably anticipated threats or hazards to the security or integrity of PHI
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule

(40)

Security Rule Obligations

• Business Associates must comply with safeguards for electronic PHI:
  • Administrative Safeguards
  • Physical Safeguards

(41)

Security Rule Obligations

• Business Associate must take into account:
  • Business Associate’s size, complexity, and capabilities of the covered entity or business associate
  • Business associate’s technical infrastructure, hardware, and software security capabilities
  • The costs of security measures
  • The probability and criticality of potential risks to

(42)

Security Rule Obligations

• Appoint a Security Official
• Security policies and procedures
• Conduct a risk analysis

(43)

Security Rule Obligations

• Employee training
• Document compliance
• Business Associate Agreement with Business

(44)

Business Associates – Privacy Rule

• Required disclosures
  • As required by law
  • To the Secretary of HHS to evaluate compliance by a Covered Entity or Business Associate
  • To the Covered Entity
  • To the Individual or Individual’s designee to respond to a request for access to the individual’s PHI or a request for electronic PHI

(45)

Business Associate Uses and Disclosures

• As permitted by the Business Associate Agreement
• Business Associate cannot benefit from uses and disclosures

(46)

Business Associates – Privacy Rule

• Restrictions on Use or Disclosure
  • Sale of PHI

(47)

Minimum Necessary Standard

• Only the minimum necessary to accomplish the task
• Applies to uses and disclosures
• One exception – treatment
• Business Associate must comply with the Covered Entity’s minimum necessary standards and the Business Associate Agreement
• Be careful of what you provide; you can always

(48)

Business Associate Reporting

• Must report own and subcontractors’ breaches to

(49)

Business Associate Agreement Grandfather

• If BAA in effect prior to January 25, 2013, have until the earlier of a renewal or amendment of the underlying agreement or September 22, 2014
• Otherwise, the earlier of a renewal or amendment of the underlying agreement or September 23, 2013
• Evergreen contract renewal is not deemed a renewal

(50)

Business Associate Agreement Grandfather

• Just applies to the need to enter into a new agreement
• Does not affect requirement to comply with the

(51)

Tiers of Violations – Tier 1

• For a violation in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the provision was violated
• Penalty $100 - $50,000 per violation

(52)

Tiers of Violations

Reasonable diligence means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.

(53)

Tiers of Violations – Tier 2

• Violation in which it is established that the violation was due to reasonable cause and not willful neglect
• Penalty $1,000 - $50,000 per violation

(54)

Tiers of Violations

Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.

(55)

Tiers of Violations

Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with a HIPAA provision.

(56)

Tiers of Violations – Tier 3

• Violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred
• Penalty $10,000 - $50,000 per violation

(57)

Tiers of Violations – Tier 4

• For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred
• Penalty at least $50,000 per violation
• Annual maximum is $1,500,000

(58)

How to count violations

• Varies
• Multiple individuals – number of individuals
• Occurs over time period – number of days
• If impermissible disclosure and safeguards violation, two separate violations times number of individuals/days

(59)

Factors in determining penalty

• Nature and extent of violation (including number of individuals)
• Nature and extent of the harm (financial, reputational, physical)
• History of prior compliance
• Financial condition (both that may have hindered compliance and regarding the penalty)
• OCR has discretion

(60)

What is a Breach?

• Unauthorized use or disclosure that compromises

(61)

Breach Notification

• Most improper disclosures will have to be disclosed
• Harm standard no longer applies

(62)

Breach Notification

• If there is improper use or disclosure, a breach is presumed unless it can be shown that there is a low probability the PHI has been compromised
• Burden is on Covered Entity or Business Associate to

(63)

Breach Notification

• If the information may relate to multiple covered

(64)

Breach Notification Risk Assessment

• Factors
  • Type of information
  • Amount of information
  • Who received it
  • Whether it can be identified
  • How it could be used

(65)

Breach Notification Timing

• Without unreasonable delay but not more than 60 days
• Timing begins when anyone in the workforce knows or should have known of the breach
• If breach is by a Business Associate, beginning of notice period depends on whether Business Associate is an agent (lots of legalese)

(66)

Breach Notification

• To each affected Individual
• To the Secretary of HHS – if 500 or more individuals involved (she posts the breach on her web site)
• To the media – if more than 500 residents in one

(67)

Breach Notifications – 500+ by Type

• Theft 51%
• Unauthorized Access/Disclosure 20%
• Loss 14%
• Hacking/IT Incident 7%
• Improper Disposal 5%
• Unknown 3%

(68)

Breach Notification – 500+ Breaches by Location of Breach

• Laptop 23%
• Paper Records 22%
• Desktop Computer 15%
• Portable Electronic Device 14%
• Network Server 11%
• Other 10%
• Email 3%
