Definition of “Business Associate” A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. United States Department of Health and Human Services Office of Civil Rights - [ 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] If you would like a copy of the law, send me an email.
Establish the permitted and required uses and disclosures of such information by the business associate.
The contract may permit the business associate to provide services relating to the health care operations of the covered entity.
Calls for the implementation of reasonable and appropriate administrative, physical, and technical safeguards to prevent use or disclosure of the information other than as provided for by its contract.
Appropriated funds to be provided as individual reimbursement to physicians who adopt and “meaningfully use” Electronic Medical Records.
Appropriated funds to educate the workforce in Health Information Technology.
Tightened guidelines and enforcement around HIPAA.
Add pictures (cement mixer). Add a picture of something that has changed – old style football versus new style football.
Physician Attestation for Meaningful Use: Meaningful Use measure #15 calls for a HIPAA Risk Assessment and Remediation.
Improved Enforcement: maximum fines raised from $25,000 to $1.5MM per calendar year for serious offenses; categories of violations; HIPAA ignorance no longer tolerated.
Business Associates now have the same HIPAA responsibilities as the Covered Entities they service. Implied accountability – whether a Business Associate Contract/Agreement is in place or not. Breach Notifications include Business Associate and Covered Entity.
Why the focus on Business Associates?
Drop the first line “total Breach”
Animate by box – from left to right
Animate by box
Animate by questions
Does EMR = Compliance? No.
Home Health Care / Hospice / Long Term Care: adherence to referring entity’s privacy and security policies; HIPAA compliance with respect to internal operating policies.
Document Destruction: documented media destruction processes and policies.
Document Destruction Company: HIPAA compliance with respect to internal operating policies.
Office of Civil Rights: currently developing list of HIPAA Compliance Audit Candidates. KPMG has developed the audit process and will begin auditing activities in Fall 2011.
Individual state’s Office of Attorney General: on behalf of the public; currently completing training through OCR on HIPAA enforcement.
Graphic of a guy taking a step. Industry calls this a “risk assessment”.
Need copies of the rule – send me a message?
Seed questions:
How much does this cost? Complete turnkey services start at $2,500.
How long does this take? The risk assessment can be completed within 2 weeks.
I understand that HIPAA is a lot of policies. How do I address developing all of the policies? We have policy templates and often assist clients in the development.