Business Associates 101 - PowerPoint PPT Presentation

Description:

Stinson, Mag & Fizzell. A Professional Corporation. Stinson, Mag ... Individualize B/A requirements as needed. Steps to Compliance. Stinson, Mag & Fizzell ...

Slides: 40
Provided by: nes62

1
Business Associates 101
HIPAA Privacy
  • Jennifer Wolfe Jerram, B.S.N., J.D.
    email: jjerram_at_stinson.com
    www.stinson.com
    (402) 342-1700

2
Business Associate - Defined
Where to look in the regulations
  • § 160.103 Federal Register, p. 82798
  • Preamble pp. 82475-76
  • Comments p. 82567

3
Business Associate - Disclosure Standard
Where to look in the regulations
  • § 164.502(e) Federal Register, p. 82806
  • Preamble p. 82499
  • Comments pp. 82640-45

4
Business Associate - Contract Requirements
Where to look in the regulations
  • § 164.504(e) Federal Register, pp. 82808-09
  • Preamble pp. 82503-07
  • Comments pp. 82640-45

5
Who is a Business Associate?
  • A party who will be governed indirectly by
    portions of the HIPAA privacy regulations by
    virtue of his/her/its contractual obligations to
    covered entities.

6
Who are your Business Associates?
  • 2 separate groups under the regulations

7
1st Group: Relationship with Covered Entity
Who are your Business Associates?
  • A person or entity who performs or assists in the
    performance of a function or activity involving
    the use or disclosure of PHI on behalf of the
    Covered Entity.

8
Examples include
Who are your Business Associates?
  • Claims processing
  • Data analysis
  • UR
  • QA
  • Billing
  • Others

9
2nd Group: Listed Functions
Who are your Business Associates?
  • A person or entity who provides certain
    identified services to the Covered Entity, where
    the provision of services involves disclosure of
    PHI.

10
Services Identified in Privacy Regulations
Who are your Business Associates?
  • legal
  • actuarial
  • accounting
  • consulting
  • data aggregation
  • management
  • administrative
  • accreditation
  • financial services
  • end of list - no others

11
Business Associates
  • Members of your workforce are not your Business
    Associates
  • Covered Entities can be Business Associates of
    other Covered Entities

12
What's in a Name?
Business Associates
  • Business Partner: proposed privacy regulations
  • Trading Partner: code sets and transactions
  • Chain of Trust Agreements: proposed security
    standards

13
How to Identify your Business Associates
  • Education
  • Survey tools
  • Inventory existing contracts

14
How to Identify your Business Associates (cont'd)
  • Who has authority to execute contracts? (don't
    forget satellite locations, affiliated entities)
  • Where are existing contracts kept?
  • How many oral contracts are out there?
  • Are you the Covered Entity or the Business
    Associate?

15
Always ask this question
  • Is the use/disclosure of PHI really necessary?

16
Now, let's complicate things
  • Is the use/disclosure of PHI necessary for the B/A
    to carry out its own function, or is the B/A
    carrying out a function on behalf of the C/E?

17
Disclosures to Business Associates
  • Disclosure to a B/A is an exception to the general
    rule under HIPAA: no use/disclosure unless
    there's an exception in the regulations.

18
Disclosures to Business Associates
  • A C/E may disclose PHI to a B/A and may allow a
    B/A to create or receive PHI on its behalf, if
    the C/E obtains satisfactory assurance that the
    B/A will appropriately safeguard the PHI.

19
SATISFACTORY ASSURANCE

20
Disclosures to Business Associates
  • Satisfactory Assurance requires a written
    contract or other written agreement or
    arrangement with the B/A that meets the
    requirements of § 164.504(e)

21
Requirements under § 164.504(e)
  • Establish the B/A's permitted/required uses and
    disclosures of PHI
  • Contract may not authorize the B/A to use/further
    disclose PHI in a manner that would violate the
    regulations if done by the C/E
  • Has the C/E agreed to any restrictions on its own
    uses/disclosures?

22
B/A Contract must provide that the B/A will
§ 164.504(e)
  • Not use/further disclose PHI other than as
    permitted/required by the contract or as required
    by law
  • Use appropriate safeguards to prevent
    use/disclosure of PHI other than as provided for
    by its contract.

23
B/A Contract must provide that the B/A will
(cont'd)
§ 164.504(e)
  • Report to the C/E any use/disclosure of PHI not
    provided for by its contract
  • Ensure that any agents, including subcontractors,
    agree to same restrictions

24
B/A Contract must provide that the B/A will
(cont'd)
§ 164.504(e)
  • Make PHI available in accordance with § 164.524
    (access to individuals)
  • Make PHI available for amendment and incorporate
    any amendments in accordance with § 164.526

25
B/A Contract must provide that the B/A will
(cont'd)
§ 164.504(e)
  • Make available the information required for the
    C/E to provide an accounting of disclosure
    pursuant to § 164.528
  • Make its internal practices, books and records
    relating to use/disclosure of PHI available to
    HHS Secretary

26
B/A Contract must provide that the B/A will
(cont'd)
§ 164.504(e)
  • Return or destroy all PHI upon termination of the
    contract; if not feasible to return/destroy,
    then the contractual protections must be extended
    to limit any further uses/disclosures

27
B/A Contract must provide that the B/A will
(cont'd)
§ 164.504(e)
  • Authorize termination of the contract by C/E if
    C/E entity determines that the B/A has violated a
    material term of the contract and

28
B/A Contract should also provide that the B/A
will (cont'd)
  • Retain records for 6 years (enables the C/E to
    comply with its own duties under Individual
    Rights)

29
A Welcome Change from the Proposed Regulations
  • Intended Third Party Beneficiary clause is NOT
    required under final privacy regulations

30
Business Associate contracts MAY permit
  • The B/A to use/disclose PHI for the proper
    management and administration of the B/A or to
    carry out the legal responsibilities of the B/A.

31
Business Associate contracts
  • If you are the B/A, you might want to include
    this permissible provision.

32
C/E is NOT in compliance with § 164.502(e)
Covered Entity's Compliance
  • C/E knew of a pattern of activity or practice of
    the B/A that constituted a breach, unless C/E
    took reasonable steps to cure the breach.

33
If C/E's reasonable steps were unsuccessful,
C/E must
Covered Entity's Compliance
  • Terminate the contract or
  • If termination is not feasible, report the
    problem to the HHS Secretary.

34
What does this mean?
Covered Entity's Compliance
  • C/E must have knowledge of the breach
  • C/E liable if it fails to respond (cure,
    terminate and/or report)

35
Steps to Compliance
  • Identify potential B/A situations.
  • Are you the C/E?
  • Are you the B/A?
  • Is PHI really necessary?

36
Steps to Compliance
  • Is a B/A contract required?
  • Is there already a contract in place?
  • When/how does it terminate?
  • What is required to amend it?

37
Steps to Compliance
  • Privacy Addendum
  • Whole new agreement
  • Placeholder language
  • Individualize B/A requirements as needed

38
Coordinate with Security/Code Sets Compliance
Efforts
Steps to Compliance

39
JOIN THE NE-SNIP PRIVACY WORK GROUP!
Steps to Compliance