HIPAA Training by Smith Anderson and Element Health Consortium
HIPAA Compliance for Business Associates
Presented by: Robert Shaw
Overview
• HIPAA Overview
• Business Associates and Covered Entities
• The Privacy Rule
• The Security Rule
Key HIPAA Terms
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Health Information Technology for Economic and Clinical Health (HITECH) Act
• Covered Entities (CEs)
• Business Associates (BAs)
• Protected health information (PHI)
○ ePHI: PHI in electronic form
• Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
What is HIPAA?
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Privacy Rule
• Security Rule
• Health Information Technology for Economic and Clinical Health (HITECH) Act (2009)
• Breach Notification Rule
• Omnibus Rule
Covered Entities
• Health care providers who conduct HIPAA standard electronic transactions
• Health plans
• Health care clearinghouses
Business Associates
• Perform functions or activities that involve accessing, creating, receiving, maintaining, or transmitting PHI on a CE's behalf.
• Include a BA's subcontractors that create, receive, maintain, or transmit PHI on the BA's behalf.
• HITECH implications for BAs
Business Associate Agreements (BAAs)
A CE may disclose PHI to a BA if the BA contractually agrees in a BAA to:
• Use PHI only for specified purposes.
• Safeguard PHI from misuse.
• Address data breaches and security incidents.
• Help CEs comply with applicable privacy and data protection laws.
• Hold their subcontractors to the same standards.
• Not use or further disclose PHI other than as permitted by the BAA or required by law.
Protected Health Information (PHI)
Individually identifiable information that relates to:
• An individual's past, present, or future physical or mental health or condition.
• The provision of health care to an individual.
• The past, present, or future payment for an individual's health care.
Examples: Name, contact information, birth date, Social Security number, payment details, service dates, prescriptions, diagnoses, or provider notes.
HIPAA Privacy Rule
• Policies and Procedures
• Train workforce members
• Designate Privacy Officer
• Mitigate harmful effects from violations
Minimum Necessary Standard
• Applies when CEs and BAs use, disclose, or request PHI.
• Limits PHI uses and disclosures to the minimum necessary to accomplish the intended purpose.
• Has exceptions, including disclosures for:
○ Treatment purposes.
○ Legal requirements.
○ Individuals or their representatives.
○ Authorizations.
○ HHS investigation, review, or enforcement.
HIPAA Security Rule
• Establishes a minimum set of standards to protect the confidentiality, integrity, and availability of ePHI that a CE or BA creates, receives, maintains, or transmits.
• Specifies various safeguards.
• Applies equally to CEs and BAs.
Examples of Security Incidents
• Stolen passwords, access credentials, or devices.
• Physical break-ins.
• Viruses, malware, ransomware, hacking, or network intrusions.
• Social engineering and phishing.
• Unauthorized internal or external access to ePHI.
• Improper media disposal.
Security Rule Compliance
• Conduct an internal risk analysis and adopt reasonable and appropriate policies and procedures based on company size, technological capability, and contractual obligations (e.g., BAAs).
• Maintain written records of required activities.
• Review and update periodically.
Safeguards
• The Security Rule includes administrative, physical, and technical safeguards and organizational requirements.
• Safeguards are divided into standards.
• Some standards include required or addressable implementation specifications.
Safeguards (continued)
• Administrative Safeguards: applicable to daily operations and workforce members' access
• Physical Safeguards: facility access controls, workstation use and security