SlideShare una empresa de Scribd logo

Who Is A HIPAA Business Associate ?

Dan Wellisch
Dan Wellisch

White Paper distributed at our May 2018 meeting of the Chicago Technology For Value-Based Healthcare Meetup Group - https://www.meetup.com/Chicago-Technology-For-Value-Based-Healthcare-Meetup/

Atención sanitaria
1 de 8
Descargar para leer sin conexión
Who is a HIPAA business associate?
Who is a HIPAA business associate? McDonald Hopkins Business associates need to take appropriate steps to comply with the HIPAA Rules. A wide range of vendors and contractors that perform services or other functions for health care providers or health plans face substantial obligations and potential liabilities as business associates under the Privacy, Security and Breach Notification Rules (HIPAA Rules) issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Therefore, it is crucial for covered entities, as well as anyone performing services or functions involving protected health information (PHI) for covered entities or business associates, to identify all of their business associate relationships so they can take appropriate actions to comply with the HIPAA Rules. As we will discuss in this white paper, whether a service provider is a business associate under the HIPAA Rules will depend on the relationship of the parties, the nature of the services and whether the activities involve the use, disclosure, transmission, or maintenance of PHI. Take action All parties to any contract or other arrangement involving PHI in connection with the performance of services or functions by anyone (other than the covered entity’s workforce) should review their arrangements to determine whether a business associate relationship has been or will be created, as well as whether a business associate agreement is in place and, if so, whether revisions are warranted. Business associates (as well as covered entities) need to take appropriate steps to comply with the HIPAA Rules. Background The HIPAA Rules allow covered entities to disclose PHI to business associates, and allow business associates to create and receive PHI on behalf of the covered entity, subject to the terms of a business associate agreement between the parties. PHI is defined broadly to encompass individually identifiable health information relating to the health of an individual or to the provision of, or payment for, health care services. For purposes of the HIPAA Rules, a covered entity is a health care provider (such as a hospital, physician practice, laboratory or pharmacy) that transmits health information electronically in connection with billing or other transactions covered by the HIPAA administrative simplification rules, a health plan or a health care clearinghouse (such as certain medical billing companies that process and submit claims to health plans). In general, an individual (other than a member of the covered entity’s workforce) or organization that performs or furnishes any function, activity or service for or on behalf of a covered entity involving the use or disclosure of PHI is a business associate. The HIPAA Rules define a covered entity’s workforce as employees, volunteers, trainees, and others acting under the covered entity’s direct control, regardless of whether they are paid. Historically, business associates were contractually required to maintain the privacy, and protect the security, of PHI as provided in their business associate agreements – that is, if they entered into a business associate agreement. But until recently, business associates were not subject to sanctions under the HIPAA Rules for noncompliance with their business associate agreements or HIPAA Rules. The HITECH Act and Omnibus Rule On Feb. 17, 2009, President Barack Obama signed into law the American Recovery and Reinvestment Act of 2009, which included the Health Information Technology for Economic and Clinical Health Act (HITECH). This expanded the HIPAA obligations and exposure of business associates by applying various HIPAA Rules directly to business associates, requiring business associates to comply with breach notification requirements and subjecting them to civil and criminal penalties for HIPAA violations. Nearly four years later, 2
Who is a HIPAA business associate? McDonald Hopkins the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued the Omnibus Rule, which amended the HIPAA Rules and took effect in 2013. In addition to implementing various provisions of the HITECH Act by applying the HIPAA Rule obligations directly to business associates, the Omnibus Rule extended the business associate definition to new categories of business associates, including cloud vendors and other companies that store or transmit PHI, as well as subcontractors of business associates. The Omnibus Rule also required the amendment of business associate agreements to incorporate the new standards and expanded the potential liability of covered entities to include exposure for the acts and omissions of a business associate if the business associate is deemed to be an agent of the covered entity and the acts or omissions are within the scope of the agency. Expanded business associate definition The HIPAA Rules, as amended by the Omnibus Rule, define business associate as any individual (other than a member of the covered entity’s workforce) or organization that either: • Creates, receives, maintains, or transmits PHI on behalf of a covered entity or an organized health care arrangement for a function or activity regulated under the HIPAA administrative simplification rules, such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing. • Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI. The Omnibus Rule added the following new categories of business associates: • Those who store or otherwise maintain PHI. • Health Information Organizations (HIOs), e-prescribing gateways and others who provide data transmission services to a covered entity and require routine access to PHI. • Anyone who offers a personal health record to individuals on behalf of a covered entity. • Subcontractors of business associates if (i) the business associate delegates to the subcontractor a function, activity or service that the business associate has agreed to perform for the covered entity, or for another business associate, and (ii) any of the delegated functions, activities or services involve the creation, receipt, maintenance, or transmission of PHI. Though covered entities and business associates are required to enter into business associate agreements, anyone who performs services or functions that fit within the definition of business associate will be subject to the business associate obligations under the HIPAA Rules, even if no business associate agreement is signed. Therefore, business associates (as well as covered entities) have a proactive obligation to identify their business associate relationships and satisfy the HIPAA Rules in connection with those relationships. Subcontractor business associates The expansion of business associate obligations to subcontractors was done to avoid a lapse of privacy and security protections when business associates share PHI with their subcontractors. Anyone, other than a member of a covered entity’s or business associate’s workforce, who assists a business associate in performing a function, activity or service involving PHI for a covered entity may potentially be subject to the HIPAA Rules as a subcontractor business associate. 3
Who is a HIPAA business associate? McDonald Hopkins A subcontractor may be deemed a business associate if at least part of a delegated task is within the business associate’s responsibilities to the covered entity, although not all those who access PHI in providing services for a business associate will become business associates. For example, a business associate’s disclosure of PHI for its (and not the covered entity’s) management and administration would not create a subcontractor business associate relationship. However, the HIPAA Rules would still require reasonable assurances that the PHI will be held confidentially and will not be disclosed except as required by law or for the purposes of the disclosure, and agreement to notify the business associate if the recipient of the PHI becomes aware that confidentiality of the PHI has been breached. Moreover, a business associate will be allowed to use or disclose PHI for its management and administration only if the business associate agreement allows such use or disclosure. HIPAA obligations and potential liability can extend to subcontractors who have no direct connection or relationship with any covered entity, no matter how far the PHI flows down the chain from business associate to subcontractors or how little the subcontractor knows about the relationship with the covered entity. To understand how this works, consider the following scenario: Business associate A engages subcontractor B to perform part of business associate A’s responsibilities involving the covered entity’s PHI. Subcontractor B in turn delegates some of its responsibilities involving the PHI to subcontractor C, and subcontractor C delegates part of its responsibilities to subcontractor D. In this case, subcontractors B, C and D (as well as business associate A) would all be considered business associates of the covered entity and the HIPAA business associate obligations would extend down the chain from business associate A to subcontractors B, C and D. A subcontractor may be deemed a business associate if at least part of a delegated task is within the business associate’s responsibilities to the covered entity, although not all those who access PHI in providing services for a business associate will become business associates. 4 In these circumstances, business associate agreements would be required between: 1. The covered entity and business associate A 2. Business associate A and subcontractor B 3. Subcontractor B and subcontractor C 4. Subcontractor C and subcontractor D The extension of business associate status to subcontractors can ensnare unsuspecting individuals and organizations because prior to the Omnibus Rule subcontractors were untouched by the HIPAA Rules. Many could still be unaware that they are performing functions for covered entities or dealing with PHI. Subcontractor Dntractor D Subcontractor C BAAntractor C Subcontractor B BAAontractor B Business associate A BAA Covered Entity BAA
Who is a HIPAA business associate? McDonald Hopkins Data transmission and storage The Omnibus Rule added maintenance of PHI to the functions that trigger business associate status. For example, a data storage company that has access to PHI in either hard copy or digital form is a business associate even if the storage company never views the PHI or does so only on a random or infrequent basis. Before the Omnibus Rule, OCR had indicated that a document storage company would not be considered a business associate if the PHI was maintained in closed and sealed containers and the document storage company did not access the PHI ( other than incidental access, such as when a box becomes damaged and needs to be repackaged). Now, a medical practice that stores old medical records in an off-site location needs a business associate agreement with the storage company. With regard to data transmission services that trigger business associate status, the Omnibus Rule specifies two types of service providers: HIOs (i.e., organizations such as health information exchanges that oversee and govern the exchange of health-related information among organizations) and e-prescribing gateways. The definition also includes others who provide data transmission services to covered entities relating to PHI and require access to PHI on a routine basis. OCR draws a distinction between data transmission services that require access to PHI on a routine basis and are therefore deemed to be business associates, and conduits, which are not business associates. This is a fact specific determination based on the nature of the services provided and the extent to which the service provider needs access to PHI to perform its data transmission services for the covered entity. OCR interprets the conduit exception narrowly and limits it to mere courier services, such as the U.S. Postal Service, UPS and their electronic equivalents, such as ISPs that provide mere data transmission services. In light of the catch-all data transmission provision, the addition of maintenance of PHI as a business associate function, the Omnibus Rule preamble commentary and OCR’s recent guidance on cloud computing (see below), the business associate definition now casts a wide net that can include service providers, such as cloud vendors, internet service providers (ISPs), application service providers (ASPs) and document storage companies that previously may not have been regarded as business associates. Cloud service providers In its October 2016 guidance on cloud computing, OCR confirmed that a cloud services provider that creates, receives, maintains or transmits electronic PHI (ePHI) on behalf of a covered entity is a HIPAA business associate even if all ePHI is encrypted and the cloud service provider does not have the encryption key. A cloud service provider that subcontracts to perform similar functions on behalf of the business associate involving ePHI is also a business associate. OCR has specifically reminded covered entities and business associates that using a cloud service provider to maintain ePHI without entering into a business associate agreement violates the HIPAA Rules. In addition, risk analysis and risk management need to account for ePHI stored in the cloud, whether on servers within the U.S. or overseas. OCR recognizes that in some cases a cloud service provider may not know that a covered entity or upstream business associate is using the cloud service in connection with ePHI, and therefore may not be in a position to satisfy its business associate obligations under the HIPAA rules. The guidance clarifies that upon becoming aware that it is maintaining ePHI, a cloud service provider must comply with the HIPAA Rules or securely return the OCR interprets the conduit exception narrowly and limits it to mere courier services, such as the U.S. Postal Service, UPS and their electronic equivalents, such as ISPs that provide mere data transmission services. 5
Who is a HIPAA business associate? McDonald Hopkins ePHI to the customer (or destroy it, if agreed). OCR notes that the 30 day period to correct noncompliance (in order to qualify for an affirmative defense under the HIPAA Rules) begins when the cloud service provider knows or should have known that a covered entity or business associate is maintaining ePHI in its cloud. OCR recommends that cloud service providers document their compliance, or their return or destruction of ePHI. Business associates in the crosshairs OCR’s $650,000 settlement in June 2016 with a business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), demonstrated that it is serious about taking strong enforcement action and imposing severe penalties against business associates for failure to implement safeguards as required under the HIPAA Rules. The CHCS settlement continued OCR’s expansion of its enforcement focus on business associates, following a string of OCR settlements that held covered entities responsible for failing to enter into business associate agreements with their business associates or for failing to update a pre-Omnibus Rule business associate agreement. It is also important to keep in mind that business associates are potentially subject to OCR’s HIPAA audits. Moreover, state attorneys general and the Federal Trade Commission have also taken enforcement action against business associates. Conclusion A threshold issue in HIPAA compliance for any organization is identifying all of its business associate relationships, whether as a covered entity, upstream business associate or downstream business associate. In some cases this relationship may be apparent, and in other instances it may require some analysis. With expanded business associate obligations, scrutiny and related exposure, it is more important than ever to recognize all business associate relationships and ensure that appropriate safeguards are implemented. With expanded business associate obligations, scrutiny and related exposure, it is more important than ever to recognize all business associate relationships and ensure that appropriate safeguards are implemented. 6
Who is a HIPAA business associate? McDonald Hopkins Not a business associate Examples of businesses and individuals that are typically not considered business associates: • An individual who performs services as part of the workforce of a covered entity • A health care provider, to the extent that disclosures of PHI by another covered entity concern the treatment of the individual • A plan sponsor (such as an employer), with respect to various disclosures from its group health plan • Financial and banking institutions when performing only payment processing activities • A janitorial service performing traditional functions • Maintenance and repair personnel (other than working on systems holding PHI) • Conduits (e.g., U.S. Postal Service and its electronic equivalents) • Researchers (unless engaged to perform activities regulated by the HIPAA Rules) Typically a business associate Examples of service providers that are typically business associates when accessing or maintaining PHI, except when acting as members of the workforce of the covered entity or of another business associate: • Medical transcription companies • Answering services • Document storage or disposal (shredding) companies • Patient safety or accreditation organizations • Companies involved in claims processing, repricing or collections (e.g., medical billing companies) • Health information exchanges (HIEs), e-prescribing gateways and other HIOs • Cloud service providers • Third party administrators and pharmacy benefit managers • Data conversion, de-identification and data analysis service providers • Utilization review and management companies Sometimes a business associate Examples of service providers that are sometimes business associates, depending on the underlying relationships, whether they access PHI and the functions involved: • Accounting firms • Auditors • Law firms • Consulting firms • Software vendors and consultants • Financial institutions (if engaging in accounts receivable or other functions extending beyond payment processing) • ISPs and ASPs • Companies providing personal health records (business associate if providing personal health records on behalf of a covered entity) • Researchers (if performing HIPAA functions for a covered entity) 7
© 2017 McDonald Hopkins LLC All Rights Reserved This Publication is designed to provide current information for our clients, friends and their advisors regarding important legal developments. The foregoing discussion is general information rather than specific legal advice. Because it is necessary to apply legal principles to specific facts, always consult your legal advisor before using this discussion as a basis for a specific action. Have more questions about who is a HIPAA business associate? Contact the author of this white paper: Rick Hindmand 312.642.2203 rhindmand@mcdonaldhopkins.com Questions about healthcare or data privacy and cybersecurity? Contact Rick or any one of these McDonald Hopkins attorneys: Richard Cooper 216.348.5438 rcooper@mcdonaldhopkins.com James Giszczak 248.220.1354 jgiszczak@mcdonaldhopkins.com Dominic Paluzzi 248.220.4356 dpaluzzi@mcdonaldhopkins.com

Recomendados

HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations OnRamp
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2Suzanne Guggenheim
 
HIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upHIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upDavid Sweigert
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
HIPAA Basic Healthcare Guide
HIPAA Basic Healthcare GuideHIPAA Basic Healthcare Guide
HIPAA Basic Healthcare GuideWirehead Technology
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simpleJose Ivan Delgado, Ph.D.
 
Compliance planning for hipaa 2
Compliance planning for hipaa 2Compliance planning for hipaa 2
Compliance planning for hipaa 2complianceonline123
 
The New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and ResponsibilituesThe New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and Responsibilituescomplianceexpert
 

Recomendados

HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations OnRamp
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2Suzanne Guggenheim
 
HIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upHIPAA Security Rule application to Business Associates heats up
HIPAA Security Rule application to Business Associates heats upDavid Sweigert
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
HIPAA Basic Healthcare Guide
HIPAA Basic Healthcare GuideHIPAA Basic Healthcare Guide
HIPAA Basic Healthcare GuideWirehead Technology
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simpleJose Ivan Delgado, Ph.D.
 
Compliance planning for hipaa 2
Compliance planning for hipaa 2Compliance planning for hipaa 2
Compliance planning for hipaa 2complianceonline123
 
The New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and ResponsibilituesThe New HIPAA: Rules and Responsibilitues
The New HIPAA: Rules and Responsibilituescomplianceexpert
 
HIPAA Business Associate Responsibilities – What They Are?
HIPAA Business Associate Responsibilities – What They Are?HIPAA Business Associate Responsibilities – What They Are?
HIPAA Business Associate Responsibilities – What They Are?Conference Panel
 
Keeping Your Business HIPAA-Compliant
Keeping Your Business HIPAA-CompliantKeeping Your Business HIPAA-Compliant
Keeping Your Business HIPAA-CompliantCarbonite
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfShelly Megan
 
On ramp hipaa-omnibus-presentation
On ramp hipaa-omnibus-presentationOn ramp hipaa-omnibus-presentation
On ramp hipaa-omnibus-presentationOnRampAccess
 
HiPAA info
HiPAA infoHiPAA info
HiPAA infoRob Jones
 
Which of the following statements is true of HIPAA rules.docx
Which of the following statements is true of HIPAA rules.docxWhich of the following statements is true of HIPAA rules.docx
Which of the following statements is true of HIPAA rules.docxwrite30
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxVistaInfosec
 
HIPAA Business Associate Compliance and Dangers
HIPAA Business Associate Compliance and DangersHIPAA Business Associate Compliance and Dangers
HIPAA Business Associate Compliance and DangersConference Panel
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingvrgill22
 
Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rulemihinpr
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
Defining a process for gathering information pertaining to a hipaa.docx
Defining a process for gathering information pertaining to a hipaa.docxDefining a process for gathering information pertaining to a hipaa.docx
Defining a process for gathering information pertaining to a hipaa.docxwrite31
 
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfHIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfSuccessiveDigital
 
Overview of hipaa & tools for hipaa compliance
Overview of hipaa & tools for hipaa complianceOverview of hipaa & tools for hipaa compliance
Overview of hipaa & tools for hipaa complianceSquare 9
 
HNI U: HIPAA Essentials
HNI U: HIPAA EssentialsHNI U: HIPAA Essentials
HNI U: HIPAA EssentialsHNI Risk Services
 
Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceTrueVault
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
HIPAA Omnibus Presentation
HIPAA Omnibus PresentationHIPAA Omnibus Presentation
HIPAA Omnibus PresentationCompliancy Group
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & SecurityNational Pharmacy Technician Association
 
How to Ensure HIPPA Compliance
How to Ensure HIPPA ComplianceHow to Ensure HIPPA Compliance
How to Ensure HIPPA ComplianceHanna Global
 
Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...
Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...
Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...Dan Wellisch
 
The Role Of Community-Based Organizations in Achieving Population Health Goals
The Role Of Community-Based Organizations in Achieving Population Health GoalsThe Role Of Community-Based Organizations in Achieving Population Health Goals
The Role Of Community-Based Organizations in Achieving Population Health GoalsDan Wellisch
 

Más contenido relacionado

Similar a Who Is A HIPAA Business Associate ?

HIPAA Business Associate Responsibilities – What They Are?
HIPAA Business Associate Responsibilities – What They Are?HIPAA Business Associate Responsibilities – What They Are?
HIPAA Business Associate Responsibilities – What They Are?Conference Panel
 
Keeping Your Business HIPAA-Compliant
Keeping Your Business HIPAA-CompliantKeeping Your Business HIPAA-Compliant
Keeping Your Business HIPAA-CompliantCarbonite
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfShelly Megan
 
On ramp hipaa-omnibus-presentation
On ramp hipaa-omnibus-presentationOn ramp hipaa-omnibus-presentation
On ramp hipaa-omnibus-presentationOnRampAccess
 
Which of the following statements is true of HIPAA rules.docx
Which of the following statements is true of HIPAA rules.docxWhich of the following statements is true of HIPAA rules.docx
Which of the following statements is true of HIPAA rules.docxwrite30
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxVistaInfosec
 
HIPAA Business Associate Compliance and Dangers
HIPAA Business Associate Compliance and DangersHIPAA Business Associate Compliance and Dangers
HIPAA Business Associate Compliance and DangersConference Panel
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingvrgill22
 
Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rulemihinpr
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
Defining a process for gathering information pertaining to a hipaa.docx
Defining a process for gathering information pertaining to a hipaa.docxDefining a process for gathering information pertaining to a hipaa.docx
Defining a process for gathering information pertaining to a hipaa.docxwrite31
 
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfHIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfSuccessiveDigital
 
Overview of hipaa & tools for hipaa compliance
Overview of hipaa & tools for hipaa complianceOverview of hipaa & tools for hipaa compliance
Overview of hipaa & tools for hipaa complianceSquare 9
 
Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceTrueVault
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
HIPAA Omnibus Presentation
HIPAA Omnibus PresentationHIPAA Omnibus Presentation
HIPAA Omnibus PresentationCompliancy Group
 
How to Ensure HIPPA Compliance
How to Ensure HIPPA ComplianceHow to Ensure HIPPA Compliance
How to Ensure HIPPA ComplianceHanna Global
 

Similar a Who Is A HIPAA Business Associate ? (20)

HIPAA Business Associate Responsibilities – What They Are?
HIPAA Business Associate Responsibilities – What They Are?HIPAA Business Associate Responsibilities – What They Are?
HIPAA Business Associate Responsibilities – What They Are?
 
Keeping Your Business HIPAA-Compliant
Keeping Your Business HIPAA-CompliantKeeping Your Business HIPAA-Compliant
Keeping Your Business HIPAA-Compliant
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdf
 
On ramp hipaa-omnibus-presentation
On ramp hipaa-omnibus-presentationOn ramp hipaa-omnibus-presentation
On ramp hipaa-omnibus-presentation
 
HiPAA info
HiPAA infoHiPAA info
HiPAA info
 
Which of the following statements is true of HIPAA rules.docx
Which of the following statements is true of HIPAA rules.docxWhich of the following statements is true of HIPAA rules.docx
Which of the following statements is true of HIPAA rules.docx
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
 
HIPAA Business Associate Compliance and Dangers
HIPAA Business Associate Compliance and DangersHIPAA Business Associate Compliance and Dangers
HIPAA Business Associate Compliance and Dangers
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy training
 
Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rule
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
 
Defining a process for gathering information pertaining to a hipaa.docx
Defining a process for gathering information pertaining to a hipaa.docxDefining a process for gathering information pertaining to a hipaa.docx
Defining a process for gathering information pertaining to a hipaa.docx
 
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdfHIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
HIPAA-Compliant App Development Guide for the Healthcare Industry.pdf
 
Overview of hipaa & tools for hipaa compliance
Overview of hipaa & tools for hipaa complianceOverview of hipaa & tools for hipaa compliance
Overview of hipaa & tools for hipaa compliance
 
HNI U: HIPAA Essentials
HNI U: HIPAA EssentialsHNI U: HIPAA Essentials
HNI U: HIPAA Essentials
 
Application Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA ComplianceApplication Developers Guide to HIPAA Compliance
Application Developers Guide to HIPAA Compliance
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
 
HIPAA Omnibus Presentation
HIPAA Omnibus PresentationHIPAA Omnibus Presentation
HIPAA Omnibus Presentation
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
 
How to Ensure HIPPA Compliance
How to Ensure HIPPA ComplianceHow to Ensure HIPPA Compliance
How to Ensure HIPPA Compliance
 

Más de Dan Wellisch

Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...
Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...
Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...Dan Wellisch
 
The Role Of Community-Based Organizations in Achieving Population Health Goals
The Role Of Community-Based Organizations in Achieving Population Health GoalsThe Role Of Community-Based Organizations in Achieving Population Health Goals
The Role Of Community-Based Organizations in Achieving Population Health GoalsDan Wellisch
 
Health Industry Cybersecurity Best Practices
Health Industry Cybersecurity Best PracticesHealth Industry Cybersecurity Best Practices
Health Industry Cybersecurity Best PracticesDan Wellisch
 
Driving Data to Cut Healthcare Costs
Driving Data to Cut Healthcare CostsDriving Data to Cut Healthcare Costs
Driving Data to Cut Healthcare CostsDan Wellisch
 
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...Dan Wellisch
 
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...Dan Wellisch
 
Chronic Care Management - Implemented By TimeDoc - May 2018
Chronic Care Management - Implemented By TimeDoc - May 2018Chronic Care Management - Implemented By TimeDoc - May 2018
Chronic Care Management - Implemented By TimeDoc - May 2018Dan Wellisch
 
Managing HIPAA Business Associate Relationships - April 24, 2018
Managing HIPAA Business Associate Relationships - April 24, 2018 Managing HIPAA Business Associate Relationships - April 24, 2018
Managing HIPAA Business Associate Relationships - April 24, 2018 Dan Wellisch
 
Using Models For Analytically-Driven Cultural Transformation
Using Models For Analytically-Driven Cultural TransformationUsing Models For Analytically-Driven Cultural Transformation
Using Models For Analytically-Driven Cultural TransformationDan Wellisch
 
Analyzing Breast Cancer Dataset with Azure Machine Learning Studio
Analyzing Breast Cancer Dataset with Azure Machine Learning StudioAnalyzing Breast Cancer Dataset with Azure Machine Learning Studio
Analyzing Breast Cancer Dataset with Azure Machine Learning StudioDan Wellisch
 
Simple Linear Regression: Step-By-Step
Simple Linear Regression: Step-By-StepSimple Linear Regression: Step-By-Step
Simple Linear Regression: Step-By-StepDan Wellisch
 
Helping Health Healthcare: Financial Decision Support
Helping Health Healthcare: Financial Decision SupportHelping Health Healthcare: Financial Decision Support
Helping Health Healthcare: Financial Decision SupportDan Wellisch
 
AWS Machine Learning Workshop
AWS Machine Learning WorkshopAWS Machine Learning Workshop
AWS Machine Learning WorkshopDan Wellisch
 
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?Dan Wellisch
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion Dan Wellisch
 
Using Predictive Analytics For Care Management And Coordination
Using Predictive Analytics For Care Management And CoordinationUsing Predictive Analytics For Care Management And Coordination
Using Predictive Analytics For Care Management And CoordinationDan Wellisch
 
Rcm (Revenue Cycle Management)
Rcm (Revenue Cycle Management)Rcm (Revenue Cycle Management)
Rcm (Revenue Cycle Management)Dan Wellisch
 
Driving to consumerism
Driving to consumerismDriving to consumerism
Driving to consumerismDan Wellisch
 
Using The Hadoop Ecosystem to Drive Healthcare Innovation
Using The Hadoop Ecosystem to Drive Healthcare InnovationUsing The Hadoop Ecosystem to Drive Healthcare Innovation
Using The Hadoop Ecosystem to Drive Healthcare InnovationDan Wellisch
 

Más de Dan Wellisch (19)

Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...
Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...
Measuring, Mismeasuring, and Remeasuring - Creating Meaningful Key Performanc...
 
The Role Of Community-Based Organizations in Achieving Population Health Goals
The Role Of Community-Based Organizations in Achieving Population Health GoalsThe Role Of Community-Based Organizations in Achieving Population Health Goals
The Role Of Community-Based Organizations in Achieving Population Health Goals
 
Health Industry Cybersecurity Best Practices
Health Industry Cybersecurity Best PracticesHealth Industry Cybersecurity Best Practices
Health Industry Cybersecurity Best Practices
 
Driving Data to Cut Healthcare Costs
Driving Data to Cut Healthcare CostsDriving Data to Cut Healthcare Costs
Driving Data to Cut Healthcare Costs
 
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...
US Healthcare Reform Landscape - Addendum to June 2018 Presentation to the Ch...
 
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...
Payer Analytics In A Shifting Healthcare Landscape - June Presentation To Chi...
 
Chronic Care Management - Implemented By TimeDoc - May 2018
Chronic Care Management - Implemented By TimeDoc - May 2018Chronic Care Management - Implemented By TimeDoc - May 2018
Chronic Care Management - Implemented By TimeDoc - May 2018
 
Managing HIPAA Business Associate Relationships - April 24, 2018
Managing HIPAA Business Associate Relationships - April 24, 2018 Managing HIPAA Business Associate Relationships - April 24, 2018
Managing HIPAA Business Associate Relationships - April 24, 2018
 
Using Models For Analytically-Driven Cultural Transformation
Using Models For Analytically-Driven Cultural TransformationUsing Models For Analytically-Driven Cultural Transformation
Using Models For Analytically-Driven Cultural Transformation
 
Analyzing Breast Cancer Dataset with Azure Machine Learning Studio
Analyzing Breast Cancer Dataset with Azure Machine Learning StudioAnalyzing Breast Cancer Dataset with Azure Machine Learning Studio
Analyzing Breast Cancer Dataset with Azure Machine Learning Studio
 
Simple Linear Regression: Step-By-Step
Simple Linear Regression: Step-By-StepSimple Linear Regression: Step-By-Step
Simple Linear Regression: Step-By-Step
 
Helping Health Healthcare: Financial Decision Support
Helping Health Healthcare: Financial Decision SupportHelping Health Healthcare: Financial Decision Support
Helping Health Healthcare: Financial Decision Support
 
AWS Machine Learning Workshop
AWS Machine Learning WorkshopAWS Machine Learning Workshop
AWS Machine Learning Workshop
 
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?
What Are The All Payer Claims Databases (SCPDs) And What Could Be Used For?
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion
 
Using Predictive Analytics For Care Management And Coordination
Using Predictive Analytics For Care Management And CoordinationUsing Predictive Analytics For Care Management And Coordination
Using Predictive Analytics For Care Management And Coordination
 
Rcm (Revenue Cycle Management)
Rcm (Revenue Cycle Management)Rcm (Revenue Cycle Management)
Rcm (Revenue Cycle Management)
 
Driving to consumerism
Driving to consumerismDriving to consumerism
Driving to consumerism
 
Using The Hadoop Ecosystem to Drive Healthcare Innovation
Using The Hadoop Ecosystem to Drive Healthcare InnovationUsing The Hadoop Ecosystem to Drive Healthcare Innovation
Using The Hadoop Ecosystem to Drive Healthcare Innovation
 

Último

2024 PCP #IMPerative Updates in Rheumatology
2024 PCP #IMPerative Updates in Rheumatology2024 PCP #IMPerative Updates in Rheumatology
2024 PCP #IMPerative Updates in RheumatologySidney Erwin Manahan
 
🍑👄Ludhiana Escorts Service☎️98157-77685🍑👄 Call Girl service in Ludhiana☎️Ludh...
🍑👄Ludhiana Escorts Service☎️98157-77685🍑👄 Call Girl service in Ludhiana☎️Ludh...🍑👄Ludhiana Escorts Service☎️98157-77685🍑👄 Call Girl service in Ludhiana☎️Ludh...
🍑👄Ludhiana Escorts Service☎️98157-77685🍑👄 Call Girl service in Ludhiana☎️Ludh...dilpreetentertainmen
 
The Events of Cardiac Cycle - Wigger's Diagram
The Events of Cardiac Cycle - Wigger's DiagramThe Events of Cardiac Cycle - Wigger's Diagram
The Events of Cardiac Cycle - Wigger's DiagramMedicoseAcademics
 
💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...
💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...
💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...India Call Girls
 
❤️Zirakpur Escorts☎️7837612180☎️ Call Girl service in Zirakpur☎️ Zirakpur Cal...
❤️Zirakpur Escorts☎️7837612180☎️ Call Girl service in Zirakpur☎️ Zirakpur Cal...❤️Zirakpur Escorts☎️7837612180☎️ Call Girl service in Zirakpur☎️ Zirakpur Cal...
❤️Zirakpur Escorts☎️7837612180☎️ Call Girl service in Zirakpur☎️ Zirakpur Cal...Sheetaleventcompany
 
Ulhasnagar Call girl escort *88638//40496* Call me monika call girls 24*
Ulhasnagar Call girl escort *88638//40496* Call me monika call girls 24*Ulhasnagar Call girl escort *88638//40496* Call me monika call girls 24*
Ulhasnagar Call girl escort *88638//40496* Call me monika call girls 24*Mumbai Call girl
 
mental health , characteristic of mentally healthy person .pptx
mental health , characteristic of mentally healthy person .pptxmental health , characteristic of mentally healthy person .pptx
mental health , characteristic of mentally healthy person .pptxPupayumnam1
 
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...Sheetaleventcompany
 
Gorgeous Call Girls In Pune {9xx000xx09} ❤️VVIP ANKITA Call Girl in Pune Maha...
Gorgeous Call Girls In Pune {9xx000xx09} ❤️VVIP ANKITA Call Girl in Pune Maha...Gorgeous Call Girls In Pune {9xx000xx09} ❤️VVIP ANKITA Call Girl in Pune Maha...
Gorgeous Call Girls In Pune {9xx000xx09} ❤️VVIP ANKITA Call Girl in Pune Maha...Sheetaleventcompany
 
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...Sheetaleventcompany
 
❤️Chandigarh Escort Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ C...
❤️Chandigarh Escort Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ C...❤️Chandigarh Escort Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ C...
❤️Chandigarh Escort Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ C...Rashmi Entertainment
 
❤️Chandigarh Escorts☎️9814379184☎️ Call Girl service in Chandigarh☎️ Chandiga...
❤️Chandigarh Escorts☎️9814379184☎️ Call Girl service in Chandigarh☎️ Chandiga...❤️Chandigarh Escorts☎️9814379184☎️ Call Girl service in Chandigarh☎️ Chandiga...
❤️Chandigarh Escorts☎️9814379184☎️ Call Girl service in Chandigarh☎️ Chandiga...Sheetaleventcompany
 
DME deep margin elevation brief ppt.pptx
DME deep margin elevation brief ppt.pptxDME deep margin elevation brief ppt.pptx
DME deep margin elevation brief ppt.pptxmcrdalialsayed
 
💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...
💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...
💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...India Call Girls
 
❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...
❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...
❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...Sheetaleventcompany
 
💞 Safe And Secure Call Girls chhindwara 🧿 9332606886 🧿 High Class Call Girl S...
💞 Safe And Secure Call Girls chhindwara 🧿 9332606886 🧿 High Class Call Girl S...💞 Safe And Secure Call Girls chhindwara 🧿 9332606886 🧿 High Class Call Girl S...
💞 Safe And Secure Call Girls chhindwara 🧿 9332606886 🧿 High Class Call Girl S...India Call Girls
 
💞 Safe And Secure Call Girls Mysore 🧿 9332606886 🧿 High Class Call Girl Servi...
💞 Safe And Secure Call Girls Mysore 🧿 9332606886 🧿 High Class Call Girl Servi...💞 Safe And Secure Call Girls Mysore 🧿 9332606886 🧿 High Class Call Girl Servi...
💞 Safe And Secure Call Girls Mysore 🧿 9332606886 🧿 High Class Call Girl Servi...India Call Girls
 
science quiz bee questions.doc FOR ELEMENTARY SCIENCE
science quiz bee questions.doc FOR ELEMENTARY SCIENCEscience quiz bee questions.doc FOR ELEMENTARY SCIENCE
science quiz bee questions.doc FOR ELEMENTARY SCIENCEmaricelsampaga
 
💸Cash Payment No Advance Call Girls Kolkata 🧿 9332606886 🧿 High Class Call Gi...
💸Cash Payment No Advance Call Girls Kolkata 🧿 9332606886 🧿 High Class Call Gi...💸Cash Payment No Advance Call Girls Kolkata 🧿 9332606886 🧿 High Class Call Gi...
💸Cash Payment No Advance Call Girls Kolkata 🧿 9332606886 🧿 High Class Call Gi...India Call Girls
 
Independent Call Girls Service Chandigarh Sector 17 | 8868886958 | Call Girl ...
Independent Call Girls Service Chandigarh Sector 17 | 8868886958 | Call Girl ...Independent Call Girls Service Chandigarh Sector 17 | 8868886958 | Call Girl ...
Independent Call Girls Service Chandigarh Sector 17 | 8868886958 | Call Girl ...Sheetaleventcompany
 

Último (20)

2024 PCP #IMPerative Updates in Rheumatology
2024 PCP #IMPerative Updates in Rheumatology2024 PCP #IMPerative Updates in Rheumatology
2024 PCP #IMPerative Updates in Rheumatology
 
🍑👄Ludhiana Escorts Service☎️98157-77685🍑👄 Call Girl service in Ludhiana☎️Ludh...
🍑👄Ludhiana Escorts Service☎️98157-77685🍑👄 Call Girl service in Ludhiana☎️Ludh...🍑👄Ludhiana Escorts Service☎️98157-77685🍑👄 Call Girl service in Ludhiana☎️Ludh...
🍑👄Ludhiana Escorts Service☎️98157-77685🍑👄 Call Girl service in Ludhiana☎️Ludh...
 
The Events of Cardiac Cycle - Wigger's Diagram
The Events of Cardiac Cycle - Wigger's DiagramThe Events of Cardiac Cycle - Wigger's Diagram
The Events of Cardiac Cycle - Wigger's Diagram
 
💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...
💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...
💞 Safe And Secure Call Girls Prayagraj 🧿 9332606886 🧿 High Class Call Girl Se...
 
❤️Zirakpur Escorts☎️7837612180☎️ Call Girl service in Zirakpur☎️ Zirakpur Cal...
❤️Zirakpur Escorts☎️7837612180☎️ Call Girl service in Zirakpur☎️ Zirakpur Cal...❤️Zirakpur Escorts☎️7837612180☎️ Call Girl service in Zirakpur☎️ Zirakpur Cal...
❤️Zirakpur Escorts☎️7837612180☎️ Call Girl service in Zirakpur☎️ Zirakpur Cal...
 
Ulhasnagar Call girl escort *88638//40496* Call me monika call girls 24*
Ulhasnagar Call girl escort *88638//40496* Call me monika call girls 24*Ulhasnagar Call girl escort *88638//40496* Call me monika call girls 24*
Ulhasnagar Call girl escort *88638//40496* Call me monika call girls 24*
 
mental health , characteristic of mentally healthy person .pptx
mental health , characteristic of mentally healthy person .pptxmental health , characteristic of mentally healthy person .pptx
mental health , characteristic of mentally healthy person .pptx
 
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
Delhi Call Girl Service 📞8650700400📞Just Call Divya📲 Call Girl In Delhi No💰Ad...
 
Gorgeous Call Girls In Pune {9xx000xx09} ❤️VVIP ANKITA Call Girl in Pune Maha...
Gorgeous Call Girls In Pune {9xx000xx09} ❤️VVIP ANKITA Call Girl in Pune Maha...Gorgeous Call Girls In Pune {9xx000xx09} ❤️VVIP ANKITA Call Girl in Pune Maha...
Gorgeous Call Girls In Pune {9xx000xx09} ❤️VVIP ANKITA Call Girl in Pune Maha...
 
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
Call Girl In Indore 📞9235973566📞Just Call Inaaya📲 Call Girls Service In Indor...
 
❤️Chandigarh Escort Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ C...
❤️Chandigarh Escort Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ C...❤️Chandigarh Escort Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ C...
❤️Chandigarh Escort Service☎️9815457724☎️ Call Girl service in Chandigarh☎️ C...
 
❤️Chandigarh Escorts☎️9814379184☎️ Call Girl service in Chandigarh☎️ Chandiga...
❤️Chandigarh Escorts☎️9814379184☎️ Call Girl service in Chandigarh☎️ Chandiga...❤️Chandigarh Escorts☎️9814379184☎️ Call Girl service in Chandigarh☎️ Chandiga...
❤️Chandigarh Escorts☎️9814379184☎️ Call Girl service in Chandigarh☎️ Chandiga...
 
DME deep margin elevation brief ppt.pptx
DME deep margin elevation brief ppt.pptxDME deep margin elevation brief ppt.pptx
DME deep margin elevation brief ppt.pptx
 
💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...
💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...
💞 Safe And Secure Call Girls gaya 🧿 9332606886 🧿 High Class Call Girl Service...
 
❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...
❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...
❤️Call Girl In Chandigarh☎️9814379184☎️ Call Girl service in Chandigarh☎️ Cha...
 
💞 Safe And Secure Call Girls chhindwara 🧿 9332606886 🧿 High Class Call Girl S...
💞 Safe And Secure Call Girls chhindwara 🧿 9332606886 🧿 High Class Call Girl S...💞 Safe And Secure Call Girls chhindwara 🧿 9332606886 🧿 High Class Call Girl S...
💞 Safe And Secure Call Girls chhindwara 🧿 9332606886 🧿 High Class Call Girl S...
 
💞 Safe And Secure Call Girls Mysore 🧿 9332606886 🧿 High Class Call Girl Servi...
💞 Safe And Secure Call Girls Mysore 🧿 9332606886 🧿 High Class Call Girl Servi...💞 Safe And Secure Call Girls Mysore 🧿 9332606886 🧿 High Class Call Girl Servi...
💞 Safe And Secure Call Girls Mysore 🧿 9332606886 🧿 High Class Call Girl Servi...
 
science quiz bee questions.doc FOR ELEMENTARY SCIENCE
science quiz bee questions.doc FOR ELEMENTARY SCIENCEscience quiz bee questions.doc FOR ELEMENTARY SCIENCE
science quiz bee questions.doc FOR ELEMENTARY SCIENCE
 
💸Cash Payment No Advance Call Girls Kolkata 🧿 9332606886 🧿 High Class Call Gi...
💸Cash Payment No Advance Call Girls Kolkata 🧿 9332606886 🧿 High Class Call Gi...💸Cash Payment No Advance Call Girls Kolkata 🧿 9332606886 🧿 High Class Call Gi...
💸Cash Payment No Advance Call Girls Kolkata 🧿 9332606886 🧿 High Class Call Gi...
 
Independent Call Girls Service Chandigarh Sector 17 | 8868886958 | Call Girl ...
Independent Call Girls Service Chandigarh Sector 17 | 8868886958 | Call Girl ...Independent Call Girls Service Chandigarh Sector 17 | 8868886958 | Call Girl ...
Independent Call Girls Service Chandigarh Sector 17 | 8868886958 | Call Girl ...
 

Who Is A HIPAA Business Associate ?

  • 1. Who is a HIPAA business associate?
  • 2. Who is a HIPAA business associate? McDonald Hopkins Business associates need to take appropriate steps to comply with the HIPAA Rules. A wide range of vendors and contractors that perform services or other functions for health care providers or health plans face substantial obligations and potential liabilities as business associates under the Privacy, Security and Breach Notification Rules (HIPAA Rules) issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Therefore, it is crucial for covered entities, as well as anyone performing services or functions involving protected health information (PHI) for covered entities or business associates, to identify all of their business associate relationships so they can take appropriate actions to comply with the HIPAA Rules. As we will discuss in this white paper, whether a service provider is a business associate under the HIPAA Rules will depend on the relationship of the parties, the nature of the services and whether the activities involve the use, disclosure, transmission, or maintenance of PHI. Take action All parties to any contract or other arrangement involving PHI in connection with the performance of services or functions by anyone (other than the covered entity’s workforce) should review their arrangements to determine whether a business associate relationship has been or will be created, as well as whether a business associate agreement is in place and, if so, whether revisions are warranted. Business associates (as well as covered entities) need to take appropriate steps to comply with the HIPAA Rules. Background The HIPAA Rules allow covered entities to disclose PHI to business associates, and allow business associates to create and receive PHI on behalf of the covered entity, subject to the terms of a business associate agreement between the parties. PHI is defined broadly to encompass individually identifiable health information relating to the health of an individual or to the provision of, or payment for, health care services. For purposes of the HIPAA Rules, a covered entity is a health care provider (such as a hospital, physician practice, laboratory or pharmacy) that transmits health information electronically in connection with billing or other transactions covered by the HIPAA administrative simplification rules, a health plan or a health care clearinghouse (such as certain medical billing companies that process and submit claims to health plans). In general, an individual (other than a member of the covered entity’s workforce) or organization that performs or furnishes any function, activity or service for or on behalf of a covered entity involving the use or disclosure of PHI is a business associate. The HIPAA Rules define a covered entity’s workforce as employees, volunteers, trainees, and others acting under the covered entity’s direct control, regardless of whether they are paid. Historically, business associates were contractually required to maintain the privacy, and protect the security, of PHI as provided in their business associate agreements – that is, if they entered into a business associate agreement. But until recently, business associates were not subject to sanctions under the HIPAA Rules for noncompliance with their business associate agreements or HIPAA Rules. The HITECH Act and Omnibus Rule On Feb. 17, 2009, President Barack Obama signed into law the American Recovery and Reinvestment Act of 2009, which included the Health Information Technology for Economic and Clinical Health Act (HITECH). This expanded the HIPAA obligations and exposure of business associates by applying various HIPAA Rules directly to business associates, requiring business associates to comply with breach notification requirements and subjecting them to civil and criminal penalties for HIPAA violations. Nearly four years later, 2
  • 3. Who is a HIPAA business associate? McDonald Hopkins the U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued the Omnibus Rule, which amended the HIPAA Rules and took effect in 2013. In addition to implementing various provisions of the HITECH Act by applying the HIPAA Rule obligations directly to business associates, the Omnibus Rule extended the business associate definition to new categories of business associates, including cloud vendors and other companies that store or transmit PHI, as well as subcontractors of business associates. The Omnibus Rule also required the amendment of business associate agreements to incorporate the new standards and expanded the potential liability of covered entities to include exposure for the acts and omissions of a business associate if the business associate is deemed to be an agent of the covered entity and the acts or omissions are within the scope of the agency. Expanded business associate definition The HIPAA Rules, as amended by the Omnibus Rule, define business associate as any individual (other than a member of the covered entity’s workforce) or organization that either: • Creates, receives, maintains, or transmits PHI on behalf of a covered entity or an organized health care arrangement for a function or activity regulated under the HIPAA administrative simplification rules, such as claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, or repricing. • Provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity, if the service involves the disclosure of PHI. The Omnibus Rule added the following new categories of business associates: • Those who store or otherwise maintain PHI. • Health Information Organizations (HIOs), e-prescribing gateways and others who provide data transmission services to a covered entity and require routine access to PHI. • Anyone who offers a personal health record to individuals on behalf of a covered entity. • Subcontractors of business associates if (i) the business associate delegates to the subcontractor a function, activity or service that the business associate has agreed to perform for the covered entity, or for another business associate, and (ii) any of the delegated functions, activities or services involve the creation, receipt, maintenance, or transmission of PHI. Though covered entities and business associates are required to enter into business associate agreements, anyone who performs services or functions that fit within the definition of business associate will be subject to the business associate obligations under the HIPAA Rules, even if no business associate agreement is signed. Therefore, business associates (as well as covered entities) have a proactive obligation to identify their business associate relationships and satisfy the HIPAA Rules in connection with those relationships. Subcontractor business associates The expansion of business associate obligations to subcontractors was done to avoid a lapse of privacy and security protections when business associates share PHI with their subcontractors. Anyone, other than a member of a covered entity’s or business associate’s workforce, who assists a business associate in performing a function, activity or service involving PHI for a covered entity may potentially be subject to the HIPAA Rules as a subcontractor business associate. 3
  • 4. Who is a HIPAA business associate? McDonald Hopkins A subcontractor may be deemed a business associate if at least part of a delegated task is within the business associate’s responsibilities to the covered entity, although not all those who access PHI in providing services for a business associate will become business associates. For example, a business associate’s disclosure of PHI for its (and not the covered entity’s) management and administration would not create a subcontractor business associate relationship. However, the HIPAA Rules would still require reasonable assurances that the PHI will be held confidentially and will not be disclosed except as required by law or for the purposes of the disclosure, and agreement to notify the business associate if the recipient of the PHI becomes aware that confidentiality of the PHI has been breached. Moreover, a business associate will be allowed to use or disclose PHI for its management and administration only if the business associate agreement allows such use or disclosure. HIPAA obligations and potential liability can extend to subcontractors who have no direct connection or relationship with any covered entity, no matter how far the PHI flows down the chain from business associate to subcontractors or how little the subcontractor knows about the relationship with the covered entity. To understand how this works, consider the following scenario: Business associate A engages subcontractor B to perform part of business associate A’s responsibilities involving the covered entity’s PHI. Subcontractor B in turn delegates some of its responsibilities involving the PHI to subcontractor C, and subcontractor C delegates part of its responsibilities to subcontractor D. In this case, subcontractors B, C and D (as well as business associate A) would all be considered business associates of the covered entity and the HIPAA business associate obligations would extend down the chain from business associate A to subcontractors B, C and D. A subcontractor may be deemed a business associate if at least part of a delegated task is within the business associate’s responsibilities to the covered entity, although not all those who access PHI in providing services for a business associate will become business associates. 4 In these circumstances, business associate agreements would be required between: 1. The covered entity and business associate A 2. Business associate A and subcontractor B 3. Subcontractor B and subcontractor C 4. Subcontractor C and subcontractor D The extension of business associate status to subcontractors can ensnare unsuspecting individuals and organizations because prior to the Omnibus Rule subcontractors were untouched by the HIPAA Rules. Many could still be unaware that they are performing functions for covered entities or dealing with PHI. Subcontractor Dntractor D Subcontractor C BAAntractor C Subcontractor B BAAontractor B Business associate A BAA Covered Entity BAA
  • 5. Who is a HIPAA business associate? McDonald Hopkins Data transmission and storage The Omnibus Rule added maintenance of PHI to the functions that trigger business associate status. For example, a data storage company that has access to PHI in either hard copy or digital form is a business associate even if the storage company never views the PHI or does so only on a random or infrequent basis. Before the Omnibus Rule, OCR had indicated that a document storage company would not be considered a business associate if the PHI was maintained in closed and sealed containers and the document storage company did not access the PHI ( other than incidental access, such as when a box becomes damaged and needs to be repackaged). Now, a medical practice that stores old medical records in an off-site location needs a business associate agreement with the storage company. With regard to data transmission services that trigger business associate status, the Omnibus Rule specifies two types of service providers: HIOs (i.e., organizations such as health information exchanges that oversee and govern the exchange of health-related information among organizations) and e-prescribing gateways. The definition also includes others who provide data transmission services to covered entities relating to PHI and require access to PHI on a routine basis. OCR draws a distinction between data transmission services that require access to PHI on a routine basis and are therefore deemed to be business associates, and conduits, which are not business associates. This is a fact specific determination based on the nature of the services provided and the extent to which the service provider needs access to PHI to perform its data transmission services for the covered entity. OCR interprets the conduit exception narrowly and limits it to mere courier services, such as the U.S. Postal Service, UPS and their electronic equivalents, such as ISPs that provide mere data transmission services. In light of the catch-all data transmission provision, the addition of maintenance of PHI as a business associate function, the Omnibus Rule preamble commentary and OCR’s recent guidance on cloud computing (see below), the business associate definition now casts a wide net that can include service providers, such as cloud vendors, internet service providers (ISPs), application service providers (ASPs) and document storage companies that previously may not have been regarded as business associates. Cloud service providers In its October 2016 guidance on cloud computing, OCR confirmed that a cloud services provider that creates, receives, maintains or transmits electronic PHI (ePHI) on behalf of a covered entity is a HIPAA business associate even if all ePHI is encrypted and the cloud service provider does not have the encryption key. A cloud service provider that subcontracts to perform similar functions on behalf of the business associate involving ePHI is also a business associate. OCR has specifically reminded covered entities and business associates that using a cloud service provider to maintain ePHI without entering into a business associate agreement violates the HIPAA Rules. In addition, risk analysis and risk management need to account for ePHI stored in the cloud, whether on servers within the U.S. or overseas. OCR recognizes that in some cases a cloud service provider may not know that a covered entity or upstream business associate is using the cloud service in connection with ePHI, and therefore may not be in a position to satisfy its business associate obligations under the HIPAA rules. The guidance clarifies that upon becoming aware that it is maintaining ePHI, a cloud service provider must comply with the HIPAA Rules or securely return the OCR interprets the conduit exception narrowly and limits it to mere courier services, such as the U.S. Postal Service, UPS and their electronic equivalents, such as ISPs that provide mere data transmission services. 5
  • 6. Who is a HIPAA business associate? McDonald Hopkins ePHI to the customer (or destroy it, if agreed). OCR notes that the 30 day period to correct noncompliance (in order to qualify for an affirmative defense under the HIPAA Rules) begins when the cloud service provider knows or should have known that a covered entity or business associate is maintaining ePHI in its cloud. OCR recommends that cloud service providers document their compliance, or their return or destruction of ePHI. Business associates in the crosshairs OCR’s $650,000 settlement in June 2016 with a business associate, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), demonstrated that it is serious about taking strong enforcement action and imposing severe penalties against business associates for failure to implement safeguards as required under the HIPAA Rules. The CHCS settlement continued OCR’s expansion of its enforcement focus on business associates, following a string of OCR settlements that held covered entities responsible for failing to enter into business associate agreements with their business associates or for failing to update a pre-Omnibus Rule business associate agreement. It is also important to keep in mind that business associates are potentially subject to OCR’s HIPAA audits. Moreover, state attorneys general and the Federal Trade Commission have also taken enforcement action against business associates. Conclusion A threshold issue in HIPAA compliance for any organization is identifying all of its business associate relationships, whether as a covered entity, upstream business associate or downstream business associate. In some cases this relationship may be apparent, and in other instances it may require some analysis. With expanded business associate obligations, scrutiny and related exposure, it is more important than ever to recognize all business associate relationships and ensure that appropriate safeguards are implemented. With expanded business associate obligations, scrutiny and related exposure, it is more important than ever to recognize all business associate relationships and ensure that appropriate safeguards are implemented. 6
  • 7. Who is a HIPAA business associate? McDonald Hopkins Not a business associate Examples of businesses and individuals that are typically not considered business associates: • An individual who performs services as part of the workforce of a covered entity • A health care provider, to the extent that disclosures of PHI by another covered entity concern the treatment of the individual • A plan sponsor (such as an employer), with respect to various disclosures from its group health plan • Financial and banking institutions when performing only payment processing activities • A janitorial service performing traditional functions • Maintenance and repair personnel (other than working on systems holding PHI) • Conduits (e.g., U.S. Postal Service and its electronic equivalents) • Researchers (unless engaged to perform activities regulated by the HIPAA Rules) Typically a business associate Examples of service providers that are typically business associates when accessing or maintaining PHI, except when acting as members of the workforce of the covered entity or of another business associate: • Medical transcription companies • Answering services • Document storage or disposal (shredding) companies • Patient safety or accreditation organizations • Companies involved in claims processing, repricing or collections (e.g., medical billing companies) • Health information exchanges (HIEs), e-prescribing gateways and other HIOs • Cloud service providers • Third party administrators and pharmacy benefit managers • Data conversion, de-identification and data analysis service providers • Utilization review and management companies Sometimes a business associate Examples of service providers that are sometimes business associates, depending on the underlying relationships, whether they access PHI and the functions involved: • Accounting firms • Auditors • Law firms • Consulting firms • Software vendors and consultants • Financial institutions (if engaging in accounts receivable or other functions extending beyond payment processing) • ISPs and ASPs • Companies providing personal health records (business associate if providing personal health records on behalf of a covered entity) • Researchers (if performing HIPAA functions for a covered entity) 7
  • 8. © 2017 McDonald Hopkins LLC All Rights Reserved This Publication is designed to provide current information for our clients, friends and their advisors regarding important legal developments. The foregoing discussion is general information rather than specific legal advice. Because it is necessary to apply legal principles to specific facts, always consult your legal advisor before using this discussion as a basis for a specific action. Have more questions about who is a HIPAA business associate? Contact the author of this white paper: Rick Hindmand 312.642.2203 rhindmand@mcdonaldhopkins.com Questions about healthcare or data privacy and cybersecurity? Contact Rick or any one of these McDonald Hopkins attorneys: Richard Cooper 216.348.5438 rcooper@mcdonaldhopkins.com James Giszczak 248.220.1354 jgiszczak@mcdonaldhopkins.com Dominic Paluzzi 248.220.4356 dpaluzzi@mcdonaldhopkins.com