New HIPAA Regulations Webinar Series:
Business Associate Obligations
Presented by
Stephanie Cason & Anthony R. Miles
Stoel Rives Health Care Group
HIPAA Regulations Webinar Series – Wednesday, February 13, 2013
Business Associate Obligations
Agenda
• Legal background and update
• BA or not BA? That is the question
– Who is a business associate?
– Who is NOT a business associate?
• Compliance obligations
• Consequences of non-compliance
• Contracting considerations
• Compliance checklist
Background
• Original HIPAA Statute applied directly only to Covered Entities
• HHS lacked authority to regulate or directly enforce HIPAA’s protections on Individually Identifiable Health Information in the hands of vendors to which Covered Entities disclosed it
• “Business Associate” (“BA”) concept created by HHS to force flow-down of Privacy Rule protections to vendors
Update
• The Health Information Technology for Economic and Clinical Health (“HITECH”) Act, Title XIII of the American Recovery and Reinvestment Act of 2009, P.L. 111-5 (2/17/2009), changed this landscape:
• Modifies HIPAA, making BAs directly responsible for compliance with certain parts of HIPAA
• Subjects BAs to direct enforcement for noncompliance
• Changes enforcement structure from complaint-driven to independent agency responsibility
• Includes nondiscretionary penalties
Update (cont.)
• Regulatory Developments
• August 2009: Interim Final Breach Notification Rule (74 FR 42740)
• October 2009: Interim Final Enforcement Rule (74 FR 56123)
• July 2010: Proposed Omnibus Rule (75 FR 40868)
• January 25, 2013: Final Omnibus Rule issued (78 FR 5566)
• March 26, 2013: Effective Date for Omnibus Rule
• September 23, 2013: Compliance Date for Omnibus Rule
• September 22, 2014: End of deemed compliance (transition) period for BA agreements not amended or renewed before the Compliance Date
Who is a business associate?
• Omnibus Rule significantly expands definition of BA
• Changed the first prong of BA definition
– From: “uses or discloses individually identifiable health information”
– To: “creates, receives, maintains, or transmits PHI”
Who is a business associate?
• Second prong of BA definition remains
mostly the same
– BA is someone who provides certain identified
services involving disclosure of PHI (previous
definition used IIHI)
Who is a business associate?
• Adds specifically included entities:
– Providers of data transmission services that require routine access to PHI
• Health Information Organization
• E-prescribing Gateway
– Entity that offers personal health records on behalf of a covered entity
– Subcontractor
Who is a business associate?
• Subcontractors
– Directly regulates subcontractors with PHI
– Includes anyone to whom a BA delegates a function, activity, or service and who is not a member of the BA’s or covered entity’s workforce
– Flows all the way down the chain
Who is NOT a business associate?
• Omnibus Rule excludes (under specified circumstances):
– Health care providers
– Plan sponsors
– Government agencies
– Covered entities participating in OHCA
– External researchers
– IRBs
– Financial institutions
– Contractors treated as members of the Workforce
Special Consideration
• Conduits not BAs
– Conduit = transportation but no access other than on an infrequent basis to support transportation
• U.S. Postal Service
• FedEx
• Internet Service Provider
– Limited to transmission services (whether paper or electronic)
– May store PHI temporarily, but must only have a transient (not persistent) opportunity to access it
Special Consideration
• Conduit does NOT include an entity that maintains PHI on behalf of a CE
• Applies regardless of whether the entity maintaining PHI actually accesses or views it
– Affects document storage companies
• Iron Mountain
• American Data Guard
– Implications for electronic archiving and cloud service providers
Special Consideration
• Business Associate status arises as a matter of law
– Not dependent on whether the parties have entered into an appropriate agreement
– BA independently subject to requirements, enforcement and penalties
– Absence of an agreement = instance of noncompliance for both BA and CE
Covered Entity Responsibilities
• Ensure appropriate contracts are in place with Business Associates
– BA Agreement for first-level BA
– Data Use Agreement (limited data set)
• Disclose PHI to, or allow a BA to create, receive, maintain or transmit PHI, only in accordance with the underlying services agreement or as otherwise permitted
BA Compliance Obligations
• BAs independently responsible for
compliance with:
– Security Rule
– Breach Notification Rule (especially 45 CFR
§164.410)
– Certain aspects of the Privacy Rule
• Only where provided in the standards themselves
– Contracting with Covered Entities and
Subcontractors
BA Compliance Obligations
• Limit uses and disclosures
– Pursuant to HIPAA (e.g., Minimum Necessary)
– Pursuant to business associate contracts
• Provide notification of breaches of unsecured PHI
• Provide copies of the designated record set to the CE or upstream BA to respond to requests for access
– Includes making records available in electronic form
• Disclose records to HHS for HIPAA investigation
• Provide accounting of disclosures
BA Compliance Obligations
• BA must contractually agree to the following:
– Safeguards for PHI
– Report impermissible uses and disclosures of PHI beyond just
breaches of unsecured PHI, including security incidents
– Ensure appropriate agreements with subcontractors
– Provide designated record set maintained in hard copy to
respond to request for access
– Make PHI available for amendment and incorporate
amendments
– Return or destroy PHI upon termination
• New model contract terms issued by HHS
BA Compliance Obligations
• BAs may NOT:
– Sell PHI without an authorization
– “Sale” includes indirect remuneration
– Excludes disclosures for
• Public health
• Research
• Treatment and payment
• Activities a BA takes on behalf of a covered entity, if made to or by another BA
Consequences of Noncompliance
• Independently subject to audit and enforcement action by HHS-OCR
• Statutory penalties apply even if the BA did not know and, exercising reasonable diligence, would not have known of the violation
• Contract termination
• Challenges in obtaining business from Covered Entities
Contracting Considerations
• Most provisions are still scripted by the regulations:
– New model contract provisions:
– http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• Long-standing drafting issues remain:
– Definition of PHI should be limited to information received from, or created, maintained, used, disclosed or transmitted for or on behalf of, the Covered Entity
– Provide notice of mundane “Security Incidents” (e.g., unsuccessful attempts such as pings or port scans) in the agreement itself
Contracting Considerations
• New issues for negotiation
– Indemnity
• Breach and notification costs
• Penalties
• Downstream noncompliance
– Responsibility for Minimum Necessary determinations
• Determine based on nature of services
• De-identification raises special issues
• Additional guidance forthcoming per HITECH § 13405(b)
– Data access and disclosure accounting
Compliance Checklist
Covered Entities should:
☐ Identify BA agreements to be renewed/amended before 9/23/13
☐ Prepare form of amendment for existing BAAs to include new required provisions
☐ Update existing BAA form to include new required provisions
☐ Evaluate whether other vendor relationships now require BAAs
☐ Review definition of marketing and “sale of PHI” and evaluate whether any existing BAA service agreements require amendment
☐ Revise BAA policies, procedures and training to address new requirements
Compliance Checklist
Business Associates should:
☐ Revise form BAA to include new provisions
☐ Prepare amendment for existing BAAs
☐ Inventory vendor and subcontractor relationships to ensure all have BAAs
☐ Revise/develop policies and procedures for compliance with Security Rule and applicable Breach Notification and Privacy Rule requirements
☐ Update and provide revised training
Resources
• Final Omnibus Rule
– https://www.federalregister.gov/articles/2013/01/25/2013-01073/modifications-to-the-hipaa-privacy-security-enforcement-and-breach-notification-rules-under-the
• New model BA contract provisions:
– http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
• HHS-OCR HIPAA FAQ Responses
– http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html
Questions?
Stephanie Cason
Associate
STOEL RIVES LLP
900 SW 5th Avenue, Suite 2600
Portland, OR 97204
Direct 503.294.9868
sacason@stoel.com
Anthony R. Miles
Partner
STOEL RIVES LLP
600 University Street, Suite 3600
Seattle, WA 98101
Direct: (206) 386-7577
armiles@stoel.com