Business Associates & HITECH Deep Dive
Joseph R. McClure, Esq. Legal Counsel, Siemens Medical Solutions USA, Inc.
WEDI Privacy & Security Co-Chair
October 4, 2013
Agenda
Business Associates & HITECH Deep Dive
● Who is a Business Associate ?
● Business Associate Decision Tree
● Specific Business Associate Examples/Issues
● Subcontractor Flow-Down Obligations and Implications
● Business Associates and the Privacy Rule
● Covered Entity Obligations with Respect to Business Associates
● BA Agreements and Transition Period Under the Final Rule
● Additional Resources
Who is a Business Associate?
● Final Rule: An entity that “…creates, receives, maintains, or
transmits [PHI] for a function or activity regulated by [HIPAA]…” on
behalf of a CE
● Final Rule expanded the definition of BAs to include:
● Health Information Organizations
● E-prescribing Gateways
● PHR providers on behalf of a CE
● Patient Safety Organizations
● Data Transmission Service Provider with routine access to PHI
● Subcontractors that create, receive, maintain, or transmit PHI
on behalf of BAs
● Subcontractor means a person to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of such BA
BA Decision Tree
1. Is Protected Health Information (PHI) being disclosed to a person or entity other than in the capacity as a member of the covered entity’s workforce?
● No → Business Associate Agreement is NOT needed.
● Yes → go to question 2.
2. Is the PHI being disclosed to a healthcare provider for treatment purposes (e.g., primary/referring physician, contract physicians or specialists, contract nursing staff, contract rehab staff, ambulance, home health, dentist, etc.)?
● Yes → Business Associate Agreement is NOT needed.
● No → go to question 3.
3. Is the PHI being disclosed to a health plan for payment purposes, or to a health plan sponsor with respect to disclosures by a group health plan?
● Yes → Business Associate Agreement is NOT needed.
● No → go to question 4.
4. Is the PHI being disclosed to a government agency pursuant to an official investigation (e.g., CMS, OCR, OSHA, FDA, Health Department, etc.)?
● Yes → Business Associate Agreement is NOT needed.
● No → go to question 5.
5. Is the PHI being disclosed to another covered entity that is part of an organized healthcare arrangement in which the originating covered entity participates?
● Yes → Business Associate Agreement is NOT needed.
● No → go to question 6 (continued on the next slide).
BA Decision Tree (cont’d)
(Continued from the previous slide)
6. Does the other person or entity create, receive, maintain or transmit PHI for a function or activity regulated by HIPAA, including: claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefits management, practice management, and repricing?
● Yes → Business Associate Agreement IS needed.
● No → go to question 7.
7. Does the other person or entity provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services where the provision of such services involves disclosure of PHI to the person or entity?
● Yes → Business Associate Agreement IS needed.
● No → go to question 8.
8. Will the other person or entity be able to access PHI on a routine basis, AND/OR is there a possibility that the PHI in the person or entity’s custody or control could be compromised (e.g., data storage vendor, document shredding company, or other, etc.)?
● Yes → Business Associate Agreement IS needed.
● No → Business Associate Agreement is NOT needed.
Entities for which a Business Associate Agreement IS needed because they are specifically included under HITECH:
● Health Information Organizations
● E-prescribing Gateways
● Data transmission vendors with routine access to PHI
● Personal Health Record vendors that offer a PHR to individuals on behalf of a covered entity
● Subcontractors that create, receive, maintain, or transmit PHI for or on behalf of a business associate
BA Decision Tree Considerations
● The BA Decision Tree closely follows the definition of “business
associate” at 45 CFR § 160.103.
● The tool will answer many questions, but just as the definition itself is open to different interpretations, it may still be necessary to supplement the analysis with other information.
● Organizations may still need to review additional guidance from
OCR regarding the kinds of organizations that are considered
BAs and when a BA Agreement may be needed.
● See Omnibus Final Rule Preamble Comments, Fed. Reg. Vol. 78, No. 17, pp. 5571-75, January 25, 2013: http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf
● See also Business Associate FAQs on the OCR website: http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/index.html#businessassociate
Specific BA Examples/Issues
● Conduit Exception (common carriers) – OCR focuses on:
● Transport of information – that may not necessarily be PHI
● Whether disclosure of PHI is intended by CE; and
● Whether the probability of exposure of PHI is low
● Records Storage Vendors
● Even though disclosure of PHI is not generally intended by CE
● OCR focuses on persistent custody and control of the PHI
● Cloud Computing Vendors that store PHI, but may have no ability to
access the PHI – this issue is still under additional review by OCR
● Janitorial/Custodial Service Providers
● Generally, access to PHI is not intended
● Other safeguards should be in place to protect the PHI
● Confidentiality Agreement may be recommended
Subcontractor Flow-Down Obligations and Issues
● BAs are required to execute fully compliant Business
Associate Agreements (BAA) with Subcontractors in the same
manner that CEs are required to execute BAAs with BAs
● Like the CE, if the BA is aware of a pattern or practice of its
Subcontractors that would be a material breach of the BAA,
then the BA must take reasonable steps to end the violation or
terminate the agreement, if feasible
● The Final Rule removes the obligation to report a material
breach to the Secretary of DHHS if termination of the
agreement is not feasible
● CEs are NOT responsible to execute BAAs with BA’s
Subcontractors – this is a flow-down obligation
Subcontractor Flow-Down Obligations and Issues (cont’d)
● How far down the “subcontractor chain” does the obligation to flow down continue?
● As far as PHI is being used or disclosed for covered purposes such that a subcontractor would be considered a BA
● Breach Notification Obligations
● BA must notify the CE upon BA’s discovery (without
unreasonable delay and in no event more than 60 days)
● Subcontractor must notify BA upon Subcontractor’s discovery
● If there are multiple levels, this flow-down would continue
● Ultimately, the CE (the highest level of the chain) is
responsible to notify the individuals and OCR
● BUT – if an agency relationship exists between any entities
at any level, discovery of the breach by a lower level entity
may attach to the entity that is the next level up
● How is “breach” defined in the BAA?
Agency Relationship Considerations
● The Final Rule makes clear that a CE is liable for the acts or
omissions of its BA acting within the scope of “agency”
● BAs are likewise liable for the acts or omissions of their Subcontractors acting within the scope of “agency”
● This means:
● An entity can be penalized for its agent’s violations
● Knowledge/actions of the agent will be imputed to the
principal (e.g., knowledge of a breach or other violation)
● Federal common law of Agency will govern whether an
agency relationship exists between the parties - regardless of
what the contract actually says
Subcontractor Flow-Down Obligations and Issues (cont’d)
Agency Relationship Considerations (cont’d)
● Whether an agency relationship exists will depend on the right or authority of the CE to control the BA’s conduct and performance, based on the right to give interim instructions
● Agency Consideration Factors
● The time, place and purpose of the BA’s conduct
● Whether the BA engaged in a course of conduct subject to
control by the CE
● Whether the BA’s conduct is commonly done by a BA
● Whether or not the CE reasonably expected that a BA would
engage in the conduct in question
● This will be a fact-specific analysis and in some cases an
agency relationship may exist simply based on the nature of
the relationship between the CE and BA
Business Associates and the Privacy Rule
Privacy Changes Under Final Rule that Impact BAs
● HITECH does not impose ALL Privacy Rule obligations upon a BA
● BAs are subject to direct enforcement of HIPAA Privacy obligations
and penalties in the same manner as a CE, BUT only to the extent
required under HITECH – not the HIPAA Privacy Rule itself
● Disclosure of PHI must be kept to a limited data set or the minimum necessary
● Health Provider must honor a request by an individual to
restrict disclosure of PHI to a Health Plan if the individual pays
for associated service out-of-pocket in full
● Individual has right to a copy of PHI in an electronic format
● Sale of PHI prohibited unless authorized by individual
● Certain marketing communications require authorizations
Covered Entity Obligations with Respect to Business Associates
● Is the CE required to audit/monitor its BAs?
● According to OCR, a CE is not required to audit or monitor its
BAs – however, if the CE is aware of a pattern or practice of
the BA in violation of the BAA or HIPAA, the CE must take
reasonable steps to cure the breach or end the violation
● The CE is not required to obtain copies of the BA’s agreements
with the BA’s subcontractors
● CE is not obligated to report violations of the BA to the Secretary
● CE may delegate its HIPAA obligations to its BAs
● The BA is directly liable for compliance with its own direct
obligations under HIPAA and contractually liable to CE for any
other privacy obligations it contractually assumes for the CE
● For example, a BA is not directly obligated under HIPAA to
provide a Notice of Privacy Practice – BUT if the contract with
the CE delegates this HIPAA function to the BA, the BA is
contractually liable to CE to do so in compliance with HIPAA
BA Agreements
BA Agreements (BAAs): Required Provisions
● HITECH stated that required provisions “…shall be incorporated into the business associate agreement…”
● Many CEs and BAs amended BAAs to track the HITECH statutory changes by the statutory compliance date of 2/18/2010
● If an existing BAA is already compliant, a new BAA is not needed
● Final Rule clarified FOUR provisions required to be in BAAs to be compliant with HITECH. The Business Associate must:
1. Comply with the HIPAA Security Rule
2. Report to the Covered Entity any breach of unsecured PHI
3. Enter into BAAs with subcontractors imposing the same obligations that apply to the Business Associate
4. Comply with the HIPAA Privacy Rule to the extent the Business Associate is carrying out a Covered Entity’s Privacy Rule obligations
BA Agreements (cont’d)
Preparing to Amend BA Agreements
● For HIPAA compliant BAAs executed prior to publication of the
Final Rule (1/25/2013) – Entities may have up to 1 additional
year beyond the 9/23/2013 Compliance Date
● BAAs executed PRIOR to 1/25/2013 that are not set to
terminate or renew before 9/23/2013 – These must be compliant
by the earlier of the renewal date or 9/22/2014
● For new BAAs executed AFTER 1/25/2013 or existing BAAs
scheduled to be renewed before 9/23/2013 – The applicable
compliance date is 9/23/2013
● OCR maintains sample BAA provisions on its website at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html (updated 1/25/2013)
Additional Resources
● WEDI BA Decision Tree: http://www.wedi.org/forms/uploadFiles/35FE7000000DC.filename.7.26_BA-Decision-Tree_V2.pdf
● WEDI Omnibus Final Rule Impact Assessment Tool: http://www.wedi.org/forms/uploadFiles/35FE400000143.filename.7.26_HITECH_PS_Omnibus_Final_Rule_01-2013.pdf
● OCR Security Rule Guidance: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
● OCR Enforcement Audit Protocol: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
● NIST HIPAA Security Rule Tool Kit: http://scap.nist.gov/hipaa/
Questions?
Thank you for your attention!
● Joseph R. McClure, Esq.
Legal Counsel
Siemens Medical Solutions USA, Inc.
WEDI Privacy & Security Co-Chair