Avoiding an Expensive Mistake: Identifying and Managing HIPAA Business Associate Relationships

Ensure HIPAA Compliance by Managing Relationships with Business Associates That Access PHI

Healthcare providers and health plans, called “covered entities” (CEs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), must manage their relationships with their vendors that have access to personal data about patients, or protected health information (PHI). These vendors, known as business associates (BAs), have particular responsibilities under HIPAA, as do the CEs. Recent settlements that highlight the need for HIPAA-compliant BA agreements include Oregon Health & Science University’s $2.7-million agreement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR); North Memorial Health Care’s $1.55-million agreement; Raleigh Orthopaedic Clinic, P.A.’s $750,000 agreement; and the agreement of Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a BA to six skilled nursing facilities, with HHS OCR to a $650,000 HIPAA settlement after the theft of a CHCS mobile device compromised the PHI of hundreds of nursing home residents.

How to determine whether a vendor is a BA, ways to address disagreements as to whether a vendor is a BA, and the responsibilities of each party in safeguarding patients’ sensitive information are all common issues that both BAs and CEs face. Add to that the required and optional elements of a business associate agreement (BAA), and it’s a full-time job just keeping up with all the ways HIPAA regulates this relationship.

This session with healthcare attorneys Rick Hindmand, Esq., and Gerard Nussbaum, Esq., will provide physicians, healthcare attorneys, executives and administrators, and anyone working closely with HIPAA requirements with a balanced view into both the CE’s and the vendor or BA’s perspective. Using real world examples of challenges that CEs and BAs face, Rick and Gerard will teach you how to effectively address BA requirements under HIPAA and avoid becoming the next OCR settlement headline.

You will learn how to establish a rational and manageable approach to identifying business associates and how to comply with HIPAA requirements. Vendors will gain a better insight into the expectations of CEs and how to work with their customers to assure a smooth and efficient approach to protecting patients’ PHI.

This session will address relevant parts of HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act (part of American Recovery and Reinvestment Act of 2009), and the HIPAA Privacy, Security and Breach Notification Rules.

Session Highlights

• How to identify BA relationships and document the BA determination
• An overview of critical HIPAA basics
• How to manage access and exposure to PHI
• Business associate agreements – required and key optional terms
• How to address uncertainties and disagreements as to whether a vendor is a BA
• What a CE must do to properly supervise a BA
• Review key security safeguards
• Business associate breaches and HIPAA settlements
• How to handle notification from a BA that there has been a breach
• How to address vendors who provide services to BAs (down-the-chain analysis of subcontractor BAs)

Session Agenda

• HIPAA Basics – HIPAA background
  • Key terms
  • HITECH implications
  • Other laws and regulations
  • BA obligations
  • Security rule
• Business Associate (BA) relationship
  • Who is a BA
  • Documentation of BA relationship
  • The Business Associate Agreement (BAA)
• Business Associate breaches
  • Breach notification
  • HIPAA settlements
• Resolving BA relationship uncertainties
• Key security safeguards
  • Encryption
  • User management
  • Malicious activity detection
  • Integrity and availability
  • Insurance and indemnification
  • Risk analysis
• Supervising the BA
  • Leveraging third parties
  • Contractual terms and recourse
  • Striking the right balance
  • Incident response

Who Should Attend

• Physicians and other clinicians
• Medical office managers and staff
• Ambulatory surgery center administrators
• Nursing home and long-term care facility owners and administrators
• Administrators and owners of home health services agencies
• Health plan administrators
• Executives, managers and others involved with vendors providing services to healthcare providers or health plans
• Individuals and companies providing computer support services to healthcare entities
• Email and hosting services providers
• Directors of social services agencies
• Health system community provider relationship administration
• Cloud services vendors
• Attorneys, consultants and accountants representing healthcare providers, health plans and vendors

Order Below or Call 1-866-458-2965 Today