Healthcare providers and health plans, called “covered entities” (CEs) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), must manage their relationships with vendors that have access to personal data about patients, or protected health information (PHI). These vendors, known as business associates (BAs), have particular responsibilities under HIPAA, as do the CEs. Recent settlements that highlight the need for HIPAA-compliant BA agreements include Oregon Health & Science University’s $2.7-million agreement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR); North Memorial Health Care’s $1.55-million agreement; Raleigh Orthopaedic Clinic, P.A.’s $750,000 agreement; and the $650,000 HIPAA settlement that Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), a BA to six skilled nursing facilities, reached with HHS OCR after the theft of a CHCS mobile device compromised the PHI of hundreds of nursing home residents.
How to determine whether a vendor is a BA, ways to address disagreements as to whether a vendor is a BA, and the responsibilities of each party in safeguarding patients’ sensitive information are all common issues that both BAs and CEs face. Add to that the required and optional elements of a business associate agreement (BAA), and it’s a full-time job just keeping up with all the ways HIPAA regulates this relationship.
This session with healthcare attorneys Rick Hindmand, Esq., and Gerard Nussbaum, Esq., will provide physicians, healthcare attorneys, executives and administrators, and anyone working closely with HIPAA requirements with a balanced view of both the CE’s and the vendor’s or BA’s perspectives. Using real-world examples of challenges that CEs and BAs face, Rick and Gerard will teach you how to effectively address BA requirements under HIPAA and avoid becoming the next OCR settlement headline.
You will learn how to establish a rational and manageable approach to identifying business associates and how to comply with HIPAA requirements. Vendors will gain a better insight into the expectations of CEs and how to work with their customers to assure a smooth and efficient approach to protecting patients’ PHI.
This session will address relevant parts of HIPAA, the Health Information Technology for Economic and Clinical Health (HITECH) Act (part of the American Recovery and Reinvestment Act of 2009), and the HIPAA Privacy, Security and Breach Notification Rules.
Who Should Attend
- Jim Sheldon-Dean
Rick Hindmand, Esq. is a healthcare attorney with McDonald Hopkins LLC in its Chicago office, where he focuses his practice on healthcare compliance, reimbursement, data privacy, and corporate and transactional matters.