HIPAA Business Associates: How the regulations are changing, and what you need to do right now

Why Should You Attend:

The new HIPAA Business Associate rules change the game for HIPAA compliance responsibility. Now BAs will need to be in compliance with HIPAA Privacy and Security protections, and must also treat all their contractors as BAs as well, meaning that new agreements must be established between parties that have not formerly been required to have formal agreements, and existing agreements must be amended.

In this webinar, we will discuss how responsibilities have changed and how the changes affect both Business Associates and Covered Entities. We will discuss what goes into a compliant HIPAA Business Associate agreement, including what's required and what's advisable to protect parties in the event of breaches. The new regulatory language for HIPAA business associates (as proposed) will be explained and discussed.

The speaker will cover what goes into a compliance plan, how to develop it and prepare for a HIPAA audit. The new HIPAA penalty structure will be discussed, including new criminal penalties for individuals involved with wrongful disclosures, new mandatory penalties for willful neglect of compliance (starting at $10,000 and going up), and the new, four-tier penalty structure and definitions.

Learning Objectives:

• Learn about the new requirements for HIPAA Business Associates.
• Find out what is changing in the regulations for Business Associates.
• Learn how the definition of BA has been significantly expanded.
• Learn what goes into a proper Business Associate Agreement.
• Find out about the new, higher enforcement penalties.
• Learn about the new violation categories.
• Learn about being prepared for a HIPAA Compliance Audit.

Areas Covered in the Seminar:

I. Old Ways, New Ways - Changes to the Rules

• Origins of Changes to Business Associate Rules
• New Definitions of Business Associates
• Contractors of Business Associates

II. New Requirements and Changed Requirements for HIPAA Business Associates

• HITECH Act Required Capabilities
• Required Amendments to BAAs
• BAA Provisions to Consider
• Transitioning to the New Rules

III. Enforcement and Audits

• New HIPAA Violation Categories
• New HIPAA Penalty Structure
• Preparing for HIPAA Audits

Free Handouts:

The CMS 2008 Information Request for Security Compliance Reviews form will be provided as an example of what might be asked in an audit.

Who Will Benefit:

• Information Security Officers
• Risk Managers
• Compliance Officers
• Privacy Officers
• Health Information Managers
• Information Technology Managers
• Medical Office Managers
• Chief Financial Officers
• Systems Managers
• Legal Counsel, and Operations Directors
• Medical offices, practice groups, hospitals, academic medical centers insurers, business associates (shredding, data storage, systems vendors, billing services, etc.)

Instructor Profile:

Jim Sheldon-Dean, is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a variety of health care providers, businesses, universities, small and large hospitals, urban and rural mental health and social service agencies, health insurance plans, and health care business associates. He serves on the HIMSS Information Systems Security Workgroup, co-chairs the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and co-chairs the WEDI HIPAA Updates and Privacy and Security Meaningful Use sub-workgroups. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at AHIMA national and regional conventions and WEDI national conferences, and before the New York Metropolitan Chapter of the Healthcare Financial Management Association, Health Information Management Associations of New York City, New York State, Virginia, and Vermont, the Connecticut Hospital Association, and the Hospital and Health System Association of Pennsylvania. Sheldon-Dean has nearly 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master's degree from the Massachusetts Institute of Technology.

Topic Background:

In the past, business associates of HIPAA covered entities were not directly covered under HIPAA and were required to conduct themselves only according to the contract with the covered entity being served. The American Recovery and Reinvestment Act of 2009 (ARRA) establishes new requirements for business associates (BAs) who handle the protected health information of covered entities under HIPAA. In addition, Federal Breach Notification requirements for health information directly impact the relationship of covered entities, business associates, and their subcontractors.

New HIPAA regulations proposed and expected to be finalized by the end of 2011 put HIPAA business associates and their subcontractors directly under the HIPAA rules and make them responsible for the privacy and security of the information they handle, as well as liable for violations under the rules. Now BAs will need to be in compliance with HIPAA Privacy and Security protections, and must also treat all their contractors as BAs as well, meaning that new agreements must be established between parties that have not formerly been required to have formal agreements, and existing agreements must be amended. And the business associate definition now is expanded to include entities such as health information exchanges, regional health information organizations, and e-prescribing gateways.

Under the proposed regulations, specific language must be incorporated in all HIPAA BA agreements, and ARRA requires that business associates can be subject to random compliance audits by the US Department of Health and Human Services. HIPAA breach notification requirements enacted in 2009 also apply to business associates, which means that all existing agreements must be examined to ensure that liability, indemnification, and notification are properly covered in the agreements.

Follow us :