HIPAA Business Associate Compliance and Dangers

This webinar is for HIPAA Covered Entities (CEs) and Business Associates (BAs). Criminals increasingly focus cyber-attacks on BAs because one hit can give them access to the PHI of all the BA’s customers. The growth of serious BA PHI breaches affecting tens of millions of patients put the spotlight on BA HIPAA compliance, attracting HHS Office for Civil Rights investigations and aggressive private class action lawsuits filed within days of a breach targeting BAs and their CE customers. CEs that did nothing wrong can still be held liable to pay the same civil money penalty as their BA for the BA’s HIPAA violation under the Federal Common Law of Agency which is included in the HIPAA Enforcement Rule.

Simple steps, often overlooked but easy to follow, enable CEs and BAs to protect against costs and damage to their reputations caused by violations of HIPAA Rules that apply to BAs. The chain of HIPAA compliance starts with a CE. It extends to a BA that provides a CE with services involving PHI. And the chain of compliance continues on down to any subcontractors of a BA that perform services involving PHI. BA subcontractors are defined by HIPAA as BAs and are fully liable for compliance.

• CEs must obtain “satisfactory assurances” from each BA, documented in writing, that the BA complies with HIPAA before disclosing PHI to the BA or allowing the BA to create, receive, maintain, or transmit PHI on their behalf.
• BAs must obtain “satisfactory assurances” from each Subcontractor BA, documented in writing, that the Subcontractor BA complies with HIPAA before permitting the Subcontractor BA to perform services involving PHI.

This webinar explains the interconnected HIPAA compliance responsibilities and liabilities of CEs and BAs. HIPAA Rules that apply to both are easy to follow, step-by-step, when you know the steps.

HIPAA Rules that apply to CEs in dealing with BAs and that BAs must follow are discussed and explained including:

• Serious Business Associate HIPAA Violations

A brief review of current OCR BA Enforcement and Class Action lawsuits based on BA HIPAA violations

• Explanation of how HIPAA Rules apply to BAs
  • Security, Privacy, and Breach Notification Rules
• Business Associate Agreements and the Key Agency Issue – Don’t make your BA or Subcontractor BA your legal agent by mistake as many do
• CE Due Diligence for BAs and BA Due Diligence for Subcontractor BAs

Who’s in Charge? – Responsibility & Authority – Responsibility of Senior Management and Owners – Delegation of Authority for development and implementation of a BA HIPAA compliance program

CEs can find themselves fully liable for HIPAA violations committed by BAs and BAs for violations committed by Subcontractors under the little-known Federal Common Law of Agency. However, risks associated with BA HIPAA compliance can be managed calmly and confidently by following the HIPAA Rules that are easy to follow, step-by-step.

CEs should attend to see what to look for in Due Diligence, how to obtain HIPAA-required satisfactory assurances that a BA is complying with HIPAA, and avoid liability by inadvertently making a BA their agent.

BAs should attend this webinar to see exactly what they must do to comply with HIPAA Rules – Security, Privacy, and Breach Notification Rules. And what to look for in Due Diligence and how to obtain HIPAA-required satisfactory assurances that a Subcontractor BA is complying with HIPAA while avoiding liability by inadvertently making a Subcontractor BA their agent  

Covered Entities of all types who disclose PHI to BAs and allow BAs to create, receive, maintain, and transmit PHI on their behalf

Business Associates of all types including for example:

• Billing and Coding companies
• Practice Management Companies
• IT Vendors
• Data Storage firms (electronic and paper)
• Secure and unsecured providers of PHI email and text message services
• Vendors of patient satisfaction surveys
• PHI record retrieval and release of information vendors
• Law  and Accounting Firms
• Health Plan Third-Party Administrators
• CE Owner – CEO – COO Compliance Manager
• Board of Directors – for-profit and non-profit CEs
• Healthcare Practice Manager
• Administrator, Long-Term Care Facility
• BA Owner – CEO – COO
• Security and Privacy Officers
• Compliance, Information Security, and Risk Management Directors
• Business Manager
• Attorney – General Counsel, Associate General Counsel, Inside Compliance Attorney, Outside Health Law Attorney