Enhance Your Business with Reliable Online Signature Legitimacy for Business Associate Agreements
- Quick to start
- Easy-to-use
- 24/7 support
Simplified document journeys for small teams and individuals

We spread the word about digital transformation
Why choose airSlate SignNow
- Free 7-day trial. Choose the plan you need and try it risk-free.
- Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
- Enterprise-grade security. airSlate SignNow helps you comply with global security standards.
Your complete how-to guide - online signature legitimacy for business associate agreement
How to Ensure Online Signature Legitimacy for Business Associate Agreements
Business Associate Agreements are crucial documents that require secure and valid signatures. By using airSlate SignNow, you can ensure the legitimacy of your online signatures for these agreements. Follow the steps below to sign and send your documents with confidence.
Step-by-Step Guide:
- Launch the airSlate SignNow web page in your browser.
- Sign up for a free trial or log in.
- Upload a document you want to sign or send for signing.
- If you're going to reuse your document later, turn it into a template.
- Open your file and make edits: add fillable fields or insert information.
- Sign your document and add signature fields for the recipients.
- Click Continue to set up and send an eSignature invite.
airSlate SignNow benefits businesses by providing an easy-to-use and cost-effective solution for sending and eSigning documents. With features tailored for SMBs and Mid-Market, it offers a great ROI with its rich feature set. Additionally, the transparent pricing and superior 24/7 support make it a reliable choice for businesses of all sizes.
Empower your business with airSlate SignNow today for secure and efficient online document signing!
- Best ROI. Our customers achieve an average 7x ROI within the first six months.
- Scales with your use cases. From SMBs to mid-market, airSlate SignNow delivers results for businesses of all sizes.
- Intuitive UI and API. Sign and send documents from your apps in minutes.
FAQs
- What is the importance of online signature legitimacy for business associate agreements?
  Online signature legitimacy for business associate agreements is essential because it ensures compliance with regulations such as HIPAA. A legally binding electronic signature gives businesses the confidence that their agreements are enforceable and recognized in court. This enhances legal security while facilitating seamless collaboration.
- How does airSlate SignNow ensure online signature legitimacy for business associate agreements?
  airSlate SignNow employs advanced encryption and secure storage methods to ensure online signature legitimacy for business associate agreements. This means that your signed documents are protected from unauthorized access and tampering, making them legally viable. Our platform complies with eSignature laws such as ESIGN and UETA for additional peace of mind.
- What features does airSlate SignNow offer to support online signature legitimacy?
  airSlate SignNow offers features such as audit trails, document tracking, and customizable workflows that bolster online signature legitimacy. These tools help you monitor the signing process and verify the identity of signers. This ensures that your business associate agreements maintain their legal standing and integrity.
- Are there any additional costs related to online signature legitimacy for business associate agreements?
  airSlate SignNow provides a transparent pricing structure that includes the costs associated with ensuring online signature legitimacy for business associate agreements. You can choose from various plans based on your business needs, with no hidden fees. This makes it an affordable option for small to large enterprises.
- Can airSlate SignNow integrate with other platforms for managing business associate agreements?
  Yes, airSlate SignNow integrates seamlessly with various platforms such as CRM, project management, and accounting software to help streamline the management of business associate agreements. This integration supports a smooth workflow by allowing you to initiate, track, and manage your documents in one place while maintaining online signature legitimacy.
- What benefits does airSlate SignNow provide for businesses needing online signature legitimacy?
  By using airSlate SignNow for online signature legitimacy, businesses enjoy faster turnaround times for signed agreements, improved compliance, and enhanced security. The platform simplifies the entire eSigning process, allowing you to focus on growing your business while ensuring your agreements are legitimate and legally binding.
- Does airSlate SignNow support mobile use for signing business associate agreements?
  Absolutely! airSlate SignNow supports mobile usage, which allows users to sign business associate agreements from anywhere at any time. This flexibility is crucial for maintaining online signature legitimacy, as it enables prompt and efficient document handling, ensuring that your agreements are executed without delays.
How to eSign a document: online signature legitimacy for Business associate agreement
hello and welcome to our webinar on understanding HIPAA compliance requirements for business associates and uh this has been an interesting subject actually and I appreciate it all all of you to have uh come for this webinar and taken out time from schedules especially uh you know this is literally the peak working times so thank you again for being there and um I'll try and make this as much as worth your while and thank you again for uh participating and and be if there is any issues in the volumes or in the audio or something please do drop a line and and my team is there to help sort this out uh at the earliest that is anyway moving ahead so the topic is covered today is what has been given to you in the invite that is uh what is the business associate or who is a business associate and um you know of course I'll be starting off with a base on HIPAA and what is a business associate agreement and how does apply to a business associate and compliance requirements for business associates and what happens when you fail to comply so again so this is going to be very very interesting and um you know in case you're wondering uh how come a topic on you know business associates for HIPAA and what about covered entities or subcontractors and stuff so um as you if you've attended have webinars in the past uh we always have in you know towards the end there's a survey and you can put in your topic uh for what you would like to be covered in our webinars and we've been doing this for like five years now and we always have interesting subjects that we take up in our webinars so most of the time it is people like yourself who have recommended topics that you want to take and this is one of the most uh you know requested topic so here we are with that so thank you again uh so again uh in case you have you are attending any CP points uh please to attend the webinar and you get one CPE and but you need to attend this till the end so that in case there is a query we can respond 
to it and just to be clear we don't issue any certificates because there are just too many people attending and uh you know we can't really issue certificates to everyone takes up a lot more time and effort on this so but you can retain it and we are training your participation you can always submit it online when you are giving the entries for the CPE and in case there is an audit or a query on that they can write to us and we'll respond likewise all right so going ahead and of course our YouTube channel on the internet and you can look it up and it's a number one channel for compliance resources on PCI DSS HIPAA gdpr soccer and software ethical hacking we have more than 2500 subscribers and uh you know uh you should go to that you can just search in YouTube with time for a sec and uh you can sign into our official Channel and do subscribe and click on the Bell icon don't do half work just click on the Bell icon so you can then get updates because almost every week we issue a new video all right so as you go along do type in your queries in the query box and uh I'll take it up you know uh in life mode and there are many a time there are just too many queries and uh so I'm not able to take it off immediately so in that case I will definitely write to you back all right so going ahead as a company just this is a brief we are there across the world we are there in U.S Canada UK India Singapore and we are as a company only into cyber security and uh you know multiple services that we do like PC ideas many things to do we don't sell any production or Hardware in a software purely into Audits and compliance areas uh okay that's about me I've been like um this is me okay most of you uh okay let me check the attendees okay quite a few of our clients are there all right so um you know I've been there for almost 30 years now um more than 25 other actually and uh 28 something I guess as I remember anyway and so for the past 16 17 years I've been running my company with Stein 
for a second they are primarily into um Services uh you know like um HIPAA gdpr soccer and soft two PCI DSS and stuff anyway so jumping directly into the content these are some acronyms that we will be using so uh ensure that you are aware of this so that you know you're not wondering what does this mean so Phi would be protected health information this is like uh definition from uh HIPAA in itself and the CE covered entities ba is business associate as I'll be taking and then there's some something called as a baa business associate agreement and so this is the agreement that you sign with the business associate and there is office of civil rights and of course Health and Human Services HHS so these are various departments in the hippo terminologies or the law quadrants as you can say uh moving ahead all right so uh a brief a brief uh background to HIPAA and what it means and what it carries with it so so the delivery of healthcare is a complex anywhere and over the years there's been a few issues also with it and many a Time third parties need to to access the health care you need to perform functions or services for healthcare entities like um we have a few clients who are into um you know helping out companies or organizations in or hospitals for that matter into managing patient information or they are just hosting the online platforms which are used by hospitals for uh you know managing the the client the patient information by insurance providers to keep track of the various uh you know um insurance claims by or by third party agents tpas and insurance agreements in inch by uh by uh organizations so even these service providers have been a client so these are the third parties that need to access and many a time uh those organizations are uh um you know form as a conduit for breach of very sensitive confidential um you know Healthcare information so that's where uh HIPAA health insurance portability and accountability act were was devised so um now 
historically it's been regulated uh regulated business associates by requiring covered entities to manage them through contractual uh relationships so this is the antecedent to a webinar so uh the covered entities are the directly like the hospitals and the insurance uh agencies organizations or the covered entities and then there are business associates that work with the uh covered entities and of course okay uh if you need some more background to HIPAA and some more Base information on HIPAA do visit our YouTube channel and what can happen is uh once you visit the channel there is a entire playlist on HIPAA um go there and you will see uh you know quite a bit of information quite a bit of webinars covered from the HIPAA perspective and uh you can go through it and that will give you some background to HIPAA and so that said okay I've got Lucy asking for the link all right no no worries ask and you shall receive and for the sake of everyone that's our YouTube channel you go there you go to uh the playlist for HIPAA and there are lots more videos you can visit our website um I've put in my website link also you can go there and uh you can go into blog there's an entire section on HIPAA and there is more than a dozen articles that you purchased that you have published on our blog and various uh you know International magazines which you'll find the links over there so they'll cover a lot of Basics and even intricate topics on HIPAA anyway so coming back to the topic so in 2009 Congress made business associate directly accountable to Regulators for compliance right so earlier it was the Congress had only mandated covered entities and it made their problem to manage their business associates but from 2009 onwards Congress made business associate directly accountable to The Regulators where earlier it was not so uh and these changes and then more updates are done to the HIPAA regulation they are finalized by 2013 right and uh all right once like somebody's again asked 
me for my website uh one sec all right that's my company website again so I hope this helps anyway moving ahead okay so then um just to give a background on this again Hippa was formulated in 1996 so it has been a very very long journey for HIPAA right so it was regulated the the compliance was regulated by the Department of Health and Human Services HHS and then enforced where the OCR office of civil rights is a background to it okay and one sec all right so HIPAA compliance requires business associates to and covered entities to follow set rules that are internet to protect and secure protected health information and so again there is a definition for what is covered under uh health information and what is not and there is a provision for anonymized um you know or masked health information that is not covered under the purview but as I said I cannot get into the basics of HIPAA at this time I really encourage you to visit our YouTube and then get into the playlist of HIPAA and there are some basic uh you know interactive topic also over there so again the this regulatory requirement was introduced to protect the Privacy security and integrity of protected health information um now not every organization is subject to HIPAA regulation so there is some requirement in the sense that uh no matter you know if you're if you are in touch with uh anonymized information or you are uh you know directly not getting access to Patient personal you know health information so in that case there there this cannot be applicable to you this law is not applicable to you this regulation is not applicable to you and also not all HIPAA rules apply to every uh organization so it could be that uh you know there are the you you are some some requirements are simply not applicable to you like any any standard with whether it is PCI or sock one or software even ISO for that matter there are uh you know based on your business um you know business process there could be some uh you know 
requirements which are not applicable to you so you need uh to have a proper review of your systems to confirm as to what is applicable to you and what is not happening to you all right so uh for example in some cases you might not directly be able to access uh you know um the health information so we have some clients wherein what they're doing is they are directly logging on to the client information to the client uh location like the hospitals and insurance agencies and then processing the information over there nothing comes back to them like there is we have clients where literally nothing no uh client information or health information enters their premises so in that case you know um protecting or you know stored Healthcare information simply doesn't apply to them right so in that case only the the transmission part or protecting information in transit might apply to them but data in dim as it is called Data in motion might uh might be applicable to them and data at rest which is stored information would not directly be applicable to them so this is just an idea of some regulation which might not be applicable to everyone so based on your business processes uh you know it could be that um more strict or less strict rules are applied applied to you based on your roles and responsibilities right and so um as per HIPAA as per the HHS Health and Human Services Hippa is applicable to everyone whether you are a covered entity or a business associate or a subcontractor business associate all it is applied to everyone right so there are no exceptions wherever it goes it's applicable right so um okay now who needs to comply with health information so these are just some examples so Healthcare Providers including doctors clinics hospitals psychologists chiropractors nursing home pharmacist dentist so uh even the small doctors having small practices HIPAA is applicable to them so it is um you see from the beginning of this webinar I've only been speaking about hospitals 
and insurance agencies um so it's not just only and only them it doesn't mean that only it is applicable to them anywhere where a patient information um is traveling or is there they are HIPAA is applicable to them right and even the health health plans which could be health insurance companies hmos company Health Plan providers government programs such as Medicare and Medicaid everyone it is applied and the last category is where the the bulk of uh you know hippopotic already comes because all these hospitals and insurance agencies or even for that matter Healthcare Providers have to have numerous hundreds upon hundreds of third-party service providers like billing service providers repricing companies Community Health uh you know a management provided us information system providers value-added Healthcare Services telecommunication providers transcription like um you know I I remember when this Outsourcing boom happened in the you know early 2000s from that time you know um late 90s early 2000s and the one of the first things that that is that will happen at that time from that time itself was the medical transcription so doctors were uh you know their their prescriptions were scanned and sent and there would be some agencies in an organization sitting in countries like India or Philippines and other countries where they'll be sitting and basically be transcribing those information that is scribbled on notes into uh you know the systems online you know so even those come under it right uh oh oh man okay sorry Melissa and uh okay I think I stopped my for some reason my my slides had Frozen I'm sorry about that oh man okay is it just uh from getting back to the slide to the slides perspective all right so um okay this is what I had covered I'm sorry about this okay this is what who needs to comply with the healthcare providers and uh this is what was being shown online I'm sorry again my for some reason my slides have frozen but there it is so thanks for flagging 
it and do keep me posted in case you are facing any issues in seeing the content all right uh so thanks again and so okay who needs to comply with HIPAA that you can see and now coming to the core as to who is a business associate like we had seen earlier that there was uh even though you know the business associate and what is the business associate so a business associate is a uh individual or an organization please pay attention to this it can even be an individual having maybe one or two uh you know companies in the back end and they are providing some information or give you a single person also providing some information or some uh support to a covered entity and perform certain activities on their behalf and involves them in accessing the uh Phi which is for processing storing of disclose protected health information Phi the full form protected health information and so um it can even be see as I've given in my previous Slide the healthcare Clearing Houses or organizations which is providing back-end support to the healthcare providers or Healthcare Health Plan Health Plan providers so a third party size provider is considered as a HIPAA a business associate only when it gets Phi for a service that's providing to the covered entity okay so any and all what I'm trying to say my friends is that any and all third party service providers are not considered as a HIPAA business associate all right so it is not that anybody and everybody who's maybe providing say catering information a catering services or maybe um you know desktop support services or any of those type of maybe supplying some Hardware or software to organizations or maybe doing some software development for organizations without uh to a covered entity like a hospital or an insurance provider with no direct access to the information uh the the uh so any and all third party providers of covered entities do not fall into the category of a business associate unless they have access to Phi right um and 
this is the third part the this is actually what you've done is that you've taken up many of those FAQs or those questions that you get from our clients so all those people who are working at those hospitals and chiropractic clinics or doctor clinics or insurance providers they are not a business associate so a third party service provider who has access to Phi is called as a business associate okay so uh since business associates use Phi uh just like a covered entity they too are required to come to comply with many of the outline HIPAA requirements so HIPAA also sets a standard for how Phi should be kept private and secure um you know within the healthcare industry and even by the third party service providers so I hope you are getting just to summarize this a business associate uh is a third party service provider who has access to the Phi for a service that it is providing to the peer to the covered entity right so uh now since it will have the same information that the covered entity has access to so HIPAA requirements that is required to be done by the covered entity are required to be covered done now by business associate also right and these are some examples of business associates so uh you can you can see the listing there is uh medical billing companies Law Offices accounting firms trading Services IIT vendors health insurance companies medical transcription companies collection agencies IIT Consultants anyone right so um what do I mean by uh let me give an an obtuse uh an example for example a few of our clients you know what they're doing now they're providing a very valuable service that is they are to these hospitals and even to you know insurance companies they are providing uh you know server support services desktop support services or patching services or Incident Management Services or database Management Services so they do not directly have access to the card to the uh you know uh to the Phi protected health information they are providing all 
these Services remotely and they don't have access to the database also but because they are providing a critical service that can impact the security of a covered entities you know environment they are also required to be coming they are also called as a business associate and they need to comply with the HIPAA requirements all right so um now coming coming to the next thing a subcontractor business associate so what happens is a covered entity is like all those um you know medical service providers doctors Physicians chiropractors psychologists or whatever and on of course hospitals and insurance agencies third party uh you know sorry TPA third party agencies for the the insurance providers all those companies so they have service providers called as business associates now those business associates might further delegate some activity to an outside agency it could be simply like you know managing their infrastructure or maybe Outsourcing a part of that activity that it is supposed to be providing to the covered entity to further down chain right so that's a subcontractor business associate so just as a business associate subcontractors to have to comply with the same HIPAA requirements right so just as a business associate is expect to assign a baa that is a business associate agreement with the business covered entities in the same way in the the the the down the chain the third level second fourth level or whatever business associate subcontractors are also expected to sign a baa with their business associates right so many a time a business associate for some covered entity can be a business Associated and for some other cover as uh government entity can be a subcontractor business associate because there is someone else above him or Upstream right so some examples of business associate subcontractors are accountants attorneys Email encryption providers file sharing and shredding companies IIT vendor so it depends where in the chain are you it can be the same 
services that a business Associated is providing but if you are one level down the line you're a subcontract right so there is not uh you know so the same thing as we had seen earlier there cannot be uh uh you know it could be if I take it in this way that a backup storage vendor if a backup storage vendor is directly providing a service to the covered entity he uh that organization will be a business associate but if now this organization is providing to business associate or for covered entity then that organization becomes a subcontracted business associate okay so how does HIPAA rules apply to business associates so by the law the primary the HIPAA privacy rule applies only to the covered entities but since most of the healthcare providers and Health Plan providers Outsource their their functions to a third party now uh you know it is this Privacy Rule allows the cover entity to disclose to the business associate that is the outsourced vendors but then there has to be some sort of an assurance that the business associate is uh you know giving or treating that data with the same level of seriousness if not more that is provided by the covered entity so the currently the hipaa's Privacy Rule security rule Beast notification rules are applicable to everyone that is a covered entity and the business associate so here is now we look at the breakdown for each HIPAA rule for the business associate these are a few things uh this is like a mine of information I cannot get into each one of them but this gives an idea about what tools apply how what uh you know hipparu's applied to business associates also all right uh so the HIPAA security so security rule applies to both business covered entities and business associates so this includes everything right the administrative technical physical safeguards everything applies to the covered entities and business associate Privacy Rule there is some uh you know uh exceptions over here now privacy rules except for a few 
mentioned in the security room um it's it's not fully applicable to a business associate so a covered entity might say um you see Let me Give an example so the The Collection mechanisms and managing or ensuring that the data is fully complete and error free and all those things might not be the role of the business associate but is expected to be done by the covered entity but what is going to be the ruling provision over here will be the agreement that is shared between the current entity and the business associate wherein the covered entity makes clear what is the roles and responsibility of the business associate now my friends this is a two-edged sword right so I give this as a note of a warning to both the covered entities and the business associate to be very careful what is required to be done as a roles and responsibility you can have a good RAC irrc chart wherein you identify what will be the rules and responsibilities or covered Equity or the business associate let there be no open-ended Provisions or requirements be very clear because if it is not clear um you know it will be like a ping pong thing in case something goes wrong and in more cases than not it could be the covered entity's responsibility to have not clarified very clearly to the business associate what are the requirements right so if you're a covered entity be extra careful because if you are not specifying the rules very clearly to a business associate you will not be able to uh you know defend yourself in case unfortunately God forbid there is a require there is an issue or a breach similarly uh if you are a business associate be very careful on what has been written in the business associate agreement in case it is much more an overbearing so in that case you might end up taking more risk then you have actually signed for it could be that there could be some Provisions that the covered entity is doing but has put up still some responsibility on your head so be very clear on the Privacy 
Provisions that is being expected from you so Privacy Rule would even apply in case the business associate has a subcontractor and another subcontractor below it so the longer the chain the Privacy Rule from the covered entity should be the uh the The Benchmark uh you know of what is required from a baa and the subcontractor business associate agreement that is signed up down the chain now Bridge notification that you know under this HIPAA requires that HIPAA covered entities should ensure that the business associate complies with the bridge notification rule now in as per the Omnibus rules I will there's a slide on this going ahead uh the business associate has to report to the covered entity of any sort of breach it has to be done within 60 days of when you became aware or new or should have known about the breach so uh you cannot say oh there was an alert coming but I never saw it that's not going to fly so within 60 days which is a very big time actually for you to even ensure that things are actually a breach and not really a false alarm and that notice must include all the details the covered entity needs of reach reporting and as per the agreement be the the business associate may require expirating notice or more direct involvement in the breach response so don't wait for 60 days in that sense right and the sooner you report it the better it is for you it shows due diligence on your behalf now since I mentioned the Omnibus rules which is like an overarching requirement and the Omnibus rules was basically passed to strengthen the protection of the Phi especially in electronic form as well as give patients more access to the health information now this rule Omnibus rule was basically passed to ensure that you know earlier the only people whose head was there on the guillotine was a covered entity right and whose head was online but now with the Omnibus amendment being done to HIPAA even the business associate and their subcontractors and their subcontractors 
all are directly liable to the human uh you know Health and Human Services Department to the office of civil rights for any negligence or issues so it is not just a covered entity but the entire chain comes in question so some of the privacy rules and security Now apply directly to the businesses associate instead of going via the uh you know the covered entity so um this is a note of warning again that I can give to the business associate and the subcontractors so let not the you know just look at the covered entity what has been written in the agreement or the business associate agreement that we have there are some requirements that is applicable directly to you so in case there are something that is the covered entity has not written in your in the agreement but it it is directly mentioned for you as per the HIPAA regulation then you better be doing it you cannot say it was not documented so I didn't do it right so ensure that a good review is done of your processes as as per the entire HIPAA security rule Privacy Rule breach notification rules and within that the administrative technical physical safeguards everything all right and so um Omnibus as you know that's a great statement Omnibus ruled legitimately enforces this requirement upon business associate Beyond simply signing a business associate agreement right so by with this the the the business associates and their contractors can we directly be fined penalized audited by the DHS and the HHS that is Health and Human Services Department of Health and Human Services so it's uh without without going through the covered entities right so it is not just the covered entities on the line now everybody's response what is the business associate agreement it's a contract between the health HIPAA covered entities and their business associates or subcontractor which outlines a type of Phi being released to the business associate and the permitted users or and disclosures of Phi weather business associate so HIPAA 
also permits covered entities to disclose PHI only to help the covered entity carry out its business. So all the data that's shared has to be on a need-to-know basis. Now, the disclosure of PHI is permissible only under a signed BAA contract. So without a BAA contract, a covered entity is not allowed to share any information with any sort of associates or contractors. So in this agreement, all the roles and responsibilities, obligations, what can be done with the data, what has been disclosed, how the data should be secured, everything should be covered. And HIPAA requires that covered entities only and only work with those organizations or business associates with whom they have signed an arrangement, right? Without a contract, without a business associate agreement, a covered entity is not allowed legally; it's illegal to work with a business associate.

Now again, with the HIPAA Omnibus Rule, this requirement extends to the business associates also. So now business associates cannot have subcontractors without an agreement in place. So with the Omnibus Rule, the OCR, that is the Office for Civil Rights, could directly audit the business associates on non-compliance and directly catch them by the neck in case they have worked with subcontractors without an agreement in place, or without taking into account the provisions of the BAA that they have signed with the covered entity.

Let's go on. The HHS, the Health and Human Services, on its website is very clear. This is what is written: the Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the PHI it receives or creates on behalf of the covered entity. All this has to be in writing, in the form of a contract or agreement between the covered entity and the business associate. Well, this has to be fairly exhaustive, and you had better go in for some legal counsel, or go in with some consulting organization which has got a good background in formulating such agreements. And at the same time, the business associate should also be very clear as to what will happen in case they fail to comply with the requirements of HIPAA. Remember again, as per the Omnibus Rule, the OCR, or the Office for Civil Rights, can directly catch, audit, and penalize business associates without going to the covered entities. Now again, for a covered entity, without having an agreement in place, they can be penalized; it is illegal, as I said earlier.

So let's assume you are a business associate, and for some reason (okay, I'm just making this obtuse thing up) the covered entity, for some weird reason, has not signed the agreement with you. Does that mean that you are all scot-free and nothing will happen? Absolutely not. First of all, yes, the covered entity will be in trouble from the OCR, the Office for Civil Rights, but at the same time you are expected to comply with the HIPAA Security Rule even if there is no agreement in place. Even if there is a violation, you will be held accountable, you will be held responsible, you will be penalized by OCR, that is, the Office for Civil Rights.

Now, at the same time, if I turn the tables around: the covered entity, in case you sign an agreement with the business associate, that doesn't mean you are scot-free, and if anything happens you can simply wave your hand and say, "Go talk to my business associate; they made a mess." Now remember, with outsourcing the key is that you might have given someone the responsibility of doing a task, but the accountability is still with you. In case there is a breach, the OCR and the HHS can definitely ask you what your due care and diligence steps have been to ensure that your business associate is adhering to the requirements
of the BAA, right? How did you ensure that the business associate was HIPAA compliant prior to entering into an agreement? Like, this is so interesting. Just a few days back, I think two days back rather, we had this call. I got a call in the middle of the day, and there was this guy who was very desperate on the phone. He wanted to sign up with us because he needed somebody to help them get their agreements in place, check their compliance, and issue the audit report so that they could sign up a large contract, apparently with a healthcare provider. So the covered entity has to check that their providers are sufficiently HIPAA compliant.

Now, what should be included in the business associate agreement? That should be: what is permitted for use and disclosure, what can be done with the data; limitations on use and disclosure, so in case they get into an agreement with a subcontractor, what can they do with the data, what can they disclose to outside entities or not; then security and safety requirements, safeguards for PHI and for ePHI (ePHI would be the electronic form, so PHI could even be printouts, all right); how to report unauthorized use and disclosure; how to report security incidents; the breach notification requirements, like you may say that even though the HIPAA requirement is 60 days, "I want it reported to me within, say, five days," that is your call; then requests for copies of PHI, in case there is an issue, whatever is stored with them; then whether they are permitted to have subcontractors, and if there is a subcontractor, what is allowed under subcontracting; access to the PHI and the limits and grants on it; then amendments to the PHI, what can they do as an amendment to the PHI records, and the records they have for the Secretary; how to return or destroy the PHI at termination of the contract; and termination provisions. Then, look at the fourth point, right: delegation of covered entity duties. So if you are a covered entity and you are getting a BAA in place, in that case, what sort of duties of yours have you delegated to the BA, the business associate? That has to be very clear, so the BA, the business associate, knows very clearly what it is getting into.

So, non-statutory provisions often incorporated in the BAA: that could be management and administration requirements, how the data aggregation is happening, the insurance coverage (like you might say, as a covered entity, that you need to have so much and so much insurance in place), and of course the privacy laws and requirements, because the Privacy Rule might not fully apply to the business associate that's there; and then of course the time frames, and anything else that could be there. It could be non-disclosures, it could be the skill sets of the people who would be working on the data. You might mandate some specific network architecture, like you may say that your business associate should set up a dedicated network zone for himself for your work, or it could be an air-gapped network, or maybe you want them to use a specific type of VPN, or maybe two-factor, or a specific type of encryption. So all these are non-statutory requirements that can get incorporated in the BAA.

And then, what could be the failure points for the BAAs, the business associate agreements? First of all, we have seen this so many times: covered entities assuming that since they have signed a BAA, that means there is compliance in place. Now, even if you are a covered entity or you're a business associate, if you are signing up for outsourcing downline (so if you're a covered entity, then associating with a BA, or if you're a business associate, then subcontracting it to a subcontractor, being a business associate), in that case, assuming that
they are already HIPAA compliant? No. It's your responsibility to confirm and get the acknowledgment in writing that they have got HIPAA compliance in place. I would suggest you ask them for their audit reports, for their compliance attestation by some good certifying... not certifying, because there is no HIPAA certification, so some good auditing agency who has done their compliance audits. So, for example, we do it, so that way.

Or failure to sign a BAA with the subcontractors. Many a time it is like only the BA, the business associate, and the covered entity have a good BAA in place, but a subcontractor basically just has a master services agreement which is not in line with the BAA. We have seen this also: the business associate has a subcontractor, and the business associate has a covered entity also. So the covered entity-BA BAA, the business associate agreement, is very good, very sharp, very strong, very well written, but the agreement between the business associate and the subcontractor is very likely written more like a formality type, and that's like asking for failure.

Now, incomplete BAA elements. It could be like all the provisions not covered, or maybe the template that is used is more like a master services agreement overall type, but not really addressing the HIPAA requirements that we had seen earlier. So this is something which is like a legal requirement; don't take this lightly.

Now, what happens when a business associate fails to comply with HIPAA? Now, the business associate will be held liable, as we saw earlier under the Omnibus provisions, because they have already signed a BAA. Even if not, as per the Omnibus requirements, they will be held liable. Now, as per the HHS, that's the Health and Human Services website, it says that any sort of failure to comply, to provide the Secretary with records and compliance reports, will be held as negligence, and then it also authorizes the HHS and the OCR to take retaliatory action against any individual or persons for filing a HIPAA complaint, or participating in an investigation, or if we need to comply with the requirements of the Security Rule, or failure to provide breach notification, or impermissible uses and disclosures of PHI, for example cross-use.

So, for example, if I am an insurance agency and I have the insurance information of some people, I cannot use that information. So I'm a business associate and I'm also selling instruments, or say I'm also selling motor car insurance. So I take the health information from some covered entity and then I use that information to sell motor car insurance to those people. That is a cross-use, which is totally prohibited. I'm just giving an example, right? Or maybe using that information to sell some medication to those affected people whose health information I have in place. It could be some oncological drugs, or it could be some AIDS drugs or something like that, that I try to sell to them directly, or give them some support on that or whatever. That is like impermissible use and disclosure of PHI, right? So this is very, very serious, and OCR really takes this in a very, very serious manner.

So then there could be failure to make reasonable efforts to limit the PHI to the minimum necessary; this is also considered a breach. Then failure to provide an accounting of disclosures, like what disclosures happened, how many times it happened, to whom it happened. Many a time... not many a time, a few times, we've seen organizations even trying to hide some sort of breaches, trying to behave as if it never happened. Or any sort of failure to enter into business associate agreements with subcontractors that create or receive PHI on their behalf, or failure to take reasonable steps to address a material breach or violation
of the subcontractor's business associate agreement. That's where the HHS, the Health and Human Services Department, can step in and take retaliatory action, penalize you, even send you to jail or something, I don't know, all right?

Compliance challenges for business associates. One is the ambiguity in understanding the applicability of HIPAA obligations. So, how do I say this? Okay, we have seen a few business associate agreements wherein the business associates are smaller companies and the covered entities are large giants, and they have written everything under the sun and put them accountable on the business associates. And many a time, to get business, the business associate or the subcontractors simply sign the contract, because those terms are open-ended and no matter what happens the covered entity can wrap it on your head. So this is really serious. It can actually result in you going bankrupt, being sent to jail if it is really serious, in case there is a breach; it can even be that it's not really your fault, but it's there in the agreement as your responsibility, right?

So, the challenge to comply with and track multiple BAAs. This is another thing: many business associates have multiple business associate agreements. This is a very serious issue, guys. So we have many clients who sign multiple BAAs across multiple clients, and then they might have different provisions, but the environment is the same. How are you going to take care of it? Some clients might say that you need two-factor authentication; some client might say it's not required. Some clients might say that you need to have OpenVPN for VPN access; some clients might say use Fortinet. Like, someone might say we use AES-256; someone might say no, you use AES-512 or 2048; or someone might say use an asymmetric algorithm, and someone might say use symmetric algorithms for encryption of data.

So again, the lack of resources to support frequent audits, because covered entities and business associates are required to ensure that the people down the line, their associates or business partners who are down the line, are complying with HIPAA requirements. So they might even do audits of their own. And then multiple subcontractor BAAs, and keeping an accurate count of subcontractor BAAs, because large covered entities or even business associates have numerous, dozens and dozens of subcontractors and business associates, so keeping track of who's doing what, where, ensuring compliance. So it's like a double-edged sword. I hope you can draw that mental picture on this. So this is very serious, where keeping track of multiple BAAs with your upstream covered entity, and then keeping track of multiple subcontracted BAAs downstream of you, all these things can be a major mess in compliance. But that cannot be an excuse that you can give in case, God forbid, there is a breach.

So, HIPAA compliance checklist for business associates. Number one: business associate agreement with covered entities. You need to have this in place, a very clear agreement, and then downstream, subcontractor BAAs, as we saw. Now, implementing the security safeguards for PHI and ePHI; having the right security policies and procedures; doing a very effective, objective security risk assessment; doing an administrative assessment; then implementing policies and processes to comply with the Privacy Rule, again depending on the agreements that you sign, because if you're a business associate not everything in privacy might apply to you. Now, HIPAA training for business associates is also very important; as with any standard, it requires personnel to be trained. Then a process for reporting of security incidents and breaches, and also, if you need to have a process for reporting, then you need to have an incident response plan in place. Then records and documentation of compliance evidence. Then policy and process relating to returning, altering, and destroying all PHI and ePHI. This
last point that is written, I would like to bring your mind to this. We have seen many business associates where they don't have a good plan for data retention and disposal. Many a time, we have seen a few times where they don't have any sort of written plan, and they say, "We just perpetually maintain it, and our covered entities are fine with it." But remember, this increases your exposure. In case there is a breach, you will be required to justify why you are storing decade-old payment information, sorry, patient information, with you. So have a good process in place for regular data retention scans and disposal.

Then develop a very cohesive security and privacy policy as per HIPAA requirements, not just a generic one. Then have an internal audit process; depending on the situation it could be quarterly, half-yearly, yearly, whatever, and document records for evidence, because without evidence you just have a policy in place and it's going to be meaningless. Then establish your incident response plan, establish breach notification processes, and again, establish a process for handling, returning, and destruction of PHI. Very, very important. You need to even have evidence as to how you got rid of the data. Training and awareness program. And then, last but not least, hire a compliance consultant. This is very important because this is the law, this is a legal requirement; you might overlook something, or you might overestimate or underestimate some requirements. All right.

That brings me to the end. I really hope that this was worthwhile for you. We went slightly overboard with the time. And as we're ending, there's a survey participation request. We put in a lot of time and money into getting these webinars out, so do take a few minutes... it will take you like 30 seconds to fill up the sheet, to just make the tick marks. Do give us your feedback on what you think about the webinar, whether it met your expectations, and whether you have any comments or suggestions for future webinars. And in case you're watching this on YouTube, do leave a nice comment on your experience. And of course, thank you again for sharing your valuable time. That's our contact information; do drop us a line in case you have any further queries.

Okay, I got a nice query from Urban: "What will be the best time to ask you a question?" You should have asked so far, my friend; you should have asked me and I would have answered you. But yeah, about HIPAA or PCI, please. So what I would suggest, Urban, is that I have messaged you my email address. Yes, and what you can do is drop me a line and I will respond to you directly, whatever your queries are. You should have asked me, my friend, I would have answered you, and that's what makes our webinar so interesting, because people ask questions. Anyway, so thank you again, and have a wonderful day ahead. Take care and God bless you. Bye.