Add Digital Signature HIPAA Business Associate Agreement with airSlate SignNow

Eliminate paper and automate document management for better performance and endless opportunities. eSign any document from the comfort of your home, fast and feature-rich. Enjoy the perfect way of doing business with airSlate SignNow.

Award-winning eSignature solution


Get the powerful eSignature capabilities you need from the solution you trust

Choose the pro platform designed for professionals

Whether you’re introducing eSignature to one team or across your entire organization, this process will be smooth sailing. Get up and running quickly with airSlate SignNow.

Set up eSignature API with ease

airSlate SignNow works with the apps, solutions, and devices you currently use. Easily embed it straight into your existing systems and you’ll be productive instantly.

Work better together

Boost the efficiency and productivity of your eSignature workflows by giving your teammates the capability to share documents and templates. Create and manage teams in airSlate SignNow.

Add a digital signature to a HIPAA Business Associate Agreement within a few minutes

Go beyond eSignatures and add a digital signature to a HIPAA Business Associate Agreement. Use airSlate SignNow to sign agreements, collect signatures and payments, and speed up your document workflow.

Decrease the closing time

Remove paper with airSlate SignNow and reduce your document turnaround time to minutes. Reuse smart, fillable form templates and deliver them for signing in just a few clicks.

Keep sensitive data safe

Manage legally valid eSignatures with airSlate SignNow. Operate your company from anywhere in the world on virtually any device while maintaining top-level security and compliance.

See airSlate SignNow eSignatures in action

Create secure and intuitive eSignature workflows on any device, track the status of documents right in your account, build online fillable forms – all within a single solution.

Try airSlate SignNow with a sample document

Complete a sample document online. Experience airSlate SignNow's intuitive interface and easy-to-use tools in action. Open a sample document to add a signature, date, text, upload attachments, and test other useful functionality.

Sample documents:

  • Checkboxes and radio buttons
  • Request an attachment
  • Set up data validation

airSlate SignNow solutions for better efficiency

Keep contracts protected
Enhance your document security and keep contracts safe from unauthorized access with two-factor authentication options. Ask your recipients to prove their identity before opening a contract to add a digital signature to a HIPAA Business Associate Agreement.
Stay mobile while eSigning
Install the airSlate SignNow app on your iOS or Android device and close deals from anywhere, 24/7. Work with forms and contracts even offline and add a digital signature to a HIPAA Business Associate Agreement later, when your internet connection is restored.
Integrate eSignatures into your business apps
Incorporate airSlate SignNow into your business applications to quickly add a digital signature to a HIPAA Business Associate Agreement without switching between windows and tabs. Benefit from airSlate SignNow integrations to save time and effort while eSigning forms in just a few clicks.
Generate fillable forms with smart fields
Update any document with fillable fields, make them required or optional, or add conditions for them to appear. Make sure signers complete your form correctly by assigning roles to fields.
Close deals and get paid promptly
Collect documents from clients and partners in minutes instead of weeks. Ask your signers to add a digital signature to a HIPAA Business Associate Agreement and include a charge request field in your document to automatically collect payments during contract signing.
  • Collect signatures 24x faster
  • Reduce costs by $30 per document
  • Save up to 40h per employee / month

Our user reviews speak for themselves

Kodi-Marie Evans, Director of NetSuite Operations at Xerox:
airSlate SignNow provides us with the flexibility needed to get the right signatures on the right documents, in the right formats, based on our integration with NetSuite.

Samantha Jo, Enterprise Client Partner at Yelp:
airSlate SignNow has made life easier for me. It has been huge to have the ability to sign contracts on-the-go! It is now less stressful to get things done efficiently and promptly.

Megan Bond, Digital marketing management at Electrolux:
This software has added to our business value. I have got rid of the repetitive tasks. I am capable of creating the mobile native web forms. Now I can easily make payment contracts through a fair channel and their management is very easy.

Why choose airSlate SignNow

  • Free 7-day trial. Choose the plan you need and try it risk-free.
  • Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
  • Enterprise-grade security. airSlate SignNow helps you comply with global security standards.

Your step-by-step guide — add digital signature hipaa business associate agreement

Access helpful tips and quick steps covering a variety of airSlate SignNow’s most popular features.

Using airSlate SignNow’s eSignature, any business can speed up signature workflows and eSign in real time, delivering a better experience to customers and employees. Add a digital signature to a HIPAA Business Associate Agreement in a few simple steps. Our mobile-first apps make working on the go possible, even while offline! Sign documents from anywhere in the world and close deals faster.

Follow the step-by-step guide to add a digital signature to a HIPAA Business Associate Agreement:

  1. Log in to your airSlate SignNow account.
  2. Locate your document in your folders or upload a new one.
  3. Open the document and make edits using the Tools menu.
  4. Drag & drop fillable fields, add text and sign it.
  5. Add multiple signers using their emails and set the signing order.
  6. Specify which recipients will get an executed copy.
  7. Use Advanced Options to limit access to the record and set an expiration date.
  8. Click Save and Close when completed.

In addition, there are more advanced features available for adding a digital signature to a HIPAA Business Associate Agreement. Add users to your shared workspace, view teams, and track collaboration. Millions of users across the US and Europe agree that a system that brings everything together in one holistic workspace is exactly what businesses need to keep workflows running efficiently. The airSlate SignNow REST API enables you to embed eSignatures into your app, website, CRM or cloud. Try out airSlate SignNow and enjoy quicker, smoother and overall more efficient eSignature workflows!

How it works

Access the cloud from any device and upload a file
Edit & eSign it remotely
Forward the executed form to your recipient

airSlate SignNow features that users love

Speed up your paper-based processes with an easy-to-use eSignature solution.

Edit PDFs online
Generate templates of your most used documents for signing and completion.
Create a signing link
Share a document via a link without the need to add recipient emails.
Assign roles to signers
Organize complex signing workflows by adding multiple signers and assigning roles.
Create a document template
Create teams to collaborate on documents and templates in real time.
Add Signature fields
Get accurate signatures exactly where you need them using signature fields.
Archive documents in bulk
Save time by archiving multiple documents at once.

Get legally-binding signatures now!

What active users are saying — add digital signature hipaa business associate agreement

Get access to airSlate SignNow’s reviews, our customers’ advice, and their stories. Hear from real users and what they say about features for generating and signing docs.

airSlate SignNow - The quickest (and cheapest!) way to get things signed
Rating: 5
Chris Ammann

airSlate SignNow is used to efficiently and quickly have candidates sign offer letters, or for signatures required from employees for HR documents. It solves the problem of having a candidate print, then sign, then scan their offer letters back to us. So the ease of use for our candidates makes it a worthwhile investment for us.

It's one of the cheapest services out there for digital signatures. It offers a comprehensive audit trail of when items were signed, and by whom. It's quick and very easy to use. Very nice GUI.

I've only had to contact support once or twice, but both times my issues were resolved quickly.

We use airSlate SignNow for our candidate offer letters, where it helps us to quickly gain a signature from a candidate in a market that is so competitive that at times the quickest company to get an offer signed will often be the company that makes the hire. It also shows a level of professionalism in presenting your offers.

Easy to use and Intuitive
Rating: 5
Ryan Spaulding

I used airSlate SignNow to sign leases. The software is excellent and intuitive. Up to this point, I have used 3 different eSign software services. airSlate SignNow was the best in my opinion. Other software might offer a few more features, however, airSlate SignNow was the easiest to use and navigate. I literally needed it to collect some signatures and initials. I didn't need the fancy stuff.

Ease of use -- Whether on a computer or using the app, it was easy for me as the sender and easy for the recipient. Intuitive interface -- Most of the time, the recipient of the documents was using airSlate SignNow for the first time. I never encountered a situation where they could not figure out how to use the software.

I would recommend airSlate SignNow to anyone who wants a solid eSign software.

Stop faxing and start working!
Rating: 5
Robert Brown

Basically every quote and agreement we use at Lennis Design, LLC goes through airSlate SignNow.com. We have found it very simple to implement and most of our customers (who are of varying computer sophistication) have no problem using it. When we re-invented our business in 2016 we didn't want to go back to fax machines so airSlate SignNow.com gave us the ability to have electronic signatures without the high overhead of their competition.

Signing a quote from your phone gets jobs started faster. Automatically exporting a PDF and letting me know when the customer has agreed to the quote is very helpful. Having an online repository to re-download executed documents is helpful.

Quotes and any other legal agreements are perfect for airSlate SignNow. I've used it to get 1099 contractors to electronically sign NDA's and work for hire agreements so it's very handy to have this ability and lets me do business virtually much quicker than having to deal with a fax machine.


Electronically signing a HIPAA Business Associate Agreement

Welcome to our continuing educational webinar series. I am Catherine Short, Partnership Marketing Manager for First Healthcare Compliance. At First Healthcare Compliance we help you with a comprehensive compliance management solution tailored to your business: a hospital, hospital network, healthcare practice of any size, billing company, or skilled nursing facility. We help you manage every aspect of a compliance program, and our training library provides hundreds of modules that are easy to assign and track. As part of our complimentary educational webinar series, we bring you experts from around the country to discuss relevant topics in the healthcare industry.

We are so pleased to have Rachel V. Rose, JD, MBA, principal with Rachel V. Rose, Attorney at Law, PLLC, Houston, Texas, with us today. Ms. Rose has a unique background, having worked in many different facets of health care, securities, and international law and business throughout her career. Her practice focuses on a variety of cybersecurity, healthcare, and securities law issues related to industry compliance and transactional work, as well as representing plaintiffs in Dodd-Frank and False Claims Act whistleblower claims, which remain under seal. Ms. Rose holds an MBA with minors in health care and entrepreneurship from Vanderbilt University and a law degree from Stetson University College of Law, where she graduated with various honors, including the National Scribes Award and the William F. Blews Pro Bono Service Award. Ms. Rose is licensed in Texas. Currently she is the chair of the Federal Bar Association's Government Relations Committee, the co-editor of the American Health Lawyers Association's Enterprise Risk Management Handbook for Healthcare Entities, 2nd edition, as well as the co-author of the books The ABCs of ACOs and What Are International Business Considerations. She has been named consecutively to the Texas Bar College, the National Women Trial Lawyers Association's Top 25, and Houstonia magazine's Top Lawyers for Health Care. Ms. Rose is an affiliated member with the Baylor College of Medicine Center for Medical Ethics and Health Policy, where she teaches bioethics.

A copy of the slides is available for download on the control panel. Feel free to submit questions in the question box on the control panel during the presentation; we will address questions at the conclusion of the presentation. Your PAHCOM and PMI CEU certificates will be emailed to you following the broadcast. Your PAHCOM certificate will come directly from PAHCOM, and your PMI certificate will come from our email; there is no need to request either one. Additional CEU opportunities will be available to BC Advantage members following the live broadcast; see their website for details. A download of the handout is available on the side or upper panel of your screen. So Rachel, thank you so much for being with us today. A very warm welcome again.

Thank you, Catherine. It's always my pleasure to collaborate with you and First Healthcare Compliance. I find the breadth and depth of experience you bring to the table, in terms of complementary questions and what your goal is for your clients, to be in line with mine, so I'm very fortunate to be here, and thank you for the gracious introduction.

So today I'm here to talk about HIPAA business associate agreements under HITECH. Before we begin, I need to provide the requisite disclaimer: the information presented is not meant to constitute legal advice. If you have specific questions that are really legal in nature, you need to consult an attorney. Having said that, I will take broad questions. And the information, as we all know, during the time of the pandemic in particular, is dynamic and fluid, so you need to make sure that you continually check the various government agency websites and laws for updates.

So what are we going to talk about today? Well, first we're going to lead with some recent enforcement actions, including those involving business associate agreements. Next we'll delve into the HITECH Act and HIPAA. Then we'll segue into the new 2019 HHS fact sheet, and you might be saying, "Well, Rachel, this is from 2019, what's new about this fact sheet?" In reality it's really the first significant update since 2013, and it really lays the foundation for our next section, the business associate agreement. From there we'll delve into COVID and what it means for business associates and subcontractors, and we'll end up with some compliance nuggets, as I call them, as well as some takeaways for mitigating risk and other practical tips.

So what are some recent enforcement actions and other timely topics? Well, first, typically on a regular basis OCR provides enforcement updates on its website, and for those of you who are new to healthcare, OCR stands for the Office for Civil Rights, and that falls under the umbrella of the Department of Health and Human Services. OCR has investigated and resolved over 28,000 cases by requiring changes in privacy practices and corrective actions, and by providing technical assistance to HIPAA covered entities and their business associates.

So what's important about this? Well, during the course of my practice, which as Catherine noted is pretty broad in scope, I've been very fortunate really to see HIPAA from a variety of angles. The first angle is that I actually do the risk analyses for corporate clients and physician practices, so I've actually done those for business associates and covered entities alike, and there are nuances whenever you're doing a risk analysis that covered entities need to be aware of that don't necessarily apply to business associates. Why? Because typically, unless you're a hybrid covered entity, a business associate is not rendering care. So that's something to be aware of there. Having said that, there are a lot of nuances associated with the covered entity and business associate relationship, but I'll delve into the main one later on.

Secondly, I have represented both entities in front of OCR when they have received what I call "the love letter," and the love letter means that OCR has launched an investigation. Sometimes, as the first paragraph says, they merely guide covered entities and business associates if there's a small issue. And as we saw at the end of 2019, in some instances they've even given guidance, but the entities didn't follow through on the guidance, so then something happened: they, being OCR, received another complaint, and so they went back in and the entity ended up with a fine. So the first takeaway is, if OCR is trying to help you, you really want to make sure that you are doing what they're telling you to do to become HIPAA compliant. Secondly, they can and do go after entities, as we'll see in the next couple of slides, and it's important, if you are in a predicament, especially a ransomware attack type scenario, that you have really confident counsel, because it gets very nuanced, and most of my discussions with OCR really delve into the law and the technical aspect. So I would encourage covered entities and business associates to hire outside counsel. And then finally, I have brought cases, I've negotiated contracts, and I've actually helped defend entities too, so I've pretty much seen it from every angle.

The corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve. So that's important as well, because the bottom line is a fundamental right to privacy that is granted to all of us in the United States Constitution. OCR has successfully enforced HIPAA rules by applying corrective measures in all cases where an investigation indicates non-compliance by the covered entity or their business associate. So just because the entity wasn't fined does not mean that there were not costs associated with that non-compliance. And as an aside, another area that you really need to be conscious of is the class action lawsuit, and as we saw with Anthem Blue Cross Blue Shield as well as Community Health Systems, those can really be the most costly in terms of your legal expenses, and then typically OCR will come in and lob a fine on top of that. Anthem's class action settled for approximately 115 million dollars, and OCR then came in and levied 116 million, or a 16 million dollar penalty, excuse me. To date, OCR has settled or imposed civil monetary penalties in 75 cases, resulting in over 116 million dollars, and they have investigated complaints against a variety of different entities. What's fascinating is it's not only big entities or small entities; they actually fined the State of Texas for not being compliant with the HIPAA rules.

This is the most recent fine to be levied by HHS, and this happened at the very end of July of 2020. So basically Lifespan Health Systems Affiliated Covered Entity, a not-for-profit health system based in Rhode Island, agreed to pay over a million dollars to OCR and to implement a corrective action plan. Corrective action plans can also be costly, so whenever you're looking at your risk management or enterprise risk management plan, you absolutely need to take into account all possible expenses related to a breach. Basically the key takeaways here are: it's hard to believe that in 2020, despite HIPAA coming out in 1996, and then the Security Rule becoming effective in 2005, and the Omnibus Rule becoming effective in January, well, it was published in the Federal Register in January of 2013, and the effective dates were March and then compliance dates were September for most of the provisions of that same year, it's amazing to me that there are still so many issues associated with unencrypted laptops and USB drives. But on April 21st, Lifespan and its business associate, so here you have that corporate structure where the parent company and the business associate of Lifespan ACE actually called a penalty on itself, so to speak, and filed a breach report with OCR concerning the theft of an affiliated hospital employee's laptop containing ePHI. What's important here is the focus on the business associate, and it's not uncommon when you break down corporate structures to see a parent company be in a business associate relationship because of the type of interaction with a subsidiary company. So you really want to hone in and look at the corporate structure.

Another key related item are the reports that have come out over the last few months regarding cyber attacks and the increase in those. In HIPAA terms that's obviously malware, ransomware, and pretty much violating or taking an opportunity to exploit a vulnerability that becomes a threat and ultimately a breach. So here we see that the FBI indicated that between April 1 and April 30 of 2020 there was a 400 percent increase in cyber attacks. So that right there is crucial, and if you are a covered entity engaged in research and clinical trials, there was a recent statement indicating that they're finding more and more state actors, meaning foreign countries such as China and Russia, really honing in on those types of attacks, and an example of that was the arrest of the individual working at the Houston consulate, July 23, 2020.

In juxtaposition to the example I just gave, where we had a fine of over a million dollars, this in fact relates to a small health care provider failing to implement multiple HIPAA Security Rule requirements. On June 9th of 2011, Metro filed a breach report regarding an impermissible disclosure of PHI to an unknown email account. So what's interesting is this was after the HITECH Act but before the final Omnibus Rule. The breach affected over 1,200 patients. OCR's investigation revealed long-standing, systemic non-compliance with the HIPAA Security Rule, and I'll give you my first-hand lens: they do, they meaning OCR, when their investigators really sink their teeth into something, they don't look at just the immediate breach; they go back in time and look at your history of compliance with the technical, administrative, and physical safeguards. So here specifically Metro failed to conduct that golden risk analysis, failed to implement any HIPAA Security Rule policies and procedures, and neglected to provide workforce members with security awareness training until 2016. That is absolutely unbelievable. But what else is a little interesting about this particular enforcement action is that the report was made in June 2011; it took nearly nine years for that announcement to be made and a fine of a hundred thousand to be levied. So these can take a long time, just as a lawsuit can take a long time, so you really need to prepare your clients if they get one of these letters or they sell the quote.

May of 2019: a three million dollar fine was assessed against Touchstone, and what's important here is, first, we are honing in on that risk analysis again. Second, they failed to have business associate agreements in place with vendors, including their IT support vendor and a third-party data center provider, as required by HIPAA. Again, this is so elementary to HIPAA compliance and those requisite technical, administrative, and physical safeguards. As I've said before, it just blows my mind that people aren't implementing these fundamental, elementary types of precautions and really regulatory requirements. But here the medical imaging company agreed to pay over three million dollars and, again, to adopt that corrective action. A side note on that is, as we know, there are also what I call state HIPAA laws that are very similar to the federal HIPAA law. The federal HIPAA is used as the floor, so state laws cannot be less restrictive than federal HIPAA, but they can impose more restrictions, and we see that in Texas with the definition of a covered entity.

So now that you have the lay of the land in terms of some of the items that HHS OCR focuses on, let's give a little background on HIPAA and the HITECH Act. So who is under the legal umbrella? Well, first we have covered entities, business associates, and subcontractors. Covered entities under federal HIPAA fall into three main buckets, which I put up on the slide: healthcare providers, health plans, and health care clearinghouses. From there, a covered entity is in privity of contract with a business associate, and it's also notable that a business associate agreement is required between a covered entity and a business associate. From there we have business associates in privity of contract with subcontractors, or those entities that they contract with; again, a business associate contract is required. Now if we go back to some of the language in the various Privacy Rule regulations and rules that were set forth in the different Federal Register notices and rule actions, basically they refer to this as the link of trust, and I like to think of this as a linear relationship: that is the covered entity, and then that link to the business associate, and then that link to the subcontractor. So that's a straight line. There are also other arrangements that one can get into, for example where you have the covered entity at the top of what I call a triangle or a pyramid. So the covered entity would be at the top, and for example if they are contracting with two separate business associates, they would have, going down the sides of that triangle, a business associate agreement with each of those. But the covered entity might say, "Hey, business associate one, you need to work with business associate two in order to accomplish whatever health care related objective or business related objective it is that involves protected health information." Well, what you want to do is make sure that there is some type of agreement between BA1 and BA2, and that's to ensure that the requisite technical, administrative, and physical safeguards are met, that you know what you're going to do in the event of a breach, and things of that nature. So that can typically be done in the format, some people just do the business associate agreement, others do a modified business associate agreement because of the type of relationship, others do a data use agreement, but some of the key provisions are still required, and what you really want to make sure of is that you're getting those reasonable assurances, and I'll give you my top five items that I tell people to ask for down the line.

Texas House Bill 300 has been in effect since September 1st of 2012, and the key here is twofold: first, it was codified in the Texas Health and Safety Code, and second, it was quantified in the Business and Commerce Code. So those are the two places to look for the actual legal implementation of the legislation, but the key here is the different definition of a covered entity. So instead of limiting the covered entity to the federal HIPAA definition, they basically said in Texas anyone, any person, who creates, receives, maintains, or transmits protected health information. Then we go into the Federal Trade Commission, and in a way they filled a gap on the federal forefront, because the Federal Trade Commission is tasked and has the authority to enforce, under the Federal Trade Commission Act, consumer rights protections, and that's absolutely crucial to remember because their breach notification rule is slightly different than federal HIPAA, but I'll delve into that in a moment.

So here's some of the legislative history. August 1996: HIPAA is signed into law, and it comes about as the need for a consistent framework for transactions and other administrative items is coming more and more to the forefront. Interestingly, the Privacy Act of 1974 was already in place, and obviously that happened 22 years before. And then when you start looking at the Substance Abuse and Mental Health Services Administration, also known as SAMHSA, you start looking into the ranks at 42 CFR Part 2, which for those who deal in this area in particular is typically known as Part 2; that also stems back to the mid 70s, and it arose out of the 1960s drug culture and the public policy behind wanting people to go and get treatment and medical help for various types of addiction without their privacy being violated and without having a stigma that was publicly known. So that's where the history stems from.

I have the Privacy Rule, August 14th of 2002, up here. The Privacy Rule itself was actually initially promulgated in December of 2000 in the Federal Register, and then we see what are known as interim rules or other corrections, so to speak, and that's what happened here. So although this was set forth in August of 2002, it became effective in fact in 2003. The Security Rule applies to electronic protected health information, or ePHI, only. Again, it was first published in the Federal Register on February 20th of 2003 but did not become effective from a compliance standpoint until 2005. A key difference between the Privacy Rule and the Security Rule is that the Privacy Rule applies to all forms of protected health information and the Security Rule applies to electronic protected health information. In 2002 we see the Health Information Technology for Economic and Clinical Health Act come into being, and that was part of the American Recovery and Reinvestment Act of 2009. The Breach Notification Rule comes into play in 2009, and as an aside there, there have been some changes which came about in April of 2019 whereby the four tiers of penalties underwent some changes. So the penalties are tiered in terms of tier one, tier two, tier three, and tier four. Tiers one through three are the least severe types of actions and least severe types of knowledge requirement, and those all underwent major decreases, so to speak, in the penalty amounts. Tier four remains at 1.5 million, so if you're heading into that batch, that is something that is important. From there we get into the 2010 privacy and security proposed regulations, and then finally that Omnibus Rule, and I mentioned January of 2013; the citation for that is 78 Federal Register 5566, January 25th of 2013. And this is where a lot of business associates in particular, and covered entities and subcontractors, but really those business associates, said, "Oh crap, we are now liable, expressly liable." And as I mentioned in one of the takeaways, some entities feel that that liability for business associates actually goes back to the HITECH Act and that Breach Notification Rule. So it's interesting to look and see, but if you have an issue before 2013, the odds are, as some of the enforcement actions have indicated, that they will go back and look at your compliance stemming all the way back, sometimes to 2005. So there is a good faith basis for being nervous if you didn't have everything in place even before 2013.

I mentioned the Federal Trade Commission Act, and the FTC's Health Breach Notification Rule requires certain businesses not covered by HIPAA to notify their customers and others if there's a breach of unsecured individually identifiable electronic health information. This cannot be understated. This really not only applies to HIPAA entities, but as an aside, the FTC has brought enforcement actions against HIPAA covered entities and business associates as well, stemming back to at least 2009, and their penalties have been in the millions. So three examples are Rite Aid, CVS, and more recently Henry Schein Dental EHR.

So let me delve into this 2019 HHS fact sheet. As I mentioned from the outset, although 2019 is not brand new, like hot off the press, it is relevant in that it was the first release of a fact sheet in over six years that related specifically to a new fact sheet on direct liability of business associates under HIPAA. And I need to enforce something here: fact sheets and guidance are just that, they're guidance, and if you start to delve into a variety of areas of law and government agencies, OSHA for example says, even in relation to COVID, this is guidance and it's not actionable under the law. What's relevant here is that OCR did this handy little fact sheet, but you can go directly to the Security Rule, which is actionable under the law, and find these provisions, which I'm going to delve into, in the actual law. So therefore this isn't just guidance; what they've done is given a quick overview, and then something that business associates should really take to heart and follow and make sure that they are checking off all of these boxes.

So in 2013, and this is key because of the title of the presentation, under the authority granted by the HITECH Act, OCR issued a final rule, and that's the Omnibus Rule that I've mentioned a couple of times, that among other things identified provisions of the HIPAA rules that apply directly to business associates and for which business associates are directly liable. So what is OCR's authority against business associates? Well, as we mentioned, they have the same authority to take enforcement action against business associates as they do against covered entities, but their authority is limited to those requirements and prohibitions of the HIPAA rules that appear on the following list. I pulled some key items, but there are several others, and I encourage you to visit that link on the previous slide, and you'll find a list of all of them.

So first, failure to comply with the requirements of the Security Rule. Well, for anyone who's ever done a Security Rule risk analysis, you know that there are hundreds of items in the Security Rule, so you may be thinking, "Oh well, this isn't that bad, there's only, yeah, what, 15 items on the list?" Well, each of these items has a lot of sub-items, and that's the key part. Again, the Security Rule is really interested in protecting the confidentiality, integrity, and availability of that sensitive ePHI and making sure that the technical, administrative, and physical safeguard requirements are met. Failure to provide a breach notification to a covered entity or another business associate; business associate does include subcontractors, but I always like to separate them out so that it's express. Impermissible use and disclosures of this; that should go without saying. Failure to disclose a copy of electronic PHI to either the covered entity, the individual, or the individual's designee, and again, related to this presentation, whichever is specified in the business associate agreement.

So what does that mean? Well, for years I've worked with my clients when we refine or draft business associate agreements, and if my client happens to be a covered entity, I'll say, "Okay, if the breach occurs on your end, then who are you going to notify? You have to notify HHS and you have to notify your business associates." That's important to make sure, especially with a ransomware attack, that it was contained and it did not go and infect another entity's system, or if it's a phishing email or another form of malware. So that's very, very important there. Conversely, if I'm representing a business associate, I'll say, really the onus is on the covered entity to provide that individual with a copy of their records. If they are contracting with you, it's better that the patient goes through the covered entity and then they refer it to you to fulfill, rather than having the individual contact you directly. And what happens there is that the language is very express, saying that in the event that the business associate is contacted by the individual, it will notify the covered entity within 24 hours, or if it's a Friday, the following Monday, and tell them that a request for a designated health record set or billing has been made, along those lines, and then from there they go through the appropriate steps with the covered entity to fill out all of the requisite forms, and then the covered entity sends those to the business associate, and that just keeps everything clean. Also on the breach notification, I've had situations where the business associate agreed to notify HHS directly, but it also means you have to notify the covered entity as well, so that can't be a one-way street. The most prudent way to do it is probably to
notify the covered entity and have them notify hhs with an explanation of what transpired that the covered entity was not the source of the breach they were notified by the business associate and they're taking the appropriate steps under the breach notification rule but there are different ways to do it but you need to absolutely make sure that it is spelled out line by line in the business associate agreement otherwise that is an area that hhs questions and indicates whether or not you are in compliance and that's where earlier i mentioned hiring competent counsel because the nuances of the laws that they really drill down into are just that they are quite nuanced and you need to make sure that your attorney is responding accurately because there are exceptions there are other issues that can and do arise and i actually had this happen when dealing with ocr they said well the covered entity is supposed to report the breach and i specifically referenced the cfr and said well in this instance and here's a copy of the business associated agreement that was not contracted to between the parties and that resulted otherwise both entities could have been in trouble ostensibly for not following the loss failure to make reasonable efforts to limit phi to the minimum necessary to accomplish the intended purpose of the use disclosure or request minimum necessary should be in any person's vocabulary who creates receives maintains or transmits protected health information and finally failure to enter into business associate agreements with subcontractors that create receive maintain or transmit phi on their behalf and failure to comply with the implementation specifications for such agreements typically the implementation specifically specifications in these agreements include those rules the privacy rules security rule for each notification rule things of that nature so let's delve into the business associate agreement well here we have the content of the business associate 
agreement first and foremost you need to know who you are doing business with whether a covered entity or a subcontractor and a few moments ago i mentioned that i have my clients do a less than one page attestation that the other entity signs and what they ask five basic questions and if people don't answer these questions as checking all the boxes i would be trepidatious to enter into an agreement with them so the five questions are do you undergo an annual risk analysis do you have comprehensive policies and procedures that are reviewed on at least an annual basis do you require annual hipaa and security training of your workforce next is your data encrypted at rest and in transit and lastly do you have business associate agreements in place with the entities that you need to have them in place with if people answer no to those then that's a red flag and i would really drill down on those issues indemnification clauses what's important here is that they're not required under the security rule and if you look at the hhs fact sheet that is not one of the requisite items not the fact sheet from 2019 but their previous fact sheets on business associate agreements i'm seeing a lot of them and have for a long time this is a completely separate webinar but there are nuances of indignification clauses that you have to hone in on and i have a couple slides dedicated to that in this presentation choice of law form and venue doesn't match your main contract in your other contract otherwise that is one area that entities will absolutely hone in on in the event of a legal proceeding who notifies hhs in the state agency equivalent we just addressed that on the previous slide and who pays for the notifications to patients the media and government entities especially in the event of a breach that includes more than 500 individuals cloud computing is something to be conscious of as well what access does the cloud entity have to your data and in fact you are required to have a 
business associate agreement with a cloud computing entity are you using a platform as a service and infrastructure as a service or a software-as-a-service cloud application does the cloud company use at least 256-bit encryption and is a daa signed all of those are absolutely critical the other item to look at is where your data is stored because if it is stored outside of the united states lo and behold you just open yourself up to the laws of other countries and that's something to be very very conscious of as well as state laws such as arizona which really prohibits the offshoring of certain duties related to protected health information so you need to be very very conscious of those types of nuances parents and subsidiaries go back to that lifespan recent enforcement action what is the corporate structure is something you should really hone in on and a few of my clients who have a more elaborate corporate structure we've had business associate agreements put in place and they're worded differently than some of the ones that are used with other business associates because of the relationship between the parent and the business associates so just be very aware of refining your business associate agreement is this a hybrid covered entity or two district corporate entities so are we talking about divisions within a company or are we talking about two distinct corporate entities so common contracts where indemnification provisions emerge we see these in master service agreement service level agreements these are very tech oriented statement of works business associate agreements and asset purchase agreements all of this is very very important so what is the business associate definition i've mentioned it throughout the program however i really want to give that express statement of what it is coming out of the privacy rules and security rules a business associate is a person or entity other than a member of the workforce of a covered entity who performs functions or 
activities on behalf of or provide certain services to a covered entity that involve access by the business associate to protected health information and as i indicated earlier business associates include a lot of different entities lawyers can be a business associate accountants can be a business associate a person that offers a personal health record to one or more individuals on behalf of a covered entity a subcontractor that creates receives maintains or transmits protected health information and one area to really hone in on especially in light of the 21st century cures act is an app developer and their relationship not only to the covered entity but also potentially to the electronic health record a business associate agreement covered entities may not disclose protected health information to business associates or allow business associates to use phi unless the parties have executed a business associate agreement end of story and that's why hhs really honed in on this a business associate agreement is a contract therefore it is actionable under state contract laws and typically this is one of the items that we find in class action suits and other areas there vas have the same obligation to have agreements in place with subcontractors what is a baa a contract it's required under hipaa and several items must be included so take out your pens and write this these down establishment of permitted use and required disclosures and uses non-disclosure of information appropriate technical administrative and physical safeguards in order to protect the confidentiality integrity and availability of that data as required by all of the parties to the agreement breach notification rule again as i mentioned on those previous slides you need to have a plan in place require elements found in both the privacy and the security rules as well as any other items such as defining who the entities are if you're labeling someone as a covered entity make sure that you define covered 
entity in your definition section because as we saw a covered entity under federal hipaa is defined differently than a covered entity under states of texas so just be sure that you're making express provisions for those types of nuances so what is indemnification because although it's not required like i said this is one that a lot of entities put in the contracts a provision in a contract that represents the transfer of risk between the parties in indemnification can be mutual i.e e or eg the same terms apply to both parties or unilateral one party has the benefit the circumstances dictate the type of indemnification make sure that you have done adequate due diligence in order to assess the risk before agreeing to indemnification indemnified versus hold harmless we have indemnified solely protect against losses hold harmless protects against losses and liability and then you have protect and protect is different depending on what definition that you use defend means the contractor will provide the upstream party with a legal defense and so you need to really look at what you're putting into that indemnification provision because it can really open up your expenses as well as your potential lie ability if it's unilateral that's typically problematic and i discourage that especially if you don't have a history of course of dealings with the entity a lot of entities try and make it unilateral so that their company is completely indemnified and all the liability falls on the other party but common sense should tell you that that's probably not the best route to go is indemnification required provision in a baa absolutely not and i can't reinforce that enough so let's look at covid for a moment because it means a lot for business associates and subcontractors in terms of liability and a question that i'm asked often is whether or not hhs when they stated they were going to loosen or really use discretion in their authority to enforce these privacy and security rules 
whether that means they're just going to turn the blind eye and i have to say no and it's because the bulletins that hhs set forth require those who are telecommuting who are in the regular course of business to continue using the security rule and to continue to meet those privacy rule exceptions which have been in place now for approximately 18 to 20 years when hhs promulgated the privacy rule as well as the security role they really took into account a variety of different circumstances which can and do arise including emergency situations public health issues disasters and that's why under the security role in your policies and procedures as well as there's a separate line item in the security rule you absolutely have to have a business continuity plan as well as a disaster recovery plan so all of that is absolutely critical a cobit 19 overview i'm just hitting the highlights here because it's important and you may want to put certain provisions in your contracts relating to covenant in general it was first reported in china in late 2019 the world health organization declared a pandemic on march 11 of 2020 from there the president declared a national emergency on march 13th of 2020 common signs of infection include respiratory symptoms fever cough shortness of breath and breathing difficulties in more severe cases as we know infection can cause pneumonia severe acute respiratory syndrome kidney failure and even death and i'm going to sidestep here for a moment whenever i do training for my clients and then interview the various levels of employees throughout their organization the one question that i ask is what is and i it depends on how i ask the question but what is the most extreme ramification of not complying with the security role and undergoing a ransomware attack another way to phrase that is is death possible in the event of a ransomware attack and it's interesting because my covered entities really get it my business associates who i trained annually 
at first a lot of them said no but then they stopped and they thought and they said you know what not for us but for our covered entities yes and they are exactly right so that's why if you stop and think about treatment and what healthcare's fundamental purpose is not having access or availability or having the integrity of a medical record disrupted is absolutely problematic because you don't know the symptoms the patient has you don't know the last time they received a dose of a drug or a respiratory treatment and you do not know what their drug drug interactions are so absolutely it could be problematic and that's why even during covid adhering to the privacy role in the security rule is so important because it can in fact impact patient outcomes following up on that the virus is now known as the severe acute respiratory syndrome coronavirus 2 also known as sars cob2 for short the disease it causes is called coronavirus disease 2019 or covid19 i like to think of this like hiv and aids and the relationship between those two particular viruses basically what you have is hiv is the underlying virus which can cause the n stage disease known as aids so that's just a way to think of those two items so a couple of general health items that are relevant to covid and during the pandemic first and foremost the hipaa privacy rule and the security rule are still applicable during this pandemic that can't be overstated or highlighted enough the privacy rule has always had an exception for health care providers to report certain diseases or conditions of an individual patient the various states and federal government agencies such as the state's department of health and human services or to the cdc so this is nothing new and it perplexed me because i received not only a lot of inquiries but also i was interviewed by the washington times and a couple of other news outlets about this and their question was can an entity give information to first responders yes as long as they 
use the minimum necessary standard and a lot of times those first responder entities were not even asking who specifically in a household for example had covid they just wanted to know if someone had it or if they had been exposed to someone who added that was it so you really can't get more minimally necessary than what they were asking for again it is within the purview of a covered entity to provide protected health information of a communicable disease status to these public health entities and also to various organizations such as potential unicef or the american red cross we're keeping track of these in order to carry out their functions in terms of their charters and their role in interaction with these public health authorities the transmission of the patient's information still needs to occur occur in accordance with the security rule so if you are reporting coveted cases and specific patient names to the cdc you need to make sure that you are doing it in a secure manner well i've mentioned the minimum necessary role throughout the presentation and it is because it shows up everywhere in hipaa the high tech act all of the interim rules the final rule you have to use the minimum necessary information to accomplish the purpose of what you are doing so covered entities may rely on representations from public health authorities or other public health officials that the requested information is the minimum necessary for the purpose when that reliance is reasonable under the circumstances and a couple of examples are a covered entity can rely on what the cdc says that they need to send in they can also rely on information by the cdc about all patients exposed to or suspected or confirmed to have the novel coronavirus which is coveted 19 as the previous slide said it's written in different ways so that's why i gave you a couple of different examples of how the nomenclature and the acronym may change in addition internally covered entities should continue to apply 
their role-based access this is important because it not only applies to covered entities but also to business associates and to sub-contractors enroll based access if you go back and look at that may 2019 data breach and the violations that i highlighted the three million dollar enforcement action this was one of those issues the role-based access so tell the health versus telecommuting on march 17th of 2020 the hhs office for civil rights announced that it will waive potential penalties for good faith use of telehealth during the nationwide public health emergency due to covid 19. effective immediately this exercise of discretion applies to telehealth provided for any reason regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to covid 19. communication technology considerations between covered entities and patients first you have those which are permissible and now we're into tele health more specifically tell us tell us medicine versus telecommuting telecommuting as we know occurs across a large spectrum of industries it's not specific to hipaa and a lot of laws whether they're state laws or they are other federal laws such as global the graham leach-bliley act which deals with financial institutions personally identifiable information which is sensitive as well you need to make sure that you're adhering to those technical administrative and physical safeguards end of story and transitioning to remote workings should have been in place in business continuity plans and disaster recovery plans already so this should not have been a big deal for any covered entity or business associate now the tele medicine is a different animal and that is a specific communication between a provider and a patient and that falls into three main buckets telemedicine which is a telecommunication which has both an audio and a visual component to it then you have e-visits and check-ins the latter two are reimbursed to the 
lower amounts but they can be done over the phone only so if you are utilizing those codes make sure that you're not up coding because that is an area that hhs oig and the department of justice will not give a pass on it's imperative that if you are a provider that you are in fact documenting the type of entity that you're using and if you have a well-integrated ehr system see if they have an app or another type of solution that's available it really connects it to that electronic health record or automatically uploads some form of documentation because you're going to need it to establish medical necessity so again you want to use the permissible ones on the screen and not the non-permissibles because that's outward facing and no type of interaction between a provider and a patient should be open for the world to see the february 2020 bulletin really hasn't changed hhs has issued subsequent bulletins for further refinement for items such as i previously mentioned the first responders but in general no one can release patient information to the media or to the public at large regarding an individual patient's information related to treatment of an identifiable patient that specifically requires a written authorization and the reality is if you're a business associate more likely than not you do not have it so that's something to be conscious of there i've mentioned the other part of this and this i want to emphasize because this really impacts business associates and subcontractors in an emergency situation covered entities as well as the business associates and subcontractors must continue to implement reasonable safeguards to protect that phi against intentional or unintentional impermissible uses or disclosures and must apply those technical administrative and physical safeguards to electronic protected health information so as we round the final turn of our presentation today here are some key compliance nuggets as i like to call them first i look at the fruit 
basket and i call it the fruit basket because of roger severino's comments he is the director of ocr these are found in a february 3rd 2020 law 360 article for enforcement purposes there's still a lot of low-hanging fruit and throughout the presentation i've identified a lot of those areas not only for covered entity but really for anyone who creates receives maintains or transmits protective health information next there are a lot of entities that are not doing the basics as i said this is frustrating for me and i'm always scored whenever i get a call from a new client where they say i've received an ocr notice and when we start going through things they had very little of the safeguards in place it's just mind-blowing they're not implementing the proper controls on access to patient records this is key clouding of a statutory duty a wide variety of areas where entities have crowd breaches and have not reported to us those breaches that's key and if you look at september through december of 2019 you really see some enforcement actions related to this if hipaa enforcers unearth hidden breaches then covered entities may be accused of sweeping it under the rug and should expect more vigorous enforcement again i mentioned this earlier in the presentation and look to those enforcement actions specifically in florida from september through december of 2019 phi needs to be protected which means that fundamental risk analysis on the front end is crucial types of violations here are some of the items that they really hone in on in addition to what i mentioned before stealing protective health information can also have in fact implications under the false claims act and that is something everyone should strive to avoid employees and contractors looking at information whether or not part of the team or they're not authorized to do so this goes back to those access controls that we saw and then external security breaches ransomware attacks include medstar and hollywood 
presbyterian medical center and then failing to update patches in community health systems 2014 example is something to hone in on there so what are the takeaways before i take any questions well first you want to evaluate baas in the context of both federal and state laws from there performing an annual risk analysis is the first step to identifying vulnerabilities mitigating risk and increasing compliance a baa is a contract and that can't be stated enough both business associates and subcontractors have been under the purview of express liability for years some would argue when the final omnibus rule came out others would argue before that when high tech acts passed and i'm one who would say it stems back even before high-tech act path because it was implied in the privacy rule and in some of those enforcement actions when you start going back a few years hhs did in fact go back to 2005 which is the security rule so that's how far back they can and do often go depending on the length of the relationship between the parties staying abreast of guidance especially during the coven 19 pandemic as well as executive orders and actual changes in the law so with that i want to thank you catherine again for having me and i'll open the floor to any questions okay thank you so much rachel i very much appreciate it that was a very comprehensive webinar and we do have a few questions so thank you so much sure so the first question we have is are indemnification provisions required in baas absolutely not and that's something that i've iterated and reiterated throughout the actual presentation because it's something that you see a lot and it's a very important provision but no it's not a requirement okay all right good well it's uh it's an important thing to to just reiterate so thank you um okay here's another one uh are there other types of cases which could give rise to liability in addition to an ocr fine for not having a business associate agreement in place yes that is 
one of the areas where the business associate agreement is a focus for hhs ocr it's also one of the reasons i have my clients put that in one of their five items okay all right um okay here's a good one is the baa a contract yes it absolutely is a contract it's finding and you can find yourself in a contract claim in court over it often times you have to read that contract in party materia with your other contracts and again it's imperative to make sure that your choice of law choice of venue choice of forum and the indemnification clauses are in fact identical oftentimes i see situations where they're not and as anyone can imagine that is an area that is right for litigation okay all right i always like these type of questions um what are the top three items in the 2019 hhs fact sheet for business associates to focus on if they had if they had three things to focus on what would you recommend absolutely that risk analysis which not only comes up there but the ocr director highlighted that in his 2020 article with law 360. 
so that's first second is the business associate agreement that's another item and lastly it's compliant with the security rule okay all right so top three items all right all right what is the key to avoiding government actions as well as lawsuits um okay and um okay so if you could answer if you could answer that sure what is the key to avoiding government actions and lawsuits first and foremost it's compliance and risk mitigation a good way to do that is to adopt an enterprise risk management strategy and depending on the size of the organization that type of enterprise risk management program will vary having said that that annual risk analysis really helps in the mitigation because you're reviewing and refining and seeing where perhaps you were okay one year but you noticed that there were a lot of impermissible access is the next year that were caught on your logs so that's why that annual risk analysis is crucial as well okay what about um i mean it seems like it seems like organizations should should also um get some of that you know low fr hanging fruit what about what about that low hanging fruit again as the ocr director indicated it all stems from the risk analysis because you're looking at making sure the phi and ephi are kept in a confidential and available and in integrity is intact in those types of data so i would say that that's absolutely crucial in relation to the technical administrative and typical safeguards that can't be overstated okay all right well thank you so much rachel do you do you have anything else that you've thought of or any other words of advice that you wanted to to leave with us today as we wrap up no not at all other than again it's always my pleasure to collaborate with you catherine and first health care compliance in general and i look forward to our next event okay wonderful well i look forward to it as well and i want to make sure to remind our attendees that you can download these slides um remember it's it's either on 
the side of your screen or on the upper part of your screen there's a button to download the slides so you have all the information with you um and uh thank you again so much rachel and thank you attendees uh please i'm sorry go ahead okay chill sorry about that oh no i i have nothing else other than to hope that everyone remains safe and healthy great me too me too so attendees please use the contact on the information on the screen for any questions or if you send us questions later we can forward them on to rachel please remember your paycom and pmi ceu certificate will be emailed to you from within two days following the broadcast automatically there's no need to request it you can register for future webinars or request a demo of our compliance solution on our website at firsthcc.com or call us at 888-543-4778 and thank you for joining us

Frequently asked questions

Learn everything you need to know to use airSlate SignNow eSignatures like a pro.

How do I sign a PDF electronically?

Sign a PDF online electronically without installing additional software or downloading any apps. airSlate SignNow is web-based, giving you the freedom to work on any device from any browser. You can upload various file types, including PDF and DOCX. Simply log in, choose a file and upload it to get started. As soon as you open the document in the editor, click My Signature to sign. Type, draw or upload an image of your electronic signature and save the changes. Once that's done, your document is legally enforceable and ready to be sent to recipients or additional signers (just make sure to add Signature Fields and assign them).

How do I sign and return a PDF document?

If you need someone to sign your documents or forms, airSlate SignNow allows you to collect legally-binding signatures on PDFs in just a couple of clicks. Upload a sample to the Homepage, add as many signature fields as you need by clicking on Signature Field, and assign them to signers. Click Send to Sign and insert emails to define a signing order. If you only need to collect one eSignature, the process is even easier: add an email and send it. When the recipient signs the document, you'll receive a copy in your inbox and in your account.

How do I sign a PDF on my computer?

There are many services that give you the ability to eSign PDFs on your computer. You can find software that needs to be installed or software that is web-based. Each is great in its own way, but online software is more mobile-friendly and allows you to sign PDFs anywhere you have access to the internet, something that's crucial in today's fast-paced business cycle. Create an airSlate SignNow account and generate signatures right from your computer, tablet, or smartphone.