New Enforcement Penalties and New Guidance About HIPAA Business Associates— Don’t Forget Your VOIP Phone System

Presenter :Jim Sheldon-Dean
Event Date : 07/11/2019
Time: 1 pm ET | 12 pm CT | 11 am MT | 10 pm PT
Duration :90 minutes



Product Description

Since the beginnings of HIPAA more than 20 years ago, there has always been a question of which entities that a health care entity deals with are considered HIPAA Business Associates, and what is required to meet compliance requirements if you are a HIPAA Business Associate or an entity that hires one. 

Some activities, such as claims handling or records management functions, where use or disclosure on behalf of an entity is clear, are easy to see as HIPAA Business Associate activities, while others may not use or disclose Protected Health Information but may create, receive, maintain, or transmit PHI on behalf of another entity, meeting the definition of a HIPAA Business Associate. A recent multi-million-dollar enforcement settlement makes it clear that entities such as VOIP phone service providers do act as HIPAA Business Associates.

This session will discuss how to determine who is a HIPAA Business Associate, what it means to establish a Business Associate relationship, and what the responsibilities are for Business Associates and the entities that hire them.

To clarify HIPAA Business Associate compliance responsibilities, on May 24, 2019, the US Department of Health and Human Services Office for Civil Rights issued a guide to the direct enforcement liabilities of Business Associates under the HIPAA regulations, detailing the specific rules under which Business Associates must operate. There are no surprises, just a straightforward list of ten categories of things that can land a Business Associate in hot water, including one big category for “Failure to comply with the requirements of the Security Rule” and one for “Impermissible Uses and Disclosures of PHI”. While lacking in details, the guidance does help set the boundaries for Business Associate obligations.

On top of these enforcement and guidance initiatives, HHS OCR has recently issued a revised set of penalty levels, increasing all penalty levels by 17% according to a Cost Of Living Adjustment, but reducing the annual maximums for the lower three tiers of penalties to reflect a new interpretation of the law, calling for maximum annual penalties to be related to the four tiers.  While some maximums have been reduced, the changes indicate that enforcement will continue, and recent settlements show that penalties have not been waning, particularly when it comes to Business Associates.

Key Topic Areas:

Because the regulations have expanded the obligations of HIPAA Business Associates, it is now more important than ever to carefully consider whether a BA designation is appropriate or not – Business Associate Agreements are not to be entered into lightly. The requirements have a direct impact on what needs to be put into the business associate agreements you establish. The new guidance from HHS on the direct enforcement liabilities of Business Associates makes more clear the compliance responsibilities HIPAA Business Associates take on.

HIPAA Business Associates must put in place Security Rule protections for electronic PHI within their organizations, including performing a HIPAA Risk Analysis, adopting a full suite of security policies and safeguards, and implementing a continuing security process to ensure the protection of PHI. The entities that hire HIPAA Business Associates need to include in their own HIPAA Risk Analysis the risk issues that may be posed by their Business Associates and plan for mitigation of such risks.

All kinds of covered entities, and now, business associates of covered entities as well, need to review their HIPAA compliance, policies, and procedures to see if they are prepared to meet the challenges of compliance today. In addition, Business Associates have emerged as a leading source of health information breaches, and we will discuss what covered entities should do to ensure good practices by their Business Associates in order to avoid the considerable expense of breaches.

Learning Objectives:

  • The regulations will be reviewed and their effects on usual practices for Business Associates and their relationships with covered entities, hybrid entities, affiliated covered entities (ACEs) and organized health care arrangements (OHCAs) will be discussed.
  • The scope of the definition of HIPAA Business Associate activity will be discussed.
  • Describe the kinds of entities that qualify as Business Associates and why it is important to carefully consider the designation before using it.
  • Explain what a Business Associate needs to do according to the regulations and HHS guidance, and provide a policy framework for information security.
  • Explore the questions that should be posed to HIPAA Business Associates to ensure they have considered good privacy and security compliance practices in their businesses.
  • The new enforcement penalty structure and the latest plans for audits by HHS OCR will be described and a plan for being prepared for audits will be discussed.
Related Courses:

Suggested Attendees:

  • Compliance director
  • CEO
  • CFO
  • Privacy Officer
  • Security Officer
  • Information Systems Manager
  • HIPAA Officer
  • Chief Information Officer
  • Health Information Manager
  • Healthcare Counsel/lawyer
  • Office Manager

About the Presenter:

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of healthcare entities. He is a frequent speaker regarding HIPAA, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference. Jim Sheldon-Dean has more than 36 years of experience in policy analysis and implementation, business process analysis, information systems and software development, and eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.

After Registration

You will receive an email with login information and handouts (presentation slides) 1 day before the live webcast that you can print and share to all participants at your location.

System Requirement

Operating System: Windows any version preferably above Windows Vista & Mac any version above OS X 10.6
Internet Speed: Preferably above 1 MBPS
Headset: Any decent headset and microphone which can be used to talk and hear clearly

Can’t Listen Live?
No problem. You can get access to On-Demand webinar. Use it as a training tool at your convenience.

For more information you can reach out to below contact:
Toll-Free No: 1-302-444-0162
Email: [email protected]

You can also use the order form for making orders. Click here to download.