Paul R. Hales
Health Privacy Attorney
Paul R. Hales, J.D. is widely recognized for his ability to explain HIPAA Rules clearly in plain language. He is an attorney licensed to practice before the Supreme Court of the United States, a graduate of Columbia University Law School, and a Senior Counselor of the Missouri Bar with an international practice in HIPAA privacy and security. Paul is the author of all content in The HIPAA E-Tool®, an Internet-based, complete HIPAA compliance solution with separate editions for Health Care Providers, Business Associates, Health Plans, and Third-Party Administrators.
Recorded-webinar by: Paul R. Hales
2023 New HIPAA Business Associate Enforcement – CE & BA Takeaways
On June 28, 2023, the HHS Office for Civil Rights published the results of its investigation into HIPAA violations by a business associate (BA) that provides important guidance and clarification of the requirements for BA HIPAA compliance. Covered entities (CEs) are deeply entangled with the HIPAA compliance of their BAs by law and contract. This webinar builds on the June 28, 2023 HIPAA enforcement settlement to explain the newly clarified BA HIPAA compliance requirements clearly, along with the significant lessons for CEs. The chain of HIPAA compliance starts with a CE. It extends to a BA that provides a CE with services involving PHI. And the chain of compliance continues on down to any subcontractors of a BA that perform services involving PHI. BA subcontractors are defined by HIPAA as BAs and are fully liable for compliance.
During the first six months of 2023, major health information breaches reported to HHS affected nearly double the number of individuals affected during the same period last year. And about half of them were victims of BA breaches. Criminals focus on attacking BAs because one hit can give them access to the PHI of all the BA’s customers – and, according to one expert, BAs are the weakest link – the unlocked window that criminals crawl through.
Serious BA PHI breaches have attracted aggressive private class action lawsuits, filed within days of a breach, targeting BAs and their CE customers. CEs that did nothing wrong can be held liable to pay the same civil money penalty as their BA for the BA’s HIPAA violation under the federal common law of agency, which is included in the HIPAA enforcement rule.
Simple steps, often overlooked but easy to follow, enable BAs and CEs to protect against costs and damage to their reputations caused by BA HIPAA violations. of HIPAA rules that apply to BAs
- CEs must obtain “satisfactory assurances” from each BA, documented in writing, that the BA complies with HIPAA before disclosing PHI to the BA or allowing the BA to create, receive, maintain, or transmit PHI on their behalf
- BAs must obtain “satisfactory assurances” from each subcontractor BA, documented in writing, that the subcontractor BA complies with HIPAA before permitting the subcontractor BA to perform services involving PHI
This webinar explains the interconnected HIPAA compliance responsibilities and liabilities of CEs and BAs.
HIPAA rules that apply to both are easy to follow, step-by-step, when you know the steps.