Business Associate Liability and Other Issues OCR/NIST 2015

SLIDE 1

Business Associate Liability and Other Issues

OCR/NIST 2015 Security Rule Conference
September 2, 2015

Adam Greene, JD, MPH
Davis Wright Tremaine LLP

Amy Leopard, JD
Bradley Arant Boult Cummings

Jim Wieland
Ober Kaler

SLIDE 2

Agenda

  • Who Is a Business Associate: Continuing Questions
  • How Do You Assess a Business Associate?
  • Business Associate Agreement Challenges
  • Cloud computing issues and BAs
  • Does Offshoring Raise Concerns?
  • Cyber Insurance Issues
  • The Role of the Federal Trade Commission in Health Information Security

SLIDE 3

Who Is a BA?

  • Increasingly complex relationships between health care providers and health plans
  • Relations among health care providers: BA, workforce member, organized health care arrangement (OHCA), or none of the above?
  • Maintaining PHI vs. maintaining facilities with PHI

SLIDE 4

How Do You Assess a BA?

  • Risk assessing your BAs
  • Values and deficiencies of 3rd party assessments
  • Values and deficiencies of security questionnaires
  • Prescribing security controls

SLIDE 5

How Do You Assess a BA?

  • What is the BA’s compliance structure?
  • Dealing with “Mom and Pop” BAs
  • Addressing privacy provisions that are optional under HIPAA

SLIDE 6

Business Associate Agreements

  • Who is responsible for breach notification
  • Reporting timelines – is sooner always better?
  • Agency issues – increased control vs. increased liability
  • Whether to permit de-identification

SLIDE 7

Business Associate Agreements

  • Indemnification
  • Are limits on liability appropriate?
  • Should indemnification be tied to lack of reasonableness?

  • The role of cyber insurance

SLIDE 8

Cloud Computing and BAs

  • Sharing security responsibilities across a cloud-based ecosystem
  • Challenges when cloud provider does not know what data it is maintaining

SLIDE 9

Offshoring

  • Does HIPAA place additional restrictions on contracting with non-U.S. vendors?
  • Does HIPAA apply to non-U.S. vendors?
  • Should considerations differ based on what foreign laws are applicable?

SLIDE 10

Cyber Insurance

  • The cyber insurer – the most important party to your BAA?
  • Does your cyber insurance cover your BA’s acts and omissions?
  • Does your BA’s cyber insurance cover your liabilities

SLIDE 11

Federal Trade Commission

  • Section 5 of the FTC Act – “Unfair” and “deceptive” trade practices and health information privacy and security
  • Who is subject to FTC’s Section 5 authority?
  • Does FTC place higher requirements than HIPAA?

  • FTC and offshoring

SLIDE 12

Questions?

Adam H. Greene, JD, MPH

adamgreene@dwt.com 202.973.4213

Amy Leopard, JD

aleopard@babc.com 615.252.2309

Jim Wieland, JD

jbwieland@ober.com 410.347.7397