HIPAA Business Associate Compliance and Dangers

Date: Friday July 14, 2023

10:00 AM PDT | 01:00 PM EDT

Duration: 60 Minutes
Instructor: Paul R. Hales
Webinar Id: 803477


One Attendee
Unlimited Attendees


One Attendee
Unlimited Attendees ?


Live + Recorded
$269 $318  
One Attendee
Live + Recorded
$599 $678  
Unlimited Attendees ?


This webinar is for HIPAA Covered Entities (CEs) and Business Associates (BAs). Criminals increasingly focus cyber-attacks on BAs because one hit can give them access to PHI of all the BA’s customers. Growth of serious BA PHI breaches affecting tens of millions of patients put the spotlight on BA HIPAA compliance, attracting HHS Office for Civil Rights investigations and aggressive private class action lawsuits filed within days of a breach targeting BAs and their CE customers. CEs that did nothing wrong can still be held liable to pay the same civil money penalty as their BA for the BA’s HIPAA violation under the Federal Common Law of Agency which is included in the HIPAA Enforcement Rule.

Simple steps, often overlooked but easy to follow, enable CEs and BAs to protect against costs and damage to their reputations caused by violations of HIPAA Rules that apply to BAs. The chain of HIPAA compliance starts with a CE. It extends to a BA that provides a CE with services involving PHI. And the chain of compliance continues on down to any subcontractors of a BA that perform services involving PHI. BA subcontractors are defined by HIPAA as BAs and are fully liable for compliance.

  • CEs must obtain "satisfactory assurances" from each BA, documented in writing, that the BA complies with HIPAA before disclosing PHI to the BA or allowing the BA to create, receive, maintain, or transmit PHI on their behalf.
  • BAs must obtain "satisfactory assurances" from each Subcontractor BA, documented in writing, that the Subcontractor BA complies with HIPAA before permitting the Subcontractor BA to perform services involving PHI.

This webinar explains the interconnected HIPAA compliance responsibilities and liabilities of CEs and BAs. HIPAA Rules that apply to both are easy to follow, step-by-step, when you know the steps.

Why should you Attend:
  • CEs can find themselves fully liable for HIPAA violations committed by BAs and BAs for violations committed by Subcontractors under the little-known Federal Common Law of Agency. However, risks associated with BA HIPAA compliance can be managed calmly and confidently by following the HIPAA Rules that are easy to follow, step-by-step.
  • CEs should attend to see what to look for in Due Diligence, how to obtain HIPAA-required satisfactory assurances that a BA is complying with HIPAA and avoid liability by inadvertently making a BA their agent.
  • BAs should attend this webinar to see exactly what they must do to comply with HIPAA Rules - Security, Privacy, and Breach Notification Rules. And what to look for in Due Diligence and how to obtain HIPAA-required satisfactory assurances that a Subcontractor BA is complying with HIPAA while avoiding liability by inadvertently making a Subcontractor BA their agent

Areas Covered in the Session:
HIPAA Rules that apply to CEs in dealing with BAs and that BAs must follow are discussed and explained including:
  • Serious Business Associate HIPAA Violations Brief review of current OCR BA Enforcement and Class Action lawsuits based on BA HIPAA violations
  • Explanation of how HIPAA Rules apply to BAs
    • Security, Privacy, and Breach Notification Rules
  • Business Associate Agreements and the Key Agency Issue - Don’t make your BA or Subcontractor BA your legal agent by mistake as many do
  • CE Due Diligence for BAs and BA Due Diligence for Subcontractor BAs
  • Who’s in Charge? - Responsibility & Authority - Responsibility of Senior Management and Owners - Delegation of Authority for development and implementation of a BA HIPAA compliance program

Who Will Benefit:
Covered Entities of all types who disclose PHI to BAs and allow BAs to create, receive, maintain, and transmit PHI on their behalf.
Business Associates of all types including for example:
  • Billing and Coding companies
  • Practice Management Companies
  • IT Vendors
  • Data Storage firms (electronic and paper)
  • Secure and unsecured providers of PHI email and text message services
  • Vendors of patient satisfaction surveys
  • PHI record retrieval and release of information vendors
  • Law and Accounting Firms
  • Health Plan Third-Party Administrators
  • CE Owner - CEO - COO Compliance Manager
  • Board of Directors - for-profit and non-profit CEs
  • Healthcare Practice Manager
  • Administrator, Long-Term Care Facility
  • BA Owner - CEO - COO
  • Security and Privacy Officers
  • Compliance, Information Security, and Risk Management Directors
  • Business Manager
  • Attorney - General Counsel, Associate General Counsel, Inside Compliance Attorney, Outside Health Law Attorney

Speaker Profile
Paul R. Hales, J.D. is widely recognized for his expert knowledge and ability to explain the HIPAA Rules clearly in plain language. Paul is an attorney licensed to practice before the Supreme Court of the United States and a graduate of Columbia University Law School with an international practice in HIPAA privacy and security. He is the author of all content in The HIPAA E-Tool®, an Internet-based, complete HIPAA compliance solution with separate editions for Covered Entities, Business Associates, Health Plans and Third Party Administrators.

You Recently Viewed