Module 9. Starter Questions

1. Module 9. Starter Questions • BAs can often be silent behind the scenes partners of CEs.  How should they approach fielding complaints from consumers or persons whose PHI they are using or manipulating for analysis? • As a business that is just a BA, not a covered entity, do we need to worry about breach notification at all outside of the context of what is in out BA agreements?  If we are audited, will OCR just look at our agreements and ignore policies and procedures on breach notification? • Compliance date of 9/22/2014 applies to existing previously compliant BAAs.  What should be compliant - the agreement between the CE and the BA, or the actions taken by the BA to be compliant or both? • What should I ask of / expect of my BAs, given that many are small companies? • Or…As a BA, what can covered entities require of me? Can they all require something different? Is there anything I can do that will enable me to “standardize” the evidence of my compliance? • What about law firms? My defense firm? Did something change with Omnibus that made them more liable and attentive?

2. Module 9. Starter Questions • Am I liable for the actions of my BAs? Can I be penalized if one of my BAs is found to be non-compliant? • In a recent motion to dismiss a data-mining lawsuit, Google says people have "no legitimate expectation of privacy in information" voluntarily turned over to third parties. What are your thoughts? Probably won’t sign a BAA? • How much of the privacy rule applies to me as a BA? • When must my BAAs be updated? • If my company stores PHI but doesn't access it, does HIPAA apply to me? If I am providing and arranging for the hosting of an application, but my medical providers control the access to their data, and I have no access to their data unless they permit me, does HIPAA apply to me? • Are there differences between what a BA must do if they directly serve patients/members (B2C) versus those who serve another business (B2B)? • What kinds of penalties could BAs face if found non-compliant?

3. Module 9. Starter Questions • We've been "negotiating" with Google (we use Google docs, gmail, etc) forever. They will not sign our BAA. Any advice? • Big companies such as Google, Amazon, UPS, FedEx are seemingly ‘getting away’ with not adhering to certain rules and regs. If I continue to work with them, am I leaving myself exposed? • What can a CE or do if a downstream BA refuses to sign a BA agreement? • From a LinkedIn discussion group: Here's an interesting question for you. Are co-location vendors business associates? "I believe the answer is yes but could see the argument co-location vendors are not BAs. if a co-location vendor only houses a server and that server is locked in its own cage and the customer supplied the lock and the co-location vendor can't unlock the cage, is the co-location vendor a business associate because they store and protect an inaccessible server?" • Will HHS go after non-US based BAs who suffer a breach? • Workforce training requirements in the Security Rule seem gray for BAs. ‘Strongly recommended’ vs ‘Required’- I know what we *should do, but what exactly does ‘strongly recommended’ mean?