Three available size options exit to fit your needs: 80″ class, 70″ class, and 60″ class.

The brilliant high definition LCD panel, with energy-efficient design, provides a beautiful display while also allowing you to annotate, store and sharing your information.  The easy multi-touch operation with a pen or finger defines the functionality of the device.  The exclusive, user-intuitive Sharp Pen Software™ pairs well with high-performance optical imaging and infrared detection systems for quick response.  The Direct Sharp MFP connectivity makes it easy to import or export data between machines.  To further usability, the device comes with built-in templates that include calendars, to-do lists, and more.

For more information on the AQUOS BOARD or other Sharp products, give us a call at (616) 977-2679.

The top five reasons that LifeSize believes they offer truly Smart Video:
1.  Easy enough for anyone to use without training
2.  Lots of infrastructure applications with none of the hassle
3.  Heads-up experience
4.  Name-based dialing
5.  Smart scheduling

Seeing is believing, so click here to request a demo to see LifeSize Icon Series in action.

Give us a call at (616) 977-2679 to have us answer any questions you may have or to get involved with this exciting technology.

Managed Workplace is a next-generation remote monitoring and management software platform, which delivers end-to-end visibility into the networks, cloud, applications and devices relied on by your end-users.  See everything that is happening in your IT environment through a unified web-based dashboard, with automatic discovery and monitoring of existing and new devices.  Use alerting to proactively address performance and security concerns.  Automate configuration and network settings to increase productivity, enforce usage policies and improve security.

For more information about Managed Workplace, visit: www.levelplatforms.com

For more information on how you can use this and similar tools to grow your business, contact Kraft Business Systems at (616) 977-2679.

GreatAmerica defines this title as having “the business acumen it takes to be an industry market leader; a long-term outlook, ethical business conduct, customer focus and loyalty to worthy business partners.”

For more information about GreatAmerica Financial Services, visit their website at: www.greatamerica.com.

Help Keep Your Customers Protected!

Addressing published claims of HP^® printer and MFP vulnerabilities and reviewing how a Sharp MFP’s

extensive feature set provides data and network security!

At Sharp we are dedicated to ensuring that our customers are provided with the latest MFP security features and functions; and, we make every effort toprovide you with timely information designed to address current and important topics regarding MFP security.

A recently published articledetailing a potential security vulnerability found with HP printers affords us an opportunity to bring to your attention the many ways, including access control, data security, and network security,Sharp MFPs can help protect customer data and the networks on which the MFPs reside.

We have a long-standing tradition of providing the finest security features in the industry. To assist you further please refer to the attached bulletin and matrix–these items describe in additional detail the many security features available on our equipment.

Sincerely,

RICHARD HUELBIG

Product Manager–Security & Print

Sharp Imaging And Information Company Of America

http://www.kraftbusiness.com/blog/wp-content/uploads/2013/04/Sharp_Security_At_A_Glance_Matrix_Page_4_3.14.13.pdf

http://www.kraftbusiness.com/blog/?attachment_id=1001

“There are two kinds of computer owners: those that backup their data, and those who will backup after they lose something irreplaceable. It’s that last group for whom World Backup Day exists, and the special occasion has returned for a third year to make sure we all wind up in that first, very responsible camp.”

Don’t be a part of the second camp, ask us about our Disaster Recovery services.

Read the full article by Jon Fingas: http://www.engadget.com/2013/03/31/world-backup-day-2013/

Over the past couple of years with HITECH and now the HIPAA Omnibus Rule, there are higher restrictions with business associates and their vendors.  I want to spend some time talking a little bit about that today.

Slide: Agenda

First of all let’s lay out a quick agenda.  I want to talk about HIPAA, HITECH, Omnibus, and how it relates to the Business Associate.  Then we’ll give some background about the relationships those healthcare organizations have with healthcare entities and medical practices.  After, we’ll wrap things up by talking about what comes next; what will be the next step for entities, what will be the next step for Business Associates.  Then we’ll have a summary and Q&A section.

Slide: HIPAA, HITECH, and The Business Associate

First of all, let’s talk about this idea of a Business Associate.  In the HIPPA world we have a couple different types of organizations.  Generally, we know the covered entity gets the most HIPAA exposure; but it’s important to understand that a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  So, organizations that provide services to position practices, hospitals, insurance companies are considered Business Associates.

Slide: HIPAA, HITECH, and The Business Associate ctd.

The important phrase in that definition is “certain functions or activities”.  First thing is disclosures.   At this point, a disclosure is the release of some patient information to a third party.  There are some Business Associates or vendors of medical providers that have to make disclosures in some cases.   The main term, or general term, is that of services.

I also want to spend some time talking about this idea of reasonable and appropriate safeguards.  Anybody who has worked with Business Associates knows that you have business associate contracts in place. If you’re a covered entity, a provider or insurance company, you have contracts with your vendors; if you’re a vendor you have contracts with your clients.  In those contracts, which are called, Business Associate Agreement or Business Associate Contracts, the names are used synonymously; there is certain language in there that suggests that a Business Associate has to take reasonable and appropriate safeguards.

Slide: Safeguards- Not Just Vague Language

Now I am going to talk about a bit about that language and what that means.  When we talk about this concept of safeguards it specifically mentions in Business Associates contracts about administrative, physical, and technical safeguards.  In my experience working with a lot of companies, those statements are sometimes interpreted as just safeguards.  And what I think Business Associates are learning more and more is that administrative, physical, and technical safeguards are very specific HIPAA requirements and citations.  So, the point I want to drive home here is when you’re engaged with a Business Associate, or if you’re a Business Associate engaged with a client those terms are very specific HIPAA requirements.  When you’re signing a Business Associate Agreement, understand that you’re committing to meeting those requirements.

Slide: Add HITECH/Omnibus to the Mix

A little bit of history on HIPPA.  We know that it came out in 1996 and that from privacy prospective we’ve all had patients sign HIPAA forms, or signed them ourselves as patients.  Well, the HIPAA rules have changed a little bit over the years.  In particular, the first major change that occurred was when the HITECH Act was introduced in 2009.  HITECH was a part of the American Reinvestment Act stimulus package, and it stands for the Health Information Technology for Economic Recovery and Reinvestment Act of 2009.  There were a number of things that were put into that whole stimulus plan.  First was the introduction of what we now call Meaningful Use; in other words, there were incentives available for  providers who had not yet implemented medical records in electronic form to do so.  The second part of that entire measure was around educating the workforce and the providers on electronic medical records and technology within the healthcare industry.  What is really not widely known is that a good portion of that HITECH Act was set aside to redefine and restructure some portion in HIPAA.

Slide: Post-HITECH/Omnibus HIPAA

The second thing that happened over the last four weeks was we were introduced to the HIPAA Consolidated Omnibus.  The consolidated omnibus was a combination of rules that had changed over the years plus the introduction of new requirements that were added, in what I’m calling “HIPAA 2.0”.  We had some minor revisions along the way and now we have our second version of HIPAA.  So let’s now talk about HITECH and omnibus and what changed relative to HIPAA.  First of all, the physicians who are attesting to meaningful use to receive their incentive, there were specific HIPPA requirements built into the whole Meaningful Use standard.  Enforcement changed; there were increases in the maximum level of fines, there were also various entities that were made responsible for enforcing HIPPA violations.  The other thing that changed is HIPAA ignorance is no longer tolerated.  This means that if there is a violation, in the past, it was frequent that an organization would claim they simply didn’t know they had to comply here or have to comply there, and often times they would get a slap on the wrist and be put in a position where they could remedy the situation.  Well that has changed, and at this point if you are ignorant of your responsibilities that puts you in the category of willful neglect.  The other major piece, the core of this presentation, is the fact that Business Associates and Subcontractors now have the same HIPAA responsibilities as the Covered Entities they service.  This one is key because this one says that the Business Associate has to be HIPAA compliant, and so do their vendors.

Slide: The Business Associate Relationship

I am going to lay out the way HIPAA sees the Business Associate relationship.  Covered entities are your providers, your hospitals, your insurance companies, your clearing houses.  Generally, those covered entities have vendors or groups that provide services; these are defined as the Business Associates.  Additionally, those Business Associates may have companies that provide services, and those organizations in the HIPAA world are called subcontractors to the covered entity.  The Business Associate has responsibilities to the covered entity, and the subcontractor has responsibilities to the Business Associate.  There is a fourth type of organization called a conduit; this is an organization like the US Postal Services or UPS.  Ultimately, that conduit has responsibilities to all three of those.  However, the one thing that has changed is that conduits are exempt from HIPAA compliance for a number of reasons.

Slide: Post-HITECH/Omnibus HIPAA

Now we will go into detail about what changed relative to HITECH and Omnibus as it relates to Business Associates.  One, as mentioned before, is that Business Associates and Subcontractors must comply with all HIPAA Security Rules and relative Privacy Rules.  Business Associates and Subcontractors are now liable for any misuse or failure to safeguard protected health information (PHI).  Business Associates and Subcontractors must have a relative Breach Notification Process; Business Associates now have the responsibility to identify, recognize, and report breaches through the chain accordingly.  Business Associates and Subcontractors are required to provide access to a copy of the electronic protected health information (ePHI) to the covered entity when requested.  For example, if you have electronic medical record software and you request an electronic copy of that medical record, the Business Associate is obligated to provide that to you in a type of disclosure.  Lastly, Business Associates and Subcontractors must provide access to PHI in the event of an audit.  This means that if a Business Associate is chosen for a HIPAA audit, they would have to provide access to the records in the same way that a provider would have to give access to the records.

Slide: HIPAA Compliance Responsibility

I am going to further dive into the responsibilities of the organizations.  So, the Covered Entities, the Business Associate, and the Subcontractor all have responsibilities to achieve and maintain HIPAA Compliance.  All Business Associates may not apply or have relevant compliance responsibilities to each area under the administrative simplification.  It may just be security, depending on the rule, and the purpose they serve.  I also note here that the Conduits do in fact not have HIPPA Compliance Responsibilities.

Slide: Business Associate Impact

Let me explain a little bit why the government is putting significant effort in making sure that the BA’s and their vendors are meeting compliance.  These stats were pulled from the Office for Civil Rights Health and Human Services, known as the “wall of shame”; it’s when an organization has a breach of 500 or more individuals who are affected by that breach.  Ultimately, between September 2009 and December 2012, there have been breaches and the number of patients affected by those breaches is 21,516,294.  The numbers that stand out to me are that Business Associates were involved in 21% of those breaches; when you look at the total individuals affected, Business Associates were responsible for 57% of the individuals breached.  What were saying here is that the healthcare organizations whose patients were breached, 57% of those individuals was the fault of one of their vendors.  As you look at the average individuals per breach, when a BA is involved, there is an average of 106,698 individuals involved per breach.  Anybody that has had to deal with a breach knows that it has to be dealt with in terms of cost per individual per breach.

Slide: The Covered Entity’s Perspective

So, let’s look at it from the Covered Entity’s perspective.  So, we may have organizations on this call that are providers or Business Associates.  I am first going to draw out some enforcement activities, specifically, the categories of enforcement that have been laid out.

The worst possible scenario is to commit a breach or have an audit and be in a category of willful neglect where nothing is corrected.  The second willful neglect category is where the violation is corrected.  The third category, which is less severe than the other two, is due to reasonable cause and not willful neglect.  The final category, and the best scenario you could be in if a breach does occur, is by exercising reasonable diligence would not have known.   Understand that, in the event of a breach, or in the event of an audit or investigation, recognize that a fine or penalty is extremely likely, where you fall on this spectrum is directly proportional to the amount of work you’ve done to become compliant and stay compliant.  The purpose of this slide is that with the increasing degree of effort, you decrease your decrease your degree of HIPAA Compliance Risk.

Slide: The Covered Entity’s Relationships with Business Associates 

Now, let’s talk specifically about the Business Associate relationship and how that factors in.   I drew the same parallel with the increasing degree of HIPAA Compliance effort by the Covered Entity, Business Associate, and Subcontractor and its relationship to the decreasing degree of HIPAA Compliance Risk to the Covered Entity.

The worst possible scenario that can exist is that you could be doing business with an organization, a Business Associate, and have no BA contract in place.  Obviously, the next best step is to have a BA contract in place.  The next best step, relative to impact of the Covered Entity, is if the Business Associate or Subcontractor has conducted a risk assessment.  The next best step is that the BA or Subcontractor is taking necessary steps to compliance.  The most optimal step is if the BA or Subcontractor   produces proof of HIPAA Compliance.

Now, there’s a couple of questions any myths that float around, and I’ll go over those later, but it’s important to understand that the further you take this HIPAA effort, the decreasing amount of risk you’re presenting to your client.  One of the questions I often ask is is there a see no evil, hear no evil mentality for HIPAA.  In other words, if I don’t do a risk assessment and I don’t uncover anything that’s vulnerable, am I in a worse position than if I were to discover it and uncover it.  The answer is yes.  If you elect not to perform a risk assessment or to take yourself down the path of business and healthcare and you haven’t done, at the minimum a BA contract or risk assessment, you’re in this situation of willful neglect.  In other words, the government or auditor would rather see you do something and perhaps not achieve 100% compliance, but do something on that path as opposed to doing nothing.  And of course, as you can imagine, the level of fines and enforcement are relative as you cross the spectrum.

Slide: Common Questions

So I said I’d go over some common myths and questions.  First, is the Covered Entity responsible for their Business Associate’s or Subcontractor’s HIPAA Compliance, or vice versa?  And the answer to that is no.

Second, is the Covered Entity responsible for engaging in relationships with HIPAA Compliant Business Associates and Subcontractors?  And the answer to that is absolutely.  The Covered Entity has a responsibility of diligence that they have to execute in making sure that they’re doing business with those who will protect their information.

The last question I’m commonly asked is if the Business Associate or Subcontractor claims HIPAA Compliance, does this imply that the Covered Entity is HIPAA Compliant?  And the answer to that is no.  This is very common, and I’ll give you a great example of where I see this.  When a practice or a provider implements and electronic medical records software and that EMR software developer produces a HIPAA Compliant statement, many organizations believe that because they have that in hand that they have filled their HIPAA Responsibilities.  When, in actuality, that’s not the case.  The practice, provider, health system insurance company has to do their own HIPAA Compliance measures.

Slide: HIPAA Compliance of Business Associates and Subcontractors

As I see it, in the HIPAA world, when you’re working with a Business Associate you have two types of compliance that should be measured.  The first is solution compliance.  For example, I’m going to use the idea of an electronic medical record solution.  The solution means that the EMR is HIPAA compliant and is hosted in a HIPAA compliant Facility.  In other words, the development of that application includes all the measures to control items such as having everyone use their I.D., having audit trails within the EMR, and other factors.

However, on the institutional compliance side I’m looking for that EMR Company and Hosting Company to have gone through an exercise to make sure that they have all the correct policies and procedures in place, to make sure their employees have been trained, to make sure they have a disaster recovery plan in the event that wherever their EMR is hosted was essentially taken care of in the event of a disaster.  So I’m looking at it from two perspectives, and it’s important that as you deal with your Business Associates, you look at it as well.  Another example would be a basic shredding company.  For example, I know that now a days that a lot of shredding companies will actually drive a truck to your office where they shred it on site.  So in other words, they’re showing you a HIPAA compliance solution.  However, my question to them is have your employees been trained? Do you have policies around sanctioning employees if they happen to commit a HIPAA violation?  So there are two areas to make sure are reviewed in this process.

Slide: A Healthcare Scenario

I also mentioned earlier that I would lay out a scenario of a basic single doctor healthcare practice and show you the complexities that exist.  You’re looking at a diagram that shows a physicians practice in the left corner.  That physician practice may use an electronic medical record that is hosted in the cloud.  That cloud has a disaster recovery site and is also connected with the medical record company.   That practice may also use an It Services company that works with their local work stations and servers, a document destruction company to do their shredding, they may also interface with the lab and the insurance company.  So when you start laying out this scenario, and you look at where the PHI is located, what you find is that PHI owned by the doctor is in a lot of different places.  Therefore, when you start looking at who has HIPAA Responsibility, everybody who has physical or technical visibility to that patient information is responsible for HIPAA Compliance.

Slide: What constitutes compliance?

The other important thing is to recognize what constitutes compliance.  For example, I always look at it in a three pronged approach.  When you look at things you have within your business; you have antivirus software, everyone has a login I.D., you do backup and recovery.  You have the technical capabilities to do this which I lumped in this whole category called safeguards.  To the left of that is policy; you have to have policy and procedures surrounding each one of those.  In other words, how often do you backup?  Who does it?  How is it done, how is it recovered?  The third, and most important, is to be able to prove that.  It’s great in practice to say “I do ABC”, but it’s something different in an audit situation when you have to prove that you do it.  I always equate HIPAA to the IRS.  Yes, it’s great to be able to say I spent this much here and this much there, but if the IRS comes out they are going to want proof of it.  It is the same thing with HIPAA when an audit occurs.

Slide: Who enforces HIPAA Compliance?

So, very quickly about who enforces HIPAA.  One, it is enforced through the United States Department of Health and Human Services in the Office for Civil Rights.  In addition to that, along with the HITECH Act, there were also funds that were appropriated to train individuals within each individual state’s Office of the Attorney General or HIPAA enforcement on behalf of the public.  So there are a couple entities that take after enforcing HIPAA.

Slide: Is there an easy way to take the first step?

Introduction:

Over the past couple of years with HITECH and now the HIPAA Omnibus Rule, there are higher restrictions with business associates and their vendors.  I want to spend some time talking a little bit about that today.

Slide: Agenda

First of all let’s lay out a quick agenda.  I want to talk about HIPAA, HITECH, Omnibus, and how it relates to the Business Associate.  Then we’ll give some background about the relationships those healthcare organizations have with healthcare entities and medical practices.  After, we’ll wrap things up by talking about what comes next; what will be the next step for entities, what will be the next step for Business Associates.  Then we’ll have a summary and Q&A section.

Slide: HIPAA, HITECH, and The Business Associate

First of all, let’s talk about this idea of a Business Associate.  In the HIPPA world we have a couple different types of organizations.  Generally, we know the covered entity gets the most HIPAA exposure; but it’s important to understand that a Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.  So, organizations that provide services to position practices, hospitals, insurance companies are considered Business Associates.

Slide: HIPAA, HITECH, and The Business Associate ctd.

The important phrase in that definition is “certain functions or activities”.  First thing is disclosures.   At this point, a disclosure is the release of some patient information to a third party.  There are some Business Associates or vendors of medical providers that have to make disclosures in some cases.   The main term, or general term, is that of services.

I also want to spend some time talking about this idea of reasonable and appropriate safeguards.  Anybody who has worked with Business Associates knows that you have business associate contracts in place. If you’re a covered entity, a provider or insurance company, you have contracts with your vendors; if you’re a vendor you have contracts with your clients.  In those contracts, which are called, Business Associate Agreement or Business Associate Contracts, the names are used synonymously; there is certain language in there that suggests that a Business Associate has to take reasonable and appropriate safeguards.

Slide: Safeguards- Not Just Vague Language

Now I am going to talk about a bit about that language and what that means.  When we talk about this concept of safeguards it specifically mentions in Business Associates contracts about administrative, physical, and technical safeguards.  In my experience working with a lot of companies, those statements are sometimes interpreted as just safeguards.  And what I think Business Associates are learning more and more is that administrative, physical, and technical safeguards are very specific HIPAA requirements and citations.  So, the point I want to drive home here is when you’re engaged with a Business Associate, or if you’re a Business Associate engaged with a client those terms are very specific HIPAA requirements.  When you’re signing a Business Associate Agreement, understand that you’re committing to meeting those requirements.

Slide: Add HITECH/Omnibus to the Mix

A little bit of history on HIPPA.  We know that it came out in 1996 and that from privacy prospective we’ve all had patients sign HIPAA forms, or signed them ourselves as patients.  Well, the HIPAA rules have changed a little bit over the years.  In particular, the first major change that occurred was when the HITECH Act was introduced in 2009.  HITECH was a part of the American Reinvestment Act stimulus package, and it stands for the Health Information Technology for Economic Recovery and Reinvestment Act of 2009.  There were a number of things that were put into that whole stimulus plan.  First was the introduction of what we now call Meaningful Use; in other words, there were incentives available for  providers who had not yet implemented medical records in electronic form to do so.  The second part of that entire measure was around educating the workforce and the providers on electronic medical records and technology within the healthcare industry.  What is really not widely known is that a good portion of that HITECH Act was set aside to redefine and restructure some portion in HIPAA.

Slide: Post-HITECH/Omnibus HIPAA

The second thing that happened over the last four weeks was we were introduced to the HIPAA Consolidated Omnibus.  The consolidated omnibus was a combination of rules that had changed over the years plus the introduction of new requirements that were added, in what I’m calling “HIPAA 2.0”.  We had some minor revisions along the way and now we have our second version of HIPAA.  So let’s now talk about HITECH and omnibus and what changed relative to HIPAA.  First of all, the physicians who are attesting to meaningful use to receive their incentive, there were specific HIPPA requirements built into the whole Meaningful Use standard.  Enforcement changed; there were increases in the maximum level of fines, there were also various entities that were made responsible for enforcing HIPPA violations.  The other thing that changed is HIPAA ignorance is no longer tolerated.  This means that if there is a violation, in the past, it was frequent that an organization would claim they simply didn’t know they had to comply here or have to comply there, and often times they would get a slap on the wrist and be put in a position where they could remedy the situation.  Well that has changed, and at this point if you are ignorant of your responsibilities that puts you in the category of willful neglect.  The other major piece, the core of this presentation, is the fact that Business Associates and Subcontractors now have the same HIPAA responsibilities as the Covered Entities they service.  This one is key because this one says that the Business Associate has to be HIPAA compliant, and so do their vendors.

Slide: The Business Associate Relationship

I am going to lay out the way HIPAA sees the Business Associate relationship.  Covered entities are your providers, your hospitals, your insurance companies, your clearing houses.  Generally, those covered entities have vendors or groups that provide services; these are defined as the Business Associates.  Additionally, those Business Associates may have companies that provide services, and those organizations in the HIPAA world are called subcontractors to the covered entity.  The Business Associate has responsibilities to the covered entity, and the subcontractor has responsibilities to the Business Associate.  There is a fourth type of organization called a conduit; this is an organization like the US Postal Services or UPS.  Ultimately, that conduit has responsibilities to all three of those.  However, the one thing that has changed is that conduits are exempt from HIPAA compliance for a number of reasons.

Slide: Post-HITECH/Omnibus HIPAA

Now we will go into detail about what changed relative to HITECH and Omnibus as it relates to Business Associates.  One, as mentioned before, is that Business Associates and Subcontractors must comply with all HIPAA Security Rules and relative Privacy Rules.  Business Associates and Subcontractors are now liable for any misuse or failure to safeguard protected health information (PHI).  Business Associates and Subcontractors must have a relative Breach Notification Process; Business Associates now have the responsibility to identify, recognize, and report breaches through the chain accordingly.  Business Associates and Subcontractors are required to provide access to a copy of the electronic protected health information (ePHI) to the covered entity when requested.  For example, if you have electronic medical record software and you request an electronic copy of that medical record, the Business Associate is obligated to provide that to you in a type of disclosure.  Lastly, Business Associates and Subcontractors must provide access to PHI in the event of an audit.  This means that if a Business Associate is chosen for a HIPAA audit, they would have to provide access to the records in the same way that a provider would have to give access to the records.

Slide: HIPAA Compliance Responsibility

I am going to further dive into the responsibilities of the organizations.  So, the Covered Entities, the Business Associate, and the Subcontractor all have responsibilities to achieve and maintain HIPAA Compliance.  All Business Associates may not apply or have relevant compliance responsibilities to each area under the administrative simplification.  It may just be security, depending on the rule, and the purpose they serve.  I also note here that the Conduits do in fact not have HIPPA Compliance Responsibilities.

Slide: Business Associate Impact

Let me explain a little bit why the government is putting significant effort in making sure that the BA’s and their vendors are meeting compliance.  These stats were pulled from the Office for Civil Rights Health and Human Services, known as the “wall of shame”; it’s when an organization has a breach of 500 or more individuals who are affected by that breach.  Ultimately, between September 2009 and December 2012, there have been breaches and the number of patients affected by those breaches is 21,516,294.  The numbers that stand out to me are that Business Associates were involved in 21% of those breaches; when you look at the total individuals affected, Business Associates were responsible for 57% of the individuals breached.  What were saying here is that the healthcare organizations whose patients were breached, 57% of those individuals was the fault of one of their vendors.  As you look at the average individuals per breach, when a BA is involved, there is an average of 106,698 individuals involved per breach.  Anybody that has had to deal with a breach knows that it has to be dealt with in terms of cost per individual per breach.

Slide: The Covered Entity’s Perspective

So, let’s look at it from the Covered Entity’s perspective.  So, we may have organizations on this call that are providers or Business Associates.  I am first going to draw out some enforcement activities, specifically, the categories of enforcement that have been laid out.

The worst possible scenario is to commit a breach or have an audit and be in a category of willful neglect where nothing is corrected.  The second willful neglect category is where the violation is corrected.  The third category, which is less severe than the other two, is due to reasonable cause and not willful neglect.  The final category, and the best scenario you could be in if a breach does occur, is by exercising reasonable diligence would not have known.   Understand that, in the event of a breach, or in the event of an audit or investigation, recognize that a fine or penalty is extremely likely, where you fall on this spectrum is directly proportional to the amount of work you’ve done to become compliant and stay compliant.  The purpose of this slide is that with the increasing degree of effort, you decrease your decrease your degree of HIPAA Compliance Risk.

Slide: The Covered Entity’s Relationships with Business Associates

Now, let’s talk specifically about the Business Associate relationship and how that factors in.   I drew the same parallel with the increasing degree of HIPAA Compliance effort by the Covered Entity, Business Associate, and Subcontractor and its relationship to the decreasing degree of HIPAA Compliance Risk to the Covered Entity.

The worst possible scenario that can exist is that you could be doing business with an organization, a Business Associate, and have no BA contract in place.  Obviously, the next best step is to have a BA contract in place.  The next best step, relative to impact of the Covered Entity, is if the Business Associate or Subcontractor has conducted a risk assessment.  The next best step is that the BA or Subcontractor is taking necessary steps to compliance.  The most optimal step is if the BA or Subcontractor   produces proof of HIPAA Compliance.

Now, there’s a couple of questions any myths that float around, and I’ll go over those later, but it’s important to understand that the further you take this HIPAA effort, the decreasing amount of risk you’re presenting to your client.  One of the questions I often ask is is there a see no evil, hear no evil mentality for HIPAA.  In other words, if I don’t do a risk assessment and I don’t uncover anything that’s vulnerable, am I in a worse position than if I were to discover it and uncover it.  The answer is yes.  If you elect not to perform a risk assessment or to take yourself down the path of business and healthcare and you haven’t done, at the minimum a BA contract or risk assessment, you’re in this situation of willful neglect.  In other words, the government or auditor would rather see you do something and perhaps not achieve 100% compliance, but do something on that path as opposed to doing nothing.  And of course, as you can imagine, the level of fines and enforcement are relative as you cross the spectrum.

Slide: Common Questions

So I said I’d go over some common myths and questions.  First, is the Covered Entity responsible for their Business Associate’s or Subcontractor’s HIPAA Compliance, or vice versa?  And the answer to that is no.

Second, is the Covered Entity responsible for engaging in relationships with HIPAA Compliant Business Associates and Subcontractors?  And the answer to that is absolutely.  The Covered Entity has a responsibility of diligence that they have to execute in making sure that they’re doing business with those who will protect their information.

The last question I’m commonly asked is if the Business Associate or Subcontractor claims HIPAA Compliance, does this imply that the Covered Entity is HIPAA Compliant?  And the answer to that is no.  This is very common, and I’ll give you a great example of where I see this.  When a practice or a provider implements and electronic medical records software and that EMR software developer produces a HIPAA Compliant statement, many organizations believe that because they have that in hand that they have filled their HIPAA Responsibilities.  When, in actuality, that’s not the case.  The practice, provider, health system insurance company has to do their own HIPAA Compliance measures.

Slide: HIPAA Compliance of Business Associates and Subcontractors

As I see it, in the HIPAA world, when you’re working with a Business Associate you have two types of compliance that should be measured.  The first is solution compliance.  For example, I’m going to use the idea of an electronic medical record solution.  The solution means that the EMR is HIPAA compliant and is hosted in a HIPAA compliant Facility.  In other words, the development of that application includes all the measures to control items such as having everyone use their I.D., having audit trails within the EMR, and other factors.

However, on the institutional compliance side I’m looking for that EMR Company and Hosting Company to have gone through an exercise to make sure that they have all the correct policies and procedures in place, to make sure their employees have been trained, to make sure they have a disaster recovery plan in the event that wherever their EMR is hosted was essentially taken care of in the event of a disaster.  So I’m looking at it from two perspectives, and it’s important that as you deal with your Business Associates, you look at it as well.  Another example would be a basic shredding company.  For example, I know that now a days that a lot of shredding companies will actually drive a truck to your office where they shred it on site.  So in other words, they’re showing you a HIPAA compliance solution.  However, my question to them is have your employees been trained? Do you have policies around sanctioning employees if they happen to commit a HIPAA violation?  So there are two areas to make sure are reviewed in this process.

Slide: A Healthcare Scenario

I also mentioned earlier that I would lay out a scenario of a basic single doctor healthcare practice and show you the complexities that exist.  You’re looking at a diagram that shows a physicians practice in the left corner.  That physician practice may use an electronic medical record that is hosted in the cloud.  That cloud has a disaster recovery site and is also connected with the medical record company.   That practice may also use an It Services company that works with their local work stations and servers, a document destruction company to do their shredding, they may also interface with the lab and the insurance company.  So when you start laying out this scenario, and you look at where the PHI is located, what you find is that PHI owned by the doctor is in a lot of different places.  Therefore, when you start looking at who has HIPAA Responsibility, everybody who has physical or technical visibility to that patient information is responsible for HIPAA Compliance.

Slide: What constitutes compliance?

The other important thing is to recognize what constitutes compliance.  For example, I always look at it in a three pronged approach.  When you look at things you have within your business; you have antivirus software, everyone has a login I.D., you do backup and recovery.  You have the technical capabilities to do this which I lumped in this whole category called safeguards.  To the left of that is policy; you have to have policy and procedures surrounding each one of those.  In other words, how often do you backup?  Who does it?  How is it done, how is it recovered?  The third, and most important, is to be able to prove that.  It’s great in practice to say “I do ABC”, but it’s something different in an audit situation when you have to prove that you do it.  I always equate HIPAA to the IRS.  Yes, it’s great to be able to say I spent this much here and this much there, but if the IRS comes out they are going to want proof of it.  It is the same thing with HIPAA when an audit occurs.

Slide: Who enforces HIPAA Compliance?

So, very quickly about who enforces HIPAA.  One, it is enforced through the United States Department of Health and Human Services in the Office for Civil Rights.  In addition to that, along with the HITECH Act, there were also funds that were appropriated to train individuals within each individual state’s Office of the Attorney General or HIPAA enforcement on behalf of the public.  So there are a couple entities that take after enforcing HIPAA.

Slide: Is there an easy way to take the first step?

So the question now is if there is an easy way to take the first step?  Well, one, I want to reiterate that you should treat HIPAA compliance with the same degree of diligence and urgency as accounting, taxes, and the IRS.  Start with a simple checklist, particularly if you are a Business Associate, of areas that need to be addressed.  For example, with our organization we have a specific services working with Business Associates to help understand their requirements, help understand where their HIPAA vulnerabilities exist, and then help them through that process; in other words, we perform a risk assessment.

So the question now is if there is an easy way to take the first step?  Well, one, I want to reiterate that you should treat HIPAA compliance with the same degree of diligence and urgency as accounting, taxes, and the IRS.  Start with a simple checklist, particularly if you are a Business Associate, of areas that need to be addressed.  For example, with our organization we have a specific services working with Business Associates to help understand their requirements, help understand where their HIPAA vulnerabilities exist, and then help them through that process; in other words, we perform a risk assessment.

To view the presentation, click the link below:

http://www.slideshare.net/HealthCareManagement/business-associate-hipaa-compliance-impact-on-the-business-associate-and-covered-entities

We hope you will join us and we look forward to seeing you there!

RSVP via Facebook or contact Nicole Rodammer at (616) 977-2679.

March 20 – 12:15-1 p.m.

Joe Dylewski, Managing HIPAA Partner at Health Care Management, will be talking about Business Associates and their involvement in the HIPAA Omnibus Rule .  A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Register Here: https://www3.gotomeeting.com/register/736002358

“When we put on these surveillance devices, we all become spies, or scrooglers, of everything and everyone around us.”

As the technological world continues to grow, Google will soon put us in a position where our privacy disappears.  The revolutionary Google Glass will let one of the most powerful companies in the world see what we see and tailor itself to our every want and need…but at what cost to us?

Read the full article: http://www.cnn.com/2013/02/25/tech/innovation/google-glass-privacy-andrew-keen/index.html?iid=article_sidebar