1 / 14

Dealing with Business Associates

Dealing with Business Associates. Business Associates. Business Associates are persons or organizations that on behalf of a covered entity: Perform any function or activity covered by HIPAA Provide a service on behalf of a covered entity involving the transfer of PHI.

barr
Download Presentation

Dealing with Business Associates

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dealing with Business Associates

  2. Business Associates • Business Associates are persons or organizations that on behalf of a covered entity: • Perform any function or activity covered by HIPAA • Provide a service on behalf of a covered entity involving the transfer of PHI

  3. Some DHS Business Associates include: • Medi-Cal Managed Care Plans • Electronic Data Systems (EDS) • Delta Dental • Ramsell • Maximus

  4. HIPAA & Managed Care Plans Medi-Cal Managed Care plans are covered entity health plans under HIPAA

  5. Under federal law the state Medicaid agency must ensure that: Each plan has written policies regarding enrollee rights including: • Right to request and receive a copy of their medical records and • Right to request that records be amended or corrected 42 C.F.R. §438.224

  6. State Medicaid Agency must ensure: • That plans use and disclose individually identifiable health information in accordance with privacy requirements in the HIPAA Privacy Rule

  7. What Does This Mean? • Review plan policies and procedures to make sure HIPAA Privacy policies are in place • Monitor plan compliance with Exhibit “G” of the managed care contracts.

  8. What Does Exhibit “G” Require? • Plans may only use and disclose PHI for purposes directly connected to Medi-Cal administration • Plans must provide DHCS contract manager with a list of external entities, except for network providers, to which it discloses lists of Medi-Cal member names and addresses (annually)

  9. What Does Exhibit “G” Require? • Not to divulge Medi-Cal status except for TPO • To implement administrative, physical and technical safeguards • To maintain comprehensive written information privacy and security program

  10. Notification of Breach Under Exhibit “G”, plan is required to: • Notify DHCS contract manager within 24 hours during a work week of any suspected or actual breach of security or unauthorized use or disclosure of PHI • Take prompt corrective action and investigate the breach

  11. Notification of Breach • Comply with state breach law found at California Civil Code §1798.82 and notify patients of unauthorized disclosure of personal information which is computerized and unencrypted • Provide a written report to DHCS Privacy Officer within 15 days of the discovery of the breach

  12. NPP’s Under Exhibit “G” plans are required to: • Produce a NPP which must include the DHCS Privacy Officer contact information for use by beneficiaries wanting to complain • Submit new or revised NPP’s to DHCS contract managers for review

  13. New Revised BA Agreement • DHCS negotiations with Maximus • Strengthens the following areas: • Compliance with the Security Rule • Notification of breaches • Two versions • High Risk – for FI’s (including EDS and Maximus) • Standard Risk • Revised 12/2007 • Managed Care plans • Use Exhibit G

  14. THE END

More Related