If you are a healthcare organization that has vendors providing services as a HIPAA Business Associate, managing this process can be confusing. A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity healthcare provider.
Having a systematic process to handle these business relationships to ensure a healthcare organization’s protected health information is being properly accessed and protected by the business associate is critical.
Organizations must know how to identify business associates. Business associate functions and activities include the use of tracking technologies, claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; and practice management. Business associate services are legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
This webinar is for HIPAA Covered Entities (CEs) and Business Associates (BAs). Criminals increasingly focus cyber-attacks on BAs because one hit can give them access to PHI of all the BA’s customers. Growth of serious BA PHI breaches affecting tens of millions of patients put the spotlight on BA HIPAA compliance, attracting HHS Office for Civil Rights investigations and aggressive private class action lawsuits filed within days of a breach targeting BAs and their CE customers. CEs that did nothing wrong can still be held liable to pay the same civil money penalty as their BA for the BA’s HIPAA violation under the Federal Common Law of Agency which is included in the HIPAA Enforcement Rule.
Simple steps, often overlooked but easy to follow, enable CEs and BAs to protect against costs and damage to their reputations caused by violations of HIPAA Rules that apply to BAs. The chain of HIPAA compliance starts with a CE. It extends to a BA that provides a CE with services involving PHI. And the chain of compliance continues on down to any subcontractors of a BA that perform services involving PHI. BA subcontractors are defined by HIPAA as BAs and are fully liable for compliance.
This webinar explains the interconnected HIPAA compliance responsibilities and liabilities of CEs and BAs. HIPAA Rules that apply to both are easy to follow, step-by-step, when you know the steps.
HIPAA Rules that apply to CEs in dealing with BAs and that BAs must follow are discussed and explained including:
CEs can find themselves fully liable for HIPAA violations committed by BAs and BAs for violations committed by Subcontractors under the little known Federal Common Law of Agency. However, risks associated with BA HIPAA compliance can be managed calmly and confidently by following the HIPAA Rules that are easy to follow, step-by-step.
CEs should attend to see what to look for in Due Diligence, how to obtain HIPAA required satisfactory assurances that a BA is complying with HIPAA and avoid liability by inadvertently making a BA their agent.
BAs should attend this webinar to see exactly what they must do to comply with HIPAA Rules – Security, Privacy and Breach Notification Rules. And what to look for in Due Diligence and how to obtain HIPAA required satisfactory assurances that a Subcontractor BA is complying with HIPAA while avoiding liability by inadvertently making a Subcontractor BA their agent
Covered Entities of all types who disclose PHI to BAs and allow BAs to create, receive, maintain and transmit PHI on their behalf
Business Associates of all types including for example:
Venue: Recorded Webinar
Telehealth completely changed in 2020 when the Public Health Emergency was put into effect. Now in 2025, many of those temporary changes are expiring and the telehealth business has exploded. These methods of communication between provider and patient are loved by many, and the convenience of telehealth in healthcare has become a common occurrence. This webinar will be reviewing the current parts of telehealth that are being considered permanent in the 2026 Physicians Fee Schedule Final Rule and the new evaluation and management services that are new codes for CPT in 2025 related to telehealth. We will find out what the do’s and don’ts of telehealth that are here to stay, as well as implementing these new codes and regulations into your practice. These new rules and codes are important to any one currently offering telehealth as well all who are considering it to add it to their practice in order to be compliant and maximize reimbursement for the services performed. Areas Covered in this Webinar The CMS Telehealth List and how to use it Medicare’s rules G codes for Medicare telehealth CPT addition of 17 codes to the E/M section for Telehealth Education for office staff Implementation on your software programs Who Will Benefit Physicians Advanced Nurses Physicians Assistant Billers Coders Compliance Managers Administrators Case Managers Claims Processors
HIPAA Breach Risk Assessments determine whether a Ransomware attack constitutes a HIPAA Breach that triggers Breach Notification Rule reports and notifications. A Ransomware attack is automatically presumed to be a HIPAA Breach unless you do a HIPAA Breach Risk Assessment that demonstrates the attack resulted in only a low probability of compromise to the affected protected health information (PHI). This webinar explains how to do a Ransomware HIPAA Breach Risk Assessment. The Problem Solved by this Webinar The HHS Office for Civil Rights (OCR) declared that a breach of unsecured PHI is presumed to have occurred when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack on a HIPAA-regulated entity (health care provider, health plan, health care clearinghouse, or business associate). The entity must then comply with the applicable breach notification provisions, including notifying affected individuals without unreasonable delay, the Secretary of HHS, and the media (for breaches affecting over 500 individuals), in accordance with HIPAA breach notification requirements. However, it is not a breach if the ransomware-victimized entity can demonstrate that there is a low probability that the encrypted ePHI has been compromised. This webinar explains how to do that. Areas Covered in the Webinar A Breach Risk Assessment can determine whether a ransomware attack is a breach of unsecured ePHI, triggering embarrassing reports and notifications. Factors that can be applied in performing a Breach Risk Assessment. OCR’s guidance about specific factors that can demonstrate a low probability of compromise to ePHI encrypted by a ransomware attack. How to perform a Breach Risk Assessment step-by-step. How to document a Breach Risk Assessment and why you must document it. What to do if you cannot demonstrate a low probability of compromise to ePHI. Why You Should Attend This Webinar Attend this webinar to learn how to perform a Breach Risk Assessment with a special emphasis on ransomware attacks. Ransomware attacks may have only a low probability of compromising ePHI. A Breach Risk Assessment can determine whether a ransomware attack resulted only in a low probability of compromise to ePHI and provide Covered Entities and Business Associates with Documentation to overcome the presumption that the ransomware attack was a Breach.. Who Will Benefit Health Care Covered Entities HIPAA Compliance Officials – Privacy and Security Officers Chief Compliance Officer Practice Managers Health Information Technology Supervisors Risk Managers Group Health Plan Administrators Third Party Group Health Plan Administrators Covered Entity Senior Management and Owners Health Care Providers practicing as individuals or in small groups Attorneys for Covered Entities – In-house and Outside Counsel Business Associates HIPAA Compliance Officials – Privacy and Security Officers Chief Compliance Officer Business Associate Senior Management and Owners Risk Managers Attorneys for Business Associates – In-house and Outside Counsel
Over the last few years, the U.S. Department of Health and Human Services, Office for Civil Rights has made modifications to patient privacy requirements. The agency is on track for enhancing care coordination, empowering patients, and reducing administrative burden. In addition, on the Security Rule side, the agency released a proposed rule to overhaul significant requirements and make cybersecurity safeguards a priority. Knowing what an organization must do to meet these new regulatory requirements can be challenging. The webinar will address what has already changed in privacy, cover proposed Privacy Rule modifications, and cover the Security Rule overhaul proposals. Timeline and compliance implications will be covered. After completing this webinar, a Covered Entity or Business Associate will have a clear understanding of what has changed and what will change. Objectives Who Must Comply with HIPAA Requirements? What are the HIPAA Security and Privacy Rules? What Has Already Changed in Privacy? What are the Proposed Privacy Rule Modifications? What are the proposed Security Rule modifications? What is the Timeline & Compliance Implications? What recommendations should be followed now? Q&A Webinar Highlights Learn from an expert on the implementation of the HIPAA rules Understand what the HIPAA management process currently requires Learn how to implement these changes for your organization Who Should Attend Compliance Officer HIPAA Privacy Officer HIPAA Security Officer Medical/Dental Office Managers Practice Managers Information Systems Manager Chief Information Officer General Counsel/lawyer Practice Management Consultants Any Business Associates that access protected health information
Many providers have considered outsourcing functions in the revenue cycle. Like all businesses, some third-party companies do excellent work for providers, but there may be others that look for ways to take advantage of their provider. Outsourcing has its own pros & cons that must be carefully considered. We will review major common areas that providers must weigh strategically before making a decision whether to outsource and selecting the best partner for your needs. It is vital providers know exactly who is handling their claims and what they are doing with their information. Definitions of third-party vendors Legal responsibilities of the provider Common industry trends Important questions to ask vendors & contractors Who Will Benefit Physicians Practice managers Medical assistants Nurses Compliance staff Billers Coders Revenue Cycle Risk Management Mid level providers