Business Associate Assurance: What covered entities need to know Have you identified your key business associates handling e-PHI that you create, receive, maintain or transmit? Do you review your contract periodically with your key business associates? Do you have the right to audit clause or require your business associate to follow certain minimum security controls and best practices? One of the most challenging issues for health care organizations is ensuring business associates can be trusted with ePHI (electronic Protected Health Information). Of the 11 million people affected by reportable data breaches between September 2009 and June 2011, 6 million, or 55%, were affected by data breaches involving business associates, according to the federal government. This 50-minute webinar helps the audience to learn assessment strategies a covered entity needs to institute to manage business associates. Learn more about business associate assessment and engagement best practices by attending our webinar. Learn more at http://ehr20.com/services/business-associate-assessment/

1. Business Associate Assurance:
What covered entities need to know

2. Webinar Objective
Understand the risks associated with
business associates and implement the
steps required to mitigate the risks to
secure Protected Health Information(PHI).
E-mail: info@ehr20.com
2

3. Who are we …
EHR 2.0 Mission: To assist healthcare
organizations develop and implement
practices to secure IT systems and comply
with HIPAA/HITECH regulations.
 Education(Training, Webinar & Workshops)
 Consulting Services
 Toolkit(Tools, Best Practices & Checklist)
Goal: To make compliance an enjoyable and painless
experience, while building capability and confidence.

4. Glossary
1. PHI: Protected Health Information
2. HHS: Health and Human Services
3. OCR: Office for Civil Rights
4. CIA: Confidentiality, Integrity and Availability
5. HIE: Health Information Exchange
6. HITECH: Health Information Technology for Economic
and Clinical Health Act
4

5. The American Recovery and
Reinvestment Act of 2009 and HITECH
5

6. HITECH modifications to HIPAA
 Creating incentives for developing a meaningful use of
electronic health records
 Changing the liability and responsibilities of Business
Associates
 Redefining what a breach is
 Creating stricter notification standards
 Tightening enforcement
 Raising the penalties for a violation
 Creating new code and transaction sets (HIPAA 5010,
ICD10)
6

7. BA Applicability and Penalties
7

8. BA Contracts Required
8

9. Business Associate Audit by OCR
9

10. HITECH Requirements (BA Impact)
 New Privacy Requirements for Business Associates
i. Breach notification
ii. Use and disclosure limitations apply directly to business
associates
iii. Minimum necessary principle applies directly, must use limited
datasets
 Increased Penalties
 Business Associates Directly Liable for Violations
 Business Associate Agreements Must be Amended
 Business Associates Must Impose Same Requirements
on Sub-contractors that Access PHI

11. What Is a “Business Associate”?
A “business associate” is a person or entity that
performs certain functions or activities that
involve the use or disclosure of protected health
information on behalf of, or provides services to,
a covered entity.
A member of the covered entity’s workforce is
not a business associate.
11

12. Examples of a Business Associate
 A third party administrator that assists a health
plan with claims processing.
 A CPA firm whose accounting services to a
health care provider involves access to
protected health information.
 An attorney whose legal services to a health
plan involves access to protected health
information.
12

13. Examples of No Business Associate
Relationship
 Physician Services
 Nursing Services
 Laboratory Services
 Radiology Services
 Physical Therapy
 Occupational Therapy
 Bank Services
 Courier Services
13

14. Responsibilities, Obligations and
Duties of BA
 Must comply with HIPAA
 May not use or disclose PHI
 Minimum necessary use
 Breach Notification to CE and HHS
 Direct civil and criminal liability
14

15. Business Associate Scope
Covered Entity BA HHS/OCR
• BA Contract • HIPAA Privacy and
• Breach Notification Security Rule
• Minimum Necessary
• Breach Notification
Sub-
contractors
15

16. HIPAA Titles - Overview
16

17. HIPAA Security Rule
17

18. Information Security Model
Confidentiality
Limiting information access and
disclosure to authorized users (the right
people)
Integrity
Trustworthiness of information
resources (no inappropriate changes)
Availability
Availability of information resources (at
the right time)
18

19. PHI
Health
Information
Individually
Identifiable
Health
Information
PHI
19

20. ePHI – 18 Elements
Elements Examples
Name Max Bialystock
1355 Seasonal Lane
Address (all geographic subdivisions smaller than state,
including street address, city, county, or ZIP code)
Dates related to an individual Birth, death, admission, discharge
212 555 1234, home, office, mobile etc.,
Telephone numbers
212 555 1234
Fax number
Email address LeonT@Hotmail.com, personal, official
Social Security number 239-68-9807
Medical record number 189-88876
Health plan beneficiary number 123-ir-2222-98
Account number 333389
Certificate/license number 3908763 NY
Any vehicle or other device serial number SZV4016
Device identifiers or serial numbers Unique Medical Devices
Web URL www.rickymartin.com
Internet Protocol (IP) address numbers 19.180.240.15
Finger or voice prints finger.jpg
Photographic images mypicture.jpg
Any other characteristic that could uniquely 20
identify the individual

21. Criteria for Business Associates
‐ Corporate size
‐ Volume of data accessed
‐ Number of facilities serviced
‐ Type of services provided
‐ Complexity of services provided
‐ Location
‐ Previous data breaches, complaints or
incidents involving BA

22. BA Engagement Best Practices
Requirements Tier 1 Tier 2 Tier 3
Right to Audit &
Yes May be No
Review
Baseline Security
Yes No No
Controls
Standards and
Certification Yes Yes Yes
Clause
Every 6 months or
Contract Review Every year Every year
any major change
Breach Notification Stringent Standard Standard
Training and
Yes Yes Yes
Education
Periodic Risk
Yes May be N/A
Assessment

23. HIPAA Security Rule Standard Implementati Yes/No/Comm
HIPAA Sections Implementation Specification on Requirement Description Solution ents
Policies and procedures to manage
164.308(a)(1)(i) Security Management Process Required security violations
164.308(a)(1)(ii)( Penetration test, vulnerability
A) Risk Analysis Required Conduct vulnerability assessment assessment
SIM/SEM, patch management,
164.308(a)(1)(ii)( Implement security measures to reduce vulnerability management, asset
B) Risk Management Required risk of security breaches management, helpdesk
164.308(a)(1)(ii)( Worker sanction for policies and Security policy document
C) Sanction Policy Required procedures violations management
164.308(a)(1)(ii)( Log aggregation, log analysis, security
D) Information System Activity Review Required Procedures to review system activity event management, host IDS
Identify security official responsible for
164.308(a)(2) Assigned Security Responsibility Required policies and procedures
Implement policies and procedures to
164.308(a)(3)(i) Workforce Security Required ensure appropriate PHI access
Mandatory, discretionary and role-
164.308(a)(3)(ii)( based access control: ACL, native OS
A) Authorization and/or Supervision Addressable Authorization/supervision for PHI access policy enforcement
164.308(a)(3)(ii)( Procedures to ensure appropriate PHI
B) Workforce Clearance Procedure Addressable access Background checks
164.308(a)(3)(ii)( Procedures to terminate PHI access Single sign-on, identity management,
C) Termination Procedures Addressable security policy document management access controls
Policies and procedures to authorize
164.308(a)(4)(i) Information Access Management Required access to PHI
164.308(a)(4)(ii)( Isolation Health Clearinghouse Policies and procedures to separate PHI Application proxy, firewall, mandatory
A) Functions Required from other operations UPN, SOCKS
164.308(a)(4)(ii)( Policies and procedures to authorize Mandatory, discretionary and role-
B) Access Authorization Addressable access to PHI based access control
164.308(a)(4)(ii)( Access Establishment and Policies and procedures to grant access Security policy document
C) Modification Addressable to PHI management
Training program for workers and
164.308(a)(5)(i) Security Awareness Training Required managers
164.308(a)(5)(ii)( Sign-on screen, screen savers,
A) Security Reminders Addressable Distribute periodic security updates monthly memos, e-mail, banners

24. BA Risk Assessment Questionnaire

25. Trends in Healthcare IT
Informatics Collaboration
Mobile EHR
Computing HIE
25

26. Handheld Usage in Healthcare
• 25% usage with providers
• Another 21% expected to use
• 38% physicians use medical
apps
• 70% think it is a high priority
• 1/3 use hand-held for accessing EMR/EHR
26
compTIA 2011 Survey

27. EMR and EHR systems
27

28. Health Information Exchange (HIE)
28

29. Cloud-based services
 Public Cloud
 EHR Applications
Assessment and  Private-label e-mail
Agreement with your
Cloud Service
Providers
 Private Cloud
 Archiving of Images
 File Sharing
Cloud Computing is taking
all batch processing, and  On-line Backups
farming it out to a huge
central or virtualized
 Hybrid 29
computers.

30. Informatics
30

31. Top 5 Recommendations
1. Ensure encryption on all protected health information
in storage and transit.(at least de-identification)
2. Implement a mobile device security program.
3. Strengthen information security user awareness and
training programs.
4. Ensure that business associate due diligence includes
clearly written contract, a periodic review of
implemented controls.
5. Minimize sensitive data capture, storage and sharing.
31

32. Reported Breaches involving BAs
32
https://docs.google.com/spreadsheet/ccc?key=0ArhiA7aQWV1XdEFfNlNPTkxJbWx
PbFJvY1d1ajJCOHc

33. Recent Resolution Agreement
with HHS
33

34. Key Takeaways
 HITECH act treats business associates as a covered
entity
 Processing of PHI elements drives business associates
scope, agreement and assessment
 Updated contract and risk assessment questionnaire
(due diligence) is recommended
 Periodic review of your top tier business associates and
training requirements
34

35. Additional Resources
 HHS FAQ -
http://www.hhs.gov/ocr/privacy/hipaa/faq/busine
ss_associates/index.html
35

36. Next Steps
 Business Associate Package
 BA Risk Assessment Questionnaire
 Sample Policies and Procedures
 4-hour Training/Consulting
ehr20.com/services
 Next Live Webinars
 HIPAA/HITECH Security Assessment(5/2/2012)
 OCR/HHS HIPAA/HITECH Audit Preparation(5/9/2012)
Sign-up at ehr20.com/webinars
 Career Development
Send your resume to info@ehr20.com
36

37. Questions?
E-mail: info@ehr20.com
Call: 802-448-2255
37

38. Thank you!!
38