Business Associate Assessment, Agreement and Requirements

Presenter’s Background
Blair Jerome, PhD has worked in
public and private education for over
twenty years. Blair has designed and
taught courses for both the IT and
Pharmaceutical Industries. As an educational
administrator Blair’s experience includes working with
regulatory agencies and boards at the national,
regional and state level. Blair understands how a
changing audit landscape can impact planning,
budgeting, and decision making throughout an
organization. 2

Who are we
EHR 2.0 Mission: To assist healthcare
organizations develop and implement
practices to secure IT systems and comply
with HIPAA/HITECH regulations.
 Education

 Consulting

 Toolkit(Tools, Best Practices & Checklist)

Goal: To make compliance an enjoyable
and painless experience

Webinar Objective

Understand and Perform Business
Associate Agreement & Assessment to
Secure Protected Health Information(PHI).

4

Glossary

1. PHI: Protected Health Information

2. PHR: Personal Health Records

3. HHS: Health and Human Services

4. OCR: Office for Civil Rights

5. HITECH: Health Information Technology for Economic
and Clinical Health Act

5

HITECH Act

The Health Information Technology for Economic and
Clinical Health (“HITECH”) provisions of the
American Recovery and Reinvestment Act of 2009
(“ARRA”, also referred to as the “Stimulus Bill”) codify and
expand on many of the requirements contained in the
Health Insurance Portability and Accountability Act of 1996
(“HIPAA”) and its regulations to protect the privacy and
security of protected health information (“PHI”).

6

BA Applicability and Penalties

7

BA Contracts Required

8

Business Associate Audit by OCR

9

HITECH modifications to HIPAA

 Creating incentives for developing a meaningful use of
electronic health records
 Changing the liability and responsibilities of Business
Associates
 Redefining what a breach is
 Creating stricter notification standards
 Tightening enforcement
 Raising the penalties for a violation
 Creating new code and transaction sets (HIPAA 5010,
ICD10)

10

HITECH Requirements (BA Impact)
 New Privacy Requirements for Business Associates
i. Breach notification
ii. Use and disclosure limitations apply directly to business
associates
iii. Minimum necessary principle applies directly, must use limited
datasets
 Increased penalties
 Business Associates directly liable for violations
 Business Associate Agreements must be amended
 Business Associates must impose same requirements
on subcontractors that access PHI

HITECH Requirements (BA Impact)
 Breach:
According to HITECH, a breach is: the unauthorized acquisition, access, use, or
disclosure of protected health information which compromises the security or privacy of
the protected health information, except where an unauthorized person to whom such
information is disclosed would not reasonably have been able to retain such information.”

 Three Exceptions:
 unintentional acquisition, access, or use of protected
health information by a workforce member
 inadvertent disclosure of protected health information
from a person authorized to access protected health
information at a covered entity or business associate
 covered entity or business associate has a good faith
belief that the unauthorized individual, to whom the
impermissible disclosure was made, would not have
been able to retain the information.

What Is a “Business Associate?

A “business associate” is a person or entity that
performs certain functions or activities that
involve the use or disclosure of protected health
information on behalf of, or provides services to,
a covered entity.
A member of the covered entity’s workforce is
not a business associate.

13

Examples of a Business Associate

 A third party administrator that assists a health
plan with claims processing.
 A CPA firm whose accounting services to a
health care provider involves access to
protected health information.
 An attorney whose legal services to a health
plan involves access to protected health
information.

14

Examples of No Business Associate
Relationship

 Physician Services
 Nursing Services
 Laboratory Services
 Radiology Services
 Physical Therapy
 Occupational Therapy
 Bank Services
 Courier Services
15

Responsibilities, Obligations and
Duties of BA

 Must comply with HIPAA
 May not use or disclose PHI
 Minimum necessary use
 Civil and criminal liability directly

16

Business Associate Cycle

Covered Entity BA HHS/OCR

• BA Contract • HIPAA Privacy and
• Breach Notification Security Rule
• Minimum Necessary
• Breach Notification
Sub-
contractors
17

HIPAA Titles - Overview

18

HIPAA Security Rule

19

Information Security Model

Confidentiality
Limiting information access and
disclosure to authorized users (the right
people)

Integrity
Trustworthiness of information
resources (no inappropriate changes)

Availability
Availability of information resources (at
the right time)

20

PHI

Health
Information

Individually
Identifiable
Health
Information

PHI

21

ePHI – 18 Elements
Elements Examples
Name Max Bialystock
1355 Seasonal Lane
Address (all geographic subdivisions smaller than state,
including street address, city, county, or ZIP code)
Dates related to an individual Birth, death, admission, discharge
212 555 1234, home, office, mobile etc.,
Telephone numbers
212 555 1234
Fax number
Email address LeonT@Hotmail.com, personal, official
Social Security number 239-68-9807
Medical record number 189-88876
Health plan beneficiary number 123-ir-2222-98
Account number 333389
Certificate/license number 3908763 NY
Any vehicle or other device serial number SZV4016
Device identifiers or serial numbers Unique Medical Devices
Web URL www.rickymartin.com
Internet Protocol (IP) address numbers 19.180.240.15
Finger or voice prints finger.jpg
Photographic images mypicture.jpg
Any other characteristic that could uniquely 22
identify the individual

Business Associate Requirement Chart
Requirements Tier 1 Tier 2 Tier 3

Right to Audit &
Yes May be No
Review

Baseline Security
Yes No No
Controls
Standards and
Certification Yes May be No
Clause
Every 6 months or
Contract Review Every year Every year
any major change

Breach Notification Stringent Standard Standard

Training and
Yes Yes Yes
Education

Periodic Risk
Yes May be N/A
Assessment

Criteria for Business Associates

‐ Corporate size of the BA
‐ Volume of data accessed by BA
‐ Number of facilities serviced by BABA
‐ Type of services provided by BA
‐ Complexity of services provided by BA
‐ Location of BA
‐ Previous data breaches, complaints or
incidents involving BA

HIPAA Security Rule Standard Implementati Yes/No/Comm
HIPAA Sections Implementation Specification on Requirement Description Solution ents

Policies and procedures to manage
164.308(a)(1)(i) Security Management Process Required security violations
164.308(a)(1)(ii)( Penetration test, vulnerability
A) Risk Analysis Required Conduct vulnerability assessment assessment
SIM/SEM, patch management,
164.308(a)(1)(ii)( Implement security measures to reduce vulnerability management, asset
B) Risk Management Required risk of security breaches management, helpdesk

164.308(a)(1)(ii)( Worker sanction for policies and Security policy document
C) Sanction Policy Required procedures violations management

164.308(a)(1)(ii)( Log aggregation, log analysis, security
D) Information System Activity Review Required Procedures to review system activity event management, host IDS

Identify security official responsible for
164.308(a)(2) Assigned Security Responsibility Required policies and procedures

Implement policies and procedures to
164.308(a)(3)(i) Workforce Security Required ensure appropriate PHI access
Mandatory, discretionary and role-
164.308(a)(3)(ii)( based access control: ACL, native OS
A) Authorization and/or Supervision Addressable Authorization/supervision for PHI access policy enforcement
164.308(a)(3)(ii)( Procedures to ensure appropriate PHI
B) Workforce Clearance Procedure Addressable access Background checks

164.308(a)(3)(ii)( Procedures to terminate PHI access Single sign-on, identity management,
C) Termination Procedures Addressable security policy document management access controls
Policies and procedures to authorize
164.308(a)(4)(i) Information Access Management Required access to PHI

164.308(a)(4)(ii)( Isolation Health Clearinghouse Policies and procedures to separate PHI Application proxy, firewall, mandatory
A) Functions Required from other operations UPN, SOCKS

164.308(a)(4)(ii)( Policies and procedures to authorize Mandatory, discretionary and role-
B) Access Authorization Addressable access to PHI based access control
164.308(a)(4)(ii)( Access Establishment and Policies and procedures to grant access Security policy document
C) Modification Addressable to PHI management
Training program for workers and
164.308(a)(5)(i) Security Awareness Training Required managers

164.308(a)(5)(ii)( Sign-on screen, screen savers,
A) Security Reminders Addressable Distribute periodic security updates monthly memos, e-mail, banners

Sample Business Associate
Agreement

Send us an e-mail at info@ehr20.com for
sample BAA

26

Trends in Healthcare IT

Informatics Collaboration

Mobile EHR
Computing HIE

27

Handheld Usage in Healthcare

• 25% usage with providers

• Another 21% expected to use

• 38% physicians use medical
apps

• 70% think it is a high priority

• 1/3 use hand-held for accessing EMR/EHR
28

compTIA 2011 Survey

EMR and EHR systems

29

Health Information Exchange (HIE)

30

Social Media
 How does your practice use it?

 How do your employees use it?

 Do you have policies?

31

Cloud-based services
 Public Cloud
 EHR Applications
HIPAA regulations  Private-label e-mail
remain barriers to full
cloud adoption
 Private Cloud
 Archiving of Images
 File Sharing
Cloud Computing is taking
all batch processing, and  On-line Backups
farming it out to a huge
central or virtualized
 Hybrid 32

computers.

Sample Risk Analysis Template
Likelihood
High Medium Low

High Unencrypted Lack of auditing on Missing security
laptop ePHI EHR systems patches on web server
hosting patient
information
Impact

Medium Unsecured Outdated anti-virus External hard drives
wireless network software not being backed up
in doctor’s office

Sales presentation Web server backup Weak password on
Low on USB thumb tape not stored in a internal document
drive secured location server
34

Top 5 Recommendations
1. Ensure encryption on all protected health information
in storage and transit.(at least de-identification)
2. Implement a mobile device security program.
3. Strengthen information security user awareness and
training programs.
4. Ensure that business associate due diligence includes
clearly written contract, a periodic review of
implemented controls.
5. Minimize sensitive data capture, storage and sharing.

35

Key Takeaways
 HITECH act treats business associates as a covered
entity

 Processing of PHI elements drives business associates
scope, agreement and assessment

 Updated contract and controls assessment (due
diligence) considered as best practices for mitigating
risks

 Periodic review of your top tier business associates and
training requirements 36

Additional Resources

 HHS FAQ -
http://www.hhs.gov/ocr/privacy/hipaa/faq/busine
ss_associates/index.html

37

How can you help us?
 Follow-us on social media
facebook.com/ehr20 (Like)
linkedin.com/company/ehr-2-0 (Follow us)
https://twitter.com/#!/EHR_20 (Follow)

 Next Webinar on HIPAA/HITECH Security Assessment ( 3/28)

 http://ehr20.com/services/

We sincerely appreciate your referrals! 38

Thank you!!

Visit us at ehr20.com
39

Business Associate Assessment, Agreement and Requirements

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Business Associate Assessment, Agreement and Requirements

Semelhante a Business Associate Assessment, Agreement and Requirements (20)

Mais de data brackets

Mais de data brackets (20)

Último

Último (20)

Business Associate Assessment, Agreement and Requirements