One of the most challenging issues for health care organizations is ensuring that business associates can be trusted with PHI (Protected Health Information). Of the 11 million people affected by reportable data breaches between September 2009 and June 2011, 6 million, or 55%, were affected by breaches involving business associates, according to the federal government. The breaches involving business associates published by HHS are collected in this data breach report: https://docs.google.com/spreadsheet/ccc?key=0ArhiA7aQWV1XdEFfNlNPTkxJbWxPbFJvY1d1ajJCOHc
Healthcare organizations often use the services of a variety of contractors and businesses. The HIPAA Privacy Rule, as amended by the HITECH Act, allows covered entities to disclose the minimum necessary protected health information (PHI) to these “business associates” if the covered entities obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Questions to ask yourself:
Have you identified your key business associates handling PHI that you create, receive, maintain or transmit?
Do you review your contract periodically with your key business associates?
Do you have a right-to-audit clause, or do you require your business associates to follow certain minimum security controls and best practices?
EHR 2.0 provides consulting services by partnering with leading law firms to assess your business associates based on several key factors:
Corporate size of the BA
Volume of data accessed by BA
Number of facilities serviced by BA
Type of services provided by BA
Complexity of services provided by BA
Location of BA
Previous data breaches, complaints or incidents involving BA
Our Business Associate Assessment and Monitoring service combines the factors above with the requirement chart below to provide a periodic assessment report on your key business associates:
Who is a business associate?
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
A member of the covered entity’s workforce is not a business associate.
Examples of a Business Associate
A third party administrator that assists a health plan with claims processing.
A CPA firm whose accounting services to a health care provider involve access to protected health information.
An attorney whose legal services to a health plan involve access to protected health information.
Examples of No Business Associate Relationship
When PHI is shared for treatment purposes, the relationship is not a business associate relationship:
Physician Services
Nursing Services
Laboratory Services
http://ehr20.com/services/business-associate-assessment/
2. Presenter’s Background
Blair Jerome, PhD has worked in public and private education for over twenty years. Blair has designed and taught courses for both the IT and pharmaceutical industries. As an educational administrator, Blair’s experience includes working with regulatory agencies and boards at the national, regional and state level. Blair understands how a changing audit landscape can impact planning, budgeting, and decision making throughout an organization.
3. Who we are
EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.
Education
Consulting
Toolkit (tools, best practices & checklists)
Goal: To make compliance an enjoyable and painless experience
4. Webinar Objective
Understand and perform Business Associate Agreement & Assessment to secure Protected Health Information (PHI).
5. Glossary
1. PHI: Protected Health Information
2. PHR: Personal Health Records
3. HHS: U.S. Department of Health and Human Services
4. OCR: Office for Civil Rights (the HHS office that enforces HIPAA)
5. HITECH: Health Information Technology for Economic and Clinical Health Act
6. HITECH Act
The Health Information Technology for Economic and Clinical Health (“HITECH”) provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”, also referred to as the “Stimulus Bill”) codify and expand on many of the requirements contained in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its regulations to protect the privacy and security of protected health information (“PHI”).
10. HITECH modifications to HIPAA
Creating incentives for developing a meaningful use of
electronic health records
Changing the liability and responsibilities of Business
Associates
Redefining what a breach is
Creating stricter notification standards
Tightening enforcement
Raising the penalties for a violation
Creating new code and transaction sets (HIPAA 5010,
ICD10)
11. HITECH Requirements (BA Impact)
New privacy requirements for business associates:
i. Breach notification
ii. Use and disclosure limitations apply directly to business associates
iii. The minimum necessary principle applies directly; limited data sets must be used where practicable
Increased penalties
Business associates directly liable for violations
Business associate agreements must be amended
Business associates must impose the same requirements on subcontractors that access PHI
12. HITECH Requirements (BA Impact)
Breach: According to HITECH, a breach is “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
Three exceptions:
1. Unintentional acquisition, access, or use of protected health information by a workforce member acting in good faith and within the scope of their authority
2. Inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access it at the same entity
3. The covered entity or business associate has a good-faith belief that the unauthorized individual to whom the impermissible disclosure was made would not have been able to retain the information
13. What Is a “Business Associate”?
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
A member of the covered entity’s workforce is not a business associate.
14. Examples of a Business Associate
A third party administrator that assists a health plan with claims processing.
A CPA firm whose accounting services to a health care provider involve access to protected health information.
An attorney whose legal services to a health plan involve access to protected health information.
15. Examples of No Business Associate Relationship
Services delivered as part of treatment do not create a business associate relationship; banks processing payments and couriers acting as mere conduits are likewise excluded:
Physician Services
Nursing Services
Laboratory Services
Radiology Services
Physical Therapy
Occupational Therapy
Bank Services
Courier Services
16. Responsibilities, Obligations and Duties of BA
Must comply with HIPAA
May not use or disclose PHI except as permitted by its business associate agreement
Must limit use and disclosure to the minimum necessary
Is directly subject to civil and criminal liability
17. Business Associate Cycle
Covered entity: executes the BA contract; breach notification
Business associate (and its subcontractors): HIPAA Privacy and Security Rule; minimum necessary; breach notification
HHS/OCR: receives breach notifications and enforces
20. Information Security Model
Confidentiality: limiting information access and disclosure to authorized users (the right people)
Integrity: trustworthiness of information resources (no inappropriate changes)
Availability: information resources are accessible when needed (at the right time)
21. PHI
Health information > individually identifiable health information > PHI: protected health information is the individually identifiable health information that a covered entity or its business associate creates, receives, maintains or transmits.
22. ePHI – 18 Elements
The 18 identifiers that make health information individually identifiable (the HIPAA Safe Harbor list), with illustrative examples:
1. Name: Max Bialystock
2. Address (all geographic subdivisions smaller than a state, including street address, city, county, or ZIP code): 1355 Seasonal Lane
3. Dates related to an individual (all elements except year): birth, death, admission, discharge
4. Telephone numbers (home, office, mobile, etc.): 212 555 1234
5. Fax number: 212 555 1234
6. Email address (personal or official): LeonT@Hotmail.com
7. Social Security number: 239-68-9807
8. Medical record number: 189-88876
9. Health plan beneficiary number: 123-ir-2222-98
10. Account number: 333389
11. Certificate/license number: 3908763 NY
12. Any vehicle or other device serial number: SZV4016
13. Device identifiers or serial numbers: unique medical devices
14. Web URL: www.rickymartin.com
15. Internet Protocol (IP) address numbers: 19.180.240.15
16. Finger or voice prints: finger.jpg
17. Photographic images: mypicture.jpg
18. Any other characteristic that could uniquely identify the individual
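What "de-identification" of these elements looks like in practice is easier to see in code than in the list. The following is an added example, not part of the EHR 2.0 webinar: it applies the Safe Harbor rules to a constructed patient record (the record, field names, regular expressions and the 2012-03-01 reference date are all assumptions), stripping listed identifiers, truncating ZIP codes to three digits, reducing dates to the year and collapsing ages of 90 and over into one bucket. Names, biometric files, photographs and free-form "other unique characteristics" cannot be caught by simple patterns and are dropped as whole fields here.

```python
"""HIPAA Safe Harbor de-identification of a patient record.

Added example, not from the EHR 2.0 webinar. The record, field names,
patterns and the reference date are constructed assumptions; a production
filter must cover all 18 identifier classes, and names, biometric files,
photographs and free-form "other unique characteristics" cannot be caught
by the simple patterns below.
"""
import re
from datetime import date

# Identifiers from the 18-element list that a regular expression can find in
# free text. Each pattern accepts some false positives (e.g. version strings
# that look like IP addresses) rather than risk missing an identifier.
PATTERNS = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":   re.compile(r"\b(?:https?://|www\.)\S+\b"),
    "mrn":   re.compile(r"\bMRN[:#\s]*[\w-]+\b", re.IGNORECASE),
}
# Dates: Safe Harbor allows only the year to survive.
ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")
# ZIP codes: only the first three digits may be kept, and they become 000 for
# the sparsely populated 3-digit areas HHS listed from the 2000 Census
# (assumed still current here; verify against current HHS guidance).
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}


def deidentify_text(text):
    """Redact pattern-detectable identifiers in free text; dates keep the year."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label.upper()}]", text)
    return ISO_DATE.sub(r"\1", text)


def deidentify_zip(zip_code):
    """Truncate a 5- or 9-digit ZIP to the permitted 3-digit prefix."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_bucket(dob_iso, on_iso="2012-03-01"):
    """Age in years on the reference date; ages of 90 and over collapse into 90+."""
    dob, on = date.fromisoformat(dob_iso), date.fromisoformat(on_iso)
    age = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else str(age)


def deidentify_record(rec):
    """Return the Safe Harbor view of a record: only age, ZIP3 and scrubbed notes survive."""
    return {
        "age": age_bucket(rec["dob"]),
        "zip3": deidentify_zip(rec["zip"]),
        "notes": deidentify_text(rec["notes"]),
        # name, address, SSN, MRN, e-mail and every other listed identifier are
        # dropped outright rather than masked.
    }


SAMPLE_RECORD = {  # constructed, not real data
    "name": "Max Bialystock",
    "dob": "1920-05-02",
    "address": "1355 Seasonal Lane",
    "zip": "10310",
    "ssn": "239-68-9807",
    "mrn": "189-88876",
    "email": "LeonT@Hotmail.com",
    "notes": ("Admitted 2011-11-03, discharged 2011-11-07. Contact 212 555 1234 or "
              "LeonT@Hotmail.com. Prior record MRN 189-88876; portal login from "
              "19.180.240.15."),
}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD))
```

Run it and the notes come back as "Admitted 2011, discharged 2011. Contact [PHONE] or [EMAIL]. Prior record [MRN]; portal login from [IP]." with the patient reduced to age "90+" and ZIP3 "103". Whole fields are dropped rather than masked because a masked SSN or MRN is still a re-identification handle; the regex pass exists only for free text, where identifiers hide in narrative.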
23. Business Associate Requirement Chart
Requirement: Tier 1 / Tier 2 / Tier 3
Right to audit & review: Yes / Maybe / No
Baseline security controls: Yes / No / No
Standards and certification clause: Yes / Maybe / No
Contract review: Every 6 months or on any major change / Every year / Every year
Breach notification: Stringent / Standard / Standard
Training and education: Yes / Yes / Yes
Periodic risk assessment: Yes / Maybe / N/A
24. Criteria for Business Associates
‐ Corporate size of the BA
‐ Volume of data accessed by BA
‐ Number of facilities serviced by BA
‐ Type of services provided by BA
‐ Complexity of services provided by BA
‐ Location of BA
‐ Previous data breaches, complaints or
incidents involving BA
25. HIPAA Security Rule Standard
Each row gives the HIPAA section, the implementation specification, whether it is Required or Addressable, what it asks for, and example technical solutions; the original checklist also has a Yes/No/Comments column for the assessor to fill in per business associate. Addressable does not mean optional: the entity must either implement the specification or document why an alternative is reasonable. This excerpt covers the first administrative safeguards; the Security Rule continues with the remaining administrative, physical and technical safeguards.
164.308(a)(1)(i) Security Management Process (Required): policies and procedures to manage security violations.
164.308(a)(1)(ii)(A) Risk Analysis (Required): conduct a vulnerability assessment. Solutions: penetration test, vulnerability assessment.
164.308(a)(1)(ii)(B) Risk Management (Required): implement security measures to reduce the risk of security breaches. Solutions: SIM/SEM, patch management, vulnerability management, asset management, helpdesk.
164.308(a)(1)(ii)(C) Sanction Policy (Required): worker sanctions for policy and procedure violations. Solutions: security policy document management.
164.308(a)(1)(ii)(D) Information System Activity Review (Required): procedures to review system activity. Solutions: log aggregation, log analysis, security event management, host IDS.
164.308(a)(2) Assigned Security Responsibility (Required): identify the security official responsible for policies and procedures.
164.308(a)(3)(i) Workforce Security (Required): implement policies and procedures to ensure appropriate PHI access.
164.308(a)(3)(ii)(A) Authorization and/or Supervision (Addressable): authorization/supervision for PHI access. Solutions: mandatory, discretionary and role-based access control; ACLs; native OS access policy enforcement.
164.308(a)(3)(ii)(B) Workforce Clearance Procedure (Addressable): procedures to ensure appropriate PHI access. Solutions: background checks.
164.308(a)(3)(ii)(C) Termination Procedures (Addressable): procedures to terminate PHI access. Solutions: single sign-on, identity management, security policy document management, access controls.
164.308(a)(4)(i) Information Access Management (Required): policies and procedures to authorize access to PHI.
164.308(a)(4)(ii)(A) Isolating Health Care Clearinghouse Functions (Required): policies and procedures to separate PHI from other operations. Solutions: application proxy, firewall, mandatory VPN, SOCKS.
164.308(a)(4)(ii)(B) Access Authorization (Addressable): policies and procedures to authorize access to PHI. Solutions: mandatory, discretionary and role-based access control.
164.308(a)(4)(ii)(C) Access Establishment and Modification (Addressable): policies and procedures to grant access to PHI. Solutions: security policy document management.
164.308(a)(5)(i) Security Awareness Training (Required): training program for workers and managers.
164.308(a)(5)(ii)(A) Security Reminders (Addressable): distribute periodic security updates. Solutions: sign-on screen, screen savers, monthly memos, e-mail, banners.
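Slide 25 maps 164.308(a)(1)(ii)(D) Information System Activity Review to log aggregation and analysis, and 164.308(a)(3)(ii)(C) Termination Procedures to identity management. The following added example (not part of the EHR 2.0 webinar; the log format, account names, MRNs, HR feed and thresholds are all constructed assumptions) shows what a minimal periodic activity review over EHR access logs looks like. It checks three things a reviewer would look for: activity on an account HR reports as terminated, an export outside business hours, and one user opening more distinct patient records in a short window than a treatment relationship would explain, which is a minimum-necessary concern.

```python
"""Periodic EHR access-log review for HIPAA 164.308(a)(1)(ii)(D).

Added example, not from the EHR 2.0 webinar. The log format, user names,
MRNs, HR feed and thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: "<ISO timestamp> <user> <action> <MRN>" per line.
SAMPLE_LOG = """\
2012-03-01T09:02:11 jdoe VIEW 189-88876
2012-03-01T09:05:40 jdoe VIEW 189-88877
2012-03-01T09:06:02 jdoe VIEW 189-88878
2012-03-01T09:06:30 jdoe VIEW 189-88879
2012-03-01T09:07:15 jdoe VIEW 189-88880
2012-03-01T09:07:50 jdoe VIEW 189-88881
2012-03-01T10:15:00 asmith VIEW 189-88876
2012-03-01T23:40:12 bjones EXPORT 189-88900
2012-03-02T08:00:00 tleft VIEW 189-88901
"""

# Constructed HR feed: accounts that termination procedures should have
# disabled (164.308(a)(3)(ii)(C)), keyed by user with the separation date.
TERMINATED = {"tleft": datetime(2012, 2, 28)}

# Review thresholds (assumptions; tune to the organisation's own baseline).
MAX_DISTINCT_MRN = 5            # distinct patients one user may open ...
WINDOW = timedelta(minutes=10)  # ... within this window before it is flagged
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59 local time


def parse_log(text):
    """Parse the constructed log into (timestamp, user, action, mrn) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, mrn = line.split()
        events.append((datetime.fromisoformat(ts), user, action, mrn))
    return events


def review(events, terminated=TERMINATED):
    """Return (rule, user, detail) findings for the security official to triage."""
    findings = []
    per_user = defaultdict(list)
    for ts, user, action, mrn in events:
        per_user[user].append((ts, action, mrn))
        # Rule 1: any activity on an account HR reports as terminated.
        if user in terminated and ts >= terminated[user]:
            findings.append(("terminated-account-access", user,
                             f"{ts.isoformat()} {action} {mrn}"))
        # Rule 2: bulk export outside business hours.
        if action == "EXPORT" and ts.hour not in BUSINESS_HOURS:
            findings.append(("after-hours-export", user, f"{ts.isoformat()} {mrn}"))
    # Rule 3: sliding window over each user's distinct MRNs; more patients than
    # a treatment relationship explains suggests snooping or a minimum
    # necessary violation.
    for user, evs in per_user.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            distinct = {mrn for _, _, mrn in evs[start:end + 1]}
            if len(distinct) > MAX_DISTINCT_MRN:
                findings.append(("bulk-record-access", user,
                                 f"{len(distinct)} distinct MRNs within {WINDOW}"))
                break  # one finding per user per review run is enough
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:28} {user:8} {detail}")
```

On the constructed log this produces three findings: bjones for the 23:40 export, tleft for viewing a record two days after separation, and jdoe for six distinct patients in under six minutes; asmith's single lookup is not flagged. The review is only as good as the HR feed and the thresholds, which is why both should be agreed with the security official named under 164.308(a)(2) and revisited when the baseline changes.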
28. Handheld Usage in Healthcare
• 25% of providers use handheld devices
• Another 21% expect to
• 38% of physicians use medical apps
• 70% think it is a high priority
• 1/3 use a handheld for accessing EMR/EHR
Source: CompTIA 2011 survey
31. Social Media
How does your practice use it?
How do your employees use it?
Do you have policies?
32. Cloud-based services
Deployment models: public cloud, private cloud, hybrid
Typical healthcare uses: EHR applications, private-label e-mail, archiving of images, file sharing, on-line backups
Cloud computing is taking all batch processing and farming it out to huge central or virtualized computers.
HIPAA regulations remain barriers to full cloud adoption.
34. Sample Risk Analysis Template
Rows are impact, columns are likelihood (High / Medium / Low):
High impact: Unencrypted ePHI on a laptop / Lack of auditing on EHR systems / Missing security patches on web server hosting patient information
Medium impact: Unsecured wireless network in doctor’s office / Outdated anti-virus software / External hard drives not being backed up
Low impact: Sales presentation on USB thumb drive / Web server backup tape not stored in a secured location / Weak password on internal document server
35. Top 5 Recommendations
1. Encrypt all protected health information in storage and in transit; where encryption is not possible, at least de-identify the data.
2. Implement a mobile device security program.
3. Strengthen information security user awareness and training programs.
4. Ensure that business associate due diligence includes a clearly written contract and a periodic review of implemented controls.
5. Minimize sensitive data capture, storage and sharing.
36. Key Takeaways
The HITECH Act applies HIPAA obligations and liability directly to business associates, much as to a covered entity
The PHI elements a business associate processes drive the scope of its agreement and assessment
An updated contract plus a controls assessment (due diligence) is the accepted best practice for mitigating risk
Review your top-tier business associates and their training requirements periodically
38. How can you help us?
Follow us on social media:
facebook.com/ehr20 (Like)
linkedin.com/company/ehr-2-0 (Follow us)
https://twitter.com/#!/EHR_20 (Follow)
Next webinar on HIPAA/HITECH Security Assessment (3/28)
http://ehr20.com/services/
We sincerely appreciate your referrals!