Business Associate Assurance: What covered entities need to know
Have you identified your key business associates handling e-PHI that you create, receive, maintain or transmit?
Do you review your contract periodically with your key business associates?
Do you have a right-to-audit clause, or do you require your business associates to follow certain minimum security controls and best practices?
One of the most challenging issues for health care organizations is ensuring business associates can be trusted with ePHI (electronic Protected Health Information). Of the 11 million people affected by reportable data breaches between September 2009 and June 2011, 6 million, or 55%, were affected by data breaches involving business associates, according to the federal government. This 50-minute webinar helps the audience to learn assessment strategies a covered entity needs to institute to manage business associates.
Learn more about business associate assessment and engagement best practices by attending our webinar.
Learn more at http://ehr20.com/services/business-associate-assessment/
2. Webinar Objective
Understand the risks associated with business associates and implement the steps required to mitigate the risks to secure Protected Health Information (PHI).
E-mail: info@ehr20.com
3. Who are we
EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.
Education (Training, Webinars & Workshops)
Consulting Services
Toolkit (Tools, Best Practices & Checklists)
Goal: To make compliance an enjoyable and painless experience, while building capability and confidence.
4. Glossary
1. PHI: Protected Health Information
2. HHS: Health and Human Services
3. OCR: Office for Civil Rights
4. CIA: Confidentiality, Integrity and Availability
5. HIE: Health Information Exchange
6. HITECH: Health Information Technology for Economic and Clinical Health Act
6. HITECH modifications to HIPAA
Creating incentives for developing a meaningful use of electronic health records
Changing the liability and responsibilities of Business Associates
Redefining what a breach is
Creating stricter notification standards
Tightening enforcement
Raising the penalties for a violation
Creating new code and transaction sets (HIPAA 5010, ICD-10)
10. HITECH Requirements (BA Impact)
New Privacy Requirements for Business Associates
i. Breach notification
ii. Use and disclosure limitations apply directly to business associates
iii. Minimum necessary principle applies directly; must use limited data sets
Increased Penalties
Business Associates Directly Liable for Violations
Business Associate Agreements Must be Amended
Business Associates Must Impose Same Requirements on Sub-contractors that Access PHI
11. What Is a “Business Associate”?
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
A member of the covered entity’s workforce is not a business associate.
12. Examples of a Business Associate
A third-party administrator that assists a health plan with claims processing.
A CPA firm whose accounting services to a health care provider involve access to protected health information.
An attorney whose legal services to a health plan involve access to protected health information.
13. Examples of No Business Associate Relationship
Physician Services
Nursing Services
Laboratory Services
Radiology Services
Physical Therapy
Occupational Therapy
Bank Services
Courier Services
14. Responsibilities, Obligations and Duties of BA
Must comply with HIPAA
May not use or disclose PHI
Minimum necessary use
Breach Notification to CE and HHS
Direct civil and criminal liability
15. Business Associate Scope
Diagram: Covered Entity -> Business Associate (and its Sub-contractors) -> HHS/OCR
Covered Entity: BA Contract; Breach Notification
Business Associate: Minimum Necessary; Breach Notification; Sub-contractors
HHS/OCR: HIPAA Privacy and Security Rule
18. Information Security Model
Confidentiality: Limiting information access and disclosure to authorized users (the right people)
Integrity: Trustworthiness of information resources (no inappropriate changes)
Availability: Availability of information resources (at the right time)
19. PHI
Diagram relating Health Information, Individually Identifiable Health Information and PHI.
20. ePHI – 18 Elements
Element: Example
Name: Max Bialystock
Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code): 1355 Seasonal Lane
Dates related to an individual: Birth, death, admission, discharge
Telephone numbers: 212 555 1234 (home, office, mobile, etc.)
Fax number: 212 555 1234
Email address: LeonT@Hotmail.com (personal, official)
Social Security number: 239-68-9807
Medical record number: 189-88876
Health plan beneficiary number: 123-ir-2222-98
Account number: 333389
Certificate/license number: 3908763 NY
Any vehicle or other device serial number: SZV4016
Device identifiers or serial numbers: Unique medical devices
Web URL: www.rickymartin.com
Internet Protocol (IP) address numbers: 19.180.240.15
Finger or voice prints: finger.jpg
Photographic images: mypicture.jpg
Any other characteristic that could uniquely identify the individual
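The element list above is the working definition a covered entity hands to a business associate when scoping what data it will see. As an added example (not code from the webinar or from EHR 2.0), the Python below scans free text for the identifier classes that have a fixed machine shape (dates, SSN, telephone/fax, e-mail, URL, IPv4), reports what it finds, and produces a redacted copy. The regular expressions are this example's own assumptions; the sample note is constructed, reusing the slide's example values. Names, street addresses, record and plan numbers have no universal format, so a regex pass deliberately does not claim to cover them.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a real patient record); the identifier values are the
# slide's own example column.
SAMPLE_NOTE = (
    "Patient Max Bialystock, DOB 03/14/1961, SSN 239-68-9807, "
    "phone 212 555 1234, e-mail LeonT@Hotmail.com, "
    "portal www.rickymartin.com, last login from 19.180.240.15."
)

# Patterns for the identifier classes that have a fixed machine shape. These are
# this example's assumptions; the Safe Harbor list names the classes but no regex.
# Names, addresses, MRNs, plan numbers and dates written in words are NOT covered.
PATTERNS = {
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b\d{3}[ .-]?\d{3}[ .-]?\d{4}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "url": re.compile(r"\b(?:https?://|www\.)[A-Za-z0-9./_-]+", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


@dataclass(frozen=True)
class Finding:
    kind: str
    value: str
    start: int
    end: int


def scan(text):
    """Return non-overlapping identifier findings in text order."""
    candidates = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            candidates.append(Finding(kind, m.group(0), m.start(), m.end()))
    # Earliest start first; on a tie the longest match wins. Anything overlapping
    # an accepted finding is dropped so each character is classified once.
    candidates.sort(key=lambda f: (f.start, -(f.end - f.start)))
    findings, last_end = [], -1
    for f in candidates:
        if f.start >= last_end:
            findings.append(f)
            last_end = f.end
    return findings


def redact(text):
    """Replace each finding with a bracketed class tag, e.g. [SSN]."""
    out = text
    for f in reversed(scan(text)):  # right-to-left keeps earlier offsets valid
        out = out[:f.start] + "[" + f.kind.upper() + "]" + out[f.end:]
    return out


def summarize(text):
    """Count findings per identifier class; a cheap pre-transfer check."""
    counts = {}
    for f in scan(text):
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_NOTE):
        print(f"{f.kind:13} {f.value}")
    print(redact(SAMPLE_NOTE))
```

Run it against a file before it leaves for a business associate: a non-empty `summarize()` result means the data set is not de-identified, and `redact()` shows what a minimized copy would look like. Because the patient name and street address in the sample survive the pass untouched, the output also makes the limit of pattern matching visible: this is a detection aid for the minimization recommendation, not a substitute for a de-identification review of the record.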
21. Criteria for Business Associates
‐ Corporate size
‐ Volume of data accessed
‐ Number of facilities serviced
‐ Type of services provided
‐ Complexity of services provided
‐ Location
‐ Previous data breaches, complaints or incidents involving the BA
22. BA Engagement Best Practices
Requirement: Tier 1 / Tier 2 / Tier 3
Right to Audit & Review: Yes / May be / No
Baseline Security Controls: Yes / No / No
Standards and Certification Clause: Yes / Yes / Yes
Contract Review: Every 6 months or any major change / Every year / Every year
Breach Notification: Stringent / Standard / Standard
Training and Education: Yes / Yes / Yes
Periodic Risk Assessment: Yes / May be / N/A
23. HIPAA Security Rule
Columns: HIPAA Section | Standard / Implementation Specification | Implementation Requirement | Description | Solution | Yes/No/Comments (blank checklist column)
164.308(a)(1)(i) | Security Management Process | Required | Policies and procedures to manage security violations | (none listed)
164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment | Penetration test, vulnerability assessment
164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches | SIM/SEM, patch management, vulnerability management, asset management, helpdesk
164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for policies and procedures violations | Security policy document management
164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity | Log aggregation, log analysis, security event management, host IDS
164.308(a)(2) | Assigned Security Responsibility | Required | Identify security official responsible for policies and procedures | (none listed)
164.308(a)(3)(i) | Workforce Security | Required | Implement policies and procedures to ensure appropriate PHI access | (none listed)
164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access | Mandatory, discretionary and role-based access control: ACL, native OS policy enforcement
164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access | Background checks
164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access | Single sign-on, identity management, security policy document management access controls
164.308(a)(4)(i) | Information Access Management | Required | Policies and procedures to authorize access to PHI | (none listed)
164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | Policies and procedures to separate PHI from other operations | Application proxy, firewall, mandatory UPN, SOCKS
164.308(a)(4)(ii)(B) | Access Authorization | Addressable | Policies and procedures to authorize access to PHI | Mandatory, discretionary and role-based access control
164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | Policies and procedures to grant access to PHI | Security policy document management
164.308(a)(5)(i) | Security Awareness Training | Required | Training program for workers and managers | (none listed)
164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates | Sign-on screen, screen savers, monthly memos, e-mail, banners
26. Handheld Usage in Healthcare
• 25% usage with providers
• Another 21% expected to use
• 38% of physicians use medical apps
• 70% think it is a high priority
• 1/3 use hand-held devices for accessing EMR/EHR
Source: CompTIA 2011 Survey
29. Cloud-based services
Cloud models: Public Cloud; Private Cloud; Hybrid
Example services: EHR Applications; Private-label e-mail; Archiving of Images; File Sharing; On-line Backups
Assessment and Agreement with your Cloud Service Providers
“Cloud Computing is taking all batch processing, and farming it out to a huge central or virtualized computers.”
31. Top 5 Recommendations
1. Ensure encryption of all protected health information in storage and in transit (at a minimum, de-identification).
2. Implement a mobile device security program.
3. Strengthen information security user awareness and training programs.
4. Ensure that business associate due diligence includes a clearly written contract and a periodic review of implemented controls.
5. Minimize sensitive data capture, storage and sharing.
32. Reported Breaches involving BAs
https://docs.google.com/spreadsheet/ccc?key=0ArhiA7aQWV1XdEFfNlNPTkxJbWxPbFJvY1d1ajJCOHc
34. Key Takeaways
The HITECH Act treats business associates as a covered entity
Processing of PHI elements drives business associate scope, agreement and assessment
An updated contract and risk assessment questionnaire (due diligence) is recommended
Periodic review of your top-tier business associates and training requirements
36. Next Steps
Business Associate Package
BA Risk Assessment Questionnaire
Sample Policies and Procedures
4-hour Training/Consulting
ehr20.com/services
Next Live Webinars
HIPAA/HITECH Security Assessment (5/2/2012)
OCR/HHS HIPAA/HITECH Audit Preparation (5/9/2012)
Sign up at ehr20.com/webinars
Career Development
Send your resume to info@ehr20.com