in partnership with

February 20, 2014

MPCA HIPAA Compliance/Meaningful Use
Requirements and Security Risk Assessment
Series
Webinar 2

HIPAA/HITECH Requirements for
FQHCs and the New Omnibus Rule
(Part 2)
About MPCA
Michigan Primary Care Association (MPCA)
Has been the voice for Health Centers and other community-based
providers in Michigan since 1980. It is a leader in building a healthy
society in which all residents have convenient and affordable access to
quality health care.
MPCA’s mission is to promote, support, and develop comprehensive,
accessible, and affordable quality community-based primary care
services to everyone in Michigan

www.MPCA.net
517-381-8000
About OSIS
Ohio Shared Information Services, Inc. (OSIS)
We are a 501(c)3 non-profit organization that partners with Federally
Qualified Health Centers (FQHCs) to provide compliance/security
related, IT, EPM and EHR services to improve the quality of care
delivered to the underserved population.
Our security division has professionals on staff dedicated to providing
information security services to transform healthcare.

www.OSISSecurity.com
513-677-5600 x1223
Presented by:
Jay Trinckes, CISO, OSIS
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• National Security Agency (NSA) INFOSEC Assessment Methodology (IAM) and
INFOSEC Evaluation Methodology (IEM)
• Author:
• Presentations: RAC Monitor, NWRPCA-CHAMPS, NACHC-FOM-IT, HRSA Regional
• Upcoming: PMI National Conference, Chicago, IL – May 2014
• Experience: risk assessments, vuln/pen tests, information security management, former law enforcement officer.
Overview of MPCA Seminar Series
Series of five Webinars to assist members
with HIPAA Compliance and Meaningful Use
1. HIPAA/HITECH Requirements for FQHCs
and the New Omnibus Rule (Part 1)
2. HIPAA/HITECH Requirements for FQHCs
and the New Omnibus Rule (Part 2)
3. Meaningful Use Requirements for FQHCs
4. Preliminary Assessment Tool for FQHCs
5. Review of Preliminary Assessment for
FQHCs
Webinar 2: Topics
• Recap of Part 1
• Importance of Security
• Administrative
• Physical
• Technical
• Business Associates
• Questions/Answers
“There are only two types of
companies: Those that
have been hacked, and
those that will be.”
Former FBI Director Robert Mueller
Recap of Part 1
Overview of HIPAA/HITECH
The Health Insurance Portability and
Accountability Act (HIPAA) was enacted
in 1996 as a response from Congress to:
– The increasing use of technology in healthcare
– The need to protect against fraud and compromise
of sensitive information
– State regulations that contradicted federal
regulations
– Regional isolation, with everyone doing their own
thing
HITECH ACT
• Part of the American Recovery and
Reinvestment Act (ARRA) of 2009
• The Health Information Technology for Economic
and Clinical Health Act (The HITECH Act)
– Revised HIPAA
– Amended enforcement regulations
– Stiffer Penalties
– Provided enforcement actions for State
Attorney General
– Increased Breach Notification Rules
Privacy Basics
• In the most basic terms, a health center (and
business associate) may NOT use or disclose
protected health information except as permitted
or required by the HIPAA Privacy Rule.
• A health center and business associate should
apply the least amount of privileges to their
individual employees based upon the roles of
their employees.
• These restrictions should be applied through
policies and procedures to restrict access to
protected health information as ‘need-to-know’ or
to perform their job functions.
Direct Identifiers

The identifiers of the individual or of relatives, employers, or household
members of the individual that must be removed under the Safe Harbor
de-identification method are defined under 45 CFR § 164.514(b)(2) and
include the following eighteen (18) items:
1. Names;
2. All geographic subdivisions smaller than a State, including street address,
city, county, precinct, zip code, and their equivalent geo-codes, except for
the initial three (3) digits of a zip code if, according to the current
publicly available data from the Bureau of the Census: (a) the geographic
unit formed by combining all zip codes with the same three initial digits
contains more than 20,000 people; and (b) the initial three (3) digits of a
zip code for all such geographic units containing 20,000 or fewer people are
changed to ‘000’;
3. All elements of dates (except year) for dates directly related to an
individual, including birth date, admission date, discharge date, date of
death; and all ages over eighty-nine (89) and all elements of dates
(including year) indicative of such age, except that such ages and elements
may be aggregated into a single category of age ninety (90) or older;
4. Telephone numbers;
5. Fax numbers;
6. Electronic mail addresses;
7. Social security numbers;
8. Medical record numbers;
9. Health plan beneficiary numbers;
10. Account numbers;
11. Certificate/license numbers;
12. Vehicle identifiers and serial numbers, including license plate numbers;
13. Device identifiers and serial numbers;
14. Web Universal Resource Locators (URLs);
15. Internet Protocol (IP) address numbers;
16. Biometric identifiers, including finger and voice prints;
17. Full face photographic images and any comparable images;
18. Any other unique identifying number, characteristic, or code.

Omnibus Rule includes Genetic Information as Protected Health Information
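The following is an added example, not code from the webinar or from OSIS: it applies the eighteen Safe Harbor rules above to one patient record. The field names, the constructed sample patient and the list of low-population three-digit zip prefixes are assumptions; a real implementation loads the current Census-derived prefix list, and item 18 (any other unique code) still requires human review of free-text fields that no field-name mapping can catch.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) applied to one record.

Added example, not from the MPCA/OSIS deck. Field names, the sample patient
and the restricted ZIP3 list are assumptions for illustration.
"""
import re
from datetime import date

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer.
# These 17 values are the 2000 Census list cited in HHS guidance, embedded
# here as an assumption; refresh from current Census data before use.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Record keys holding items 1 and 4-17 of the list: removed outright.
DIRECT_FIELDS = {"name", "street", "city", "county", "phone", "fax", "email",
                 "ssn", "mrn", "plan_id", "account_no", "license_no",
                 "vehicle_plate", "device_serial", "url", "ip", "biometric",
                 "photo"}
# Item 3: dates directly related to the individual are reduced to the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed sample record; no real patient.
SAMPLE = {
    "name": "Jane Q. Sample", "street": "12 Example Ln", "city": "Lansing",
    "county": "Ingham", "zip": "48911-1234", "phone": "517-555-0100",
    "email": "jane@example.org", "ssn": "000-00-0000", "mrn": "MRN-0001",
    "birth_date": "1922-02-15", "admission_date": "2014-01-10",
    "diagnosis_code": "E11.9", "sex": "F",
}


def zip3(zip_code):
    """Item 2: keep only the first three digits, or '000' for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth_iso, as_of):
    """Completed years between an ISO birth date and the reference date."""
    born = date.fromisoformat(birth_iso)
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def deidentify(record, as_of):
    """Return a new dict with the 18 Safe Harbor identifiers removed or generalized."""
    over_89 = "birth_date" in record and age_on(record["birth_date"], as_of) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key in DATE_FIELDS:
            # Even the birth year is dropped when it would reveal an age over 89.
            if not (over_89 and key == "birth_date"):
                out[key.replace("_date", "_year")] = value[:4]
        else:
            out[key] = value
    if "birth_date" in record:
        # Ages over 89 collapse into the single '90+' category.
        out["age"] = "90+" if over_89 else age_on(record["birth_date"], as_of)
    return out


if __name__ == "__main__":
    print(deidentify(SAMPLE, date(2014, 2, 20)))
```

Run against the sample, the output keeps only the three-digit zip, the admission year, the diagnosis code, sex and the aggregated age; because the patient is over 89 the birth year is dropped as well, which is the part of item 3 most de-identification scripts get wrong.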
Minimum Necessary
• A health center and business associate must develop
policies and procedures that reasonably limit its uses
and disclosures of, and requests for, protected health
information for payment and healthcare operations to the
minimum necessary.
• There are several different examples to demonstrate how
the minimum necessary standards can be applied, but there
may be an easier example of what not to do.
– It would be a violation of the minimum necessary standard if a
hospital employee is allowed routine, unimpeded access to
patients’ medical records if that employee does not need this
access to do his or her job.

Minimum necessary requirements do NOT apply to disclosures
to or requests by a healthcare provider for treatment; uses or
disclosures made to the individual; uses or disclosures made
pursuant to an authorization; disclosures made to the
Secretary; uses or disclosures that are required by law; and
uses or disclosures that are required for compliance with the
Privacy Rule.
Administrative Requirements
• Privacy Personnel Designations
• Privacy Training
• Administrative Safeguards
• Complaint Handling
• Workforce Member Sanctions
• Mitigation
• Retaliation
• Waiver of Rights
• Privacy Policies
Enforcement
• HITECH civil monetary penalty tiers (Section 1176(a)(1)):

Violation Category                         Each Violation       All Such Violations of an Identical Provision in a Calendar Year
(A) Did Not Know                           $100 - $50,000       $1,500,000
(B) Reasonable Cause                       $1,000 - $50,000     $1,500,000
(C)(i) Willful Neglect – Corrected         $10,000 - $50,000    $1,500,000
(C)(ii) Willful Neglect – Not Corrected    $50,000              $1,500,000

• [Note: State Attorneys General can also bring
enforcement actions.]
• OCR has collected over $50 million from enforcement
• It is more cost effective to become HIPAA compliant
than to risk enforcement
Enforcement (cont.)

US Code Title 42 Chapter 7 – 1320d-6
• Wrongful disclosure of individually identifiable health information
• Offense: A person who knowingly and in violation of this part:
– Uses or causes to be used a unique health identifier;
– Obtains individually identifiable health information relating to an
individual; or
– Discloses individually identifiable health information to another person
A person described … shall—
• (1) be fined not more than $50,000, imprisoned not more than 1
year, or both;
• (2) if the offense is committed under false pretenses, be fined not
more than $100,000, imprisoned not more than 5 years, or both;
and
• (3) if the offense is committed with intent to sell, transfer, or use
individually identifiable health information for commercial
advantage, personal gain, or malicious harm, be fined not more
than $250,000, imprisoned not more than 10 years, or both.
Privacy Rule vs. Security Rule
Privacy Rule
• Implement appropriate and reasonable safeguards to
secure Protected Health Information (PHI):
– Administrative
– Physical
– Technical
Security Rule
• Intended to protect certain Electronic Protected
Health Information (EPHI)
• Secure the confidentiality, integrity, availability while
allowing authorized use and disclosure
– Administrative
– Physical
– Technical
• More Detailed and Comprehensive
Required vs. Addressable
• Addressable is NOT the same as optional!
• Addressable means the entity must:
– Perform an assessment to determine whether
the implementation specification is a reasonable
and appropriate safeguard for implementation in
the entity’s environment
– Decide whether to implement the addressable
specification as-is, implement an equivalent
alternative that still allows compliance, or not
implement either one
– Document the assessments and all decisions
Omnibus Rule
• Effective: March 26, 2013 – 180 days to comply –
deadline September 23, 2013
– Modifies Privacy, Security, Enforcement Rule, and
Breach Notification Rules
• Business Associates (and subcontractors of a BA) are now
directly liable for compliance – minimum necessary applies

– Limit use/disclosure for marketing/fundraising;
prohibit sale of PHI
– Individuals have right to electronic copies of health
information
– Right to restrict disclosure for ‘out-of-pocket’
payments
– Modify authorization for proof of immunization to
schools
– Enable access to decedent information (after 50
years)
Omnibus Rule (cont.)
• Enforcement Rule
– Increased tiers for Civil Monetary Penalties
(CMP); ‘willful neglect’

• Breach Notification
– Removes the ‘harm’ threshold; every impermissible
use or disclosure of PHI is presumed a breach unless
a risk assessment demonstrates a low probability that
the PHI has been compromised

• Privacy Rules – includes protection of
genetic information
• De-Identification - guidance
Meaningful Use

• The Centers for Medicare & Medicaid Services (CMS)
provides incentives (i.e. $) for the use of Electronic
Health Record (EHR) Technologies
• Since January 2011, there has been an estimated
$17 billion paid out for meaningful use incentives.
• Stage 1: 15 core objectives to meet
– Core 15 – determines if a security risk analysis was
conducted or reviewed as required under 45 CFR
164.308(a)(1)
– In addition, security updates must be implemented

• Stage 2
– Ensure adequate privacy and security protection for
personal health information (same as Core 15 above);
ALSO addresses the encryption/security of data stored
within the EHR software
– Use secure electronic messaging to communicate with
patients on relevant health information
Importance of Security
“The state of technology
security overall is so weak that
intelligence officials see
hacking as one of the largest
threats to western powers.”
(Menn 2011)
Importance of Security
• In January 2012, Former FBI Director Robert Mueller
testified before the Senate Select Committee on
Intelligence explaining that cyber-threats would
surpass terrorism as the nation’s top concern.
• Norton AV: 141 victims of cybercrime per minute
• Total bill of cybercrime is $139 billion in US ($388
billion globally)
• Gartner: Less than 1% of cybercriminals are arrested
• OCR – since September of 2009,
– 804 incidents affecting
– 29.3 Million individuals.

• Ponemon: The impact of medical identity theft crimes
is close to $31 billion a year
State of Security
-Recent Ponemon Institute Survey
• Small companies realize vulnerabilities, but few fully
appreciate ramifications
– More worried about time/productivity lost than loss of
customers or business partners, or damage to reputation and
increase cost to winning new prospects
– Misconceptions of consequences prevent mitigation
• Insufficient people resources – 64%
• Lack of in-house skilled or expert personnel – 55%
• Lack of central accountability– 50%

• Top 3 Threats
– Proliferation of unstructured data – 69%
– Unsecure third parties including cloud providers – 65%
– Not knowing where all sensitive data is located – 62%

• Results indicate that companies tend to seriously
underestimate potential damage and reveal a great data
breach perception gap
Healthcare Security
• Target: healthcare information
– Insurance Information: Able to resell access to people
who don’t have insurance
– Access to prescription drugs

• Survey: 600 healthcare executives
– 50% reported a privacy/security related issue over last 2
years
– 75% already sharing patient data (studies, post-market
drug analysis, new medical programs)
– Only 50% addressing security issues

• Hospital Management Systems (HMS) Survey
– 53% conducted mandatory risk assessment
– 58% had no dedicated staff
– 50% spend less than 3% of their resources on security
Data Breach Study
• Causes:
– 50% hacking
– 49% malware
– 29% physical
– 17% abuse of privileges
– 11% social engineering

• Participants: 45% of large companies had staff
that leaked data (46% of these were
very/extremely serious)
– 92% external
– 17% insider
According to a report from PricewaterhouseCoopers,
LLP (PwC), “Electronic health data breaches are
increasingly carried out by ‘knowledgeable insiders’
bent on identity theft or access to prescription drugs.”
(Eisenberg 2011)
Costs
Data security breaches cost US healthcare industry
$6.5 billion annually
– 75% lack adequate funding
– 48% of organization spend less than 10% of annual
budget on security

• Five categories:
– Legal/Regulatory – fines/penalties, lawsuits
– Financial – business distraction, remediation,
communication, insurance, changing vendors
– Operational – recruiting new hires, reorganization
– Clinical – diagnosis delays, processing fraud,
research
– Reputational – loss of future patients, business
partners, staff losses
Medical Identity Theft
• Unaware of seriousness
• Fairly easy
• Victims tend to be older
• Hard to determine when crime occurred
• Share medical information with family
Larry Ponemon, Chairman and Founder of the
Ponemon Institute stated, “Our study shows that
the risk and high cost of medical identity theft are
not resonating with the public, revealing a serious
need for greater education and awareness.”
Breach Notification Rule
• Breach is defined as “the acquisition, access,
use, or disclosure of protected health information
in a manner not permitted under subpart E [45
CFR Subpart E – Privacy of Individually
Identifiable Health Information] of this part which
compromises the security or privacy of the
protected health information.” (The earlier
qualifier “or poses a significant risk of financial,
reputational, or other harm to the individual” was
removed by the Omnibus Rule.)
• Ponemon Survey:
– Overall Cost $188 per record (2012)
• Healthcare $233 per record (2012)
• Pharmaceutical $207 per record (2012)

– Full cost of a data breach averages $5.4 million
(includes detection, notification, post-breach response and loss of business)
Lessons Learned from Breach
• Determine security posture
• Assume ALL portable devices contain
sensitive information
• Set expectations of contractors
• Security incident handling
• Don’t underestimate burden of incident
• Keep logs
• Take responsibility for your actions (both
individually and as an organization)
Important Requirements
• Administration
– Security Management Process
• Risk Analysis, Risk Management, Sanction Policy,
Information System Activity Review

– Security Awareness Training
– Security Incident Procedures
– Contingency Planning

• Physical
– Workstation, Device, Remote Access

• Technical
– Access Control, Integrity, Transmission
Administrative Safeguards
Administrative Safeguards
• Over ½ of the HIPAA Security requirements
are covered under the Administrative
Safeguards
• Administrative Safeguards are:
– Administrative actions
– Policies/Procedures

• To manage security, must measure the:
– Selection of mitigating controls
– Development of controls accordingly
– Implementation of controls
– Maintenance of controls
Security Management
• Must “implement policies and procedures
to prevent, detect, contain, and correct
security violations.”
– Conduct a Risk Assessment
• Risk Analysis – “conduct an accurate and
thorough assessment of the potential risks and
vulnerabilities to the confidentiality, integrity, and
availability of electronic protected health
information held by the health center.”
• Risk Management - “implement security
measures sufficient to reduce risks and
vulnerabilities to a reasonable and appropriate
level.”
Sanction Policy
• “apply appropriate sanctions against
workforce members who fail to comply
with the security policies and procedures
of the covered entity.”
• Sign a statement of adherence to security
policy/procedures
Information System Activity Review
• “regularly review records of information
system activities.”
– Audit logs
– Access reports
– Security incident tracking reports

• Identify audit/activity review functionality
• Can they be adequately used to monitor
• Policy to establish review – procedures to
follow
Assigned Security Responsibility
• Security Official required
• The Security Official is “responsible for
the development and implementation of
the [security] policies and procedures
required by [the Security Rule].”
Workforce Security
• Covered entities and business associates
must “implement [adequate] policies and
procedures to ensure that all members of
its workforce have appropriate access to
electronic protected health information.”
Authorization and/or Supervision
• There should be adequate
implementation of “procedures for the
authorization and/or supervision of
workforce members who work with
electronic protected health information.”
– Identify Roles
– Based on roles, provide appropriate access
levels

• Workforce Clearance
• Termination Procedures
Information Access Management
• “implement [adequate] policies and
procedures for access authorization to
electronic protected health information
that are consistent with the applicable
[Privacy Rule requirements].”
• Develop classification of information
– Protected Health Information
– Confidential Information
– Business Sensitive
– Public Information
Security Awareness Training
• A health center should provide adequate
security awareness training to all
members of its workforce including
management or executive level
personnel.
– Security Reminders - “periodic security
updates”
– Protection from Malicious Software - There
should be adequate procedures in place for
“guarding against” malicious software.
Log-in Monitoring
• To verify that appropriate access is being
maintained, the covered entity/business
associate should have adequate
procedures in place to monitor any log-in
attempts.
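The two preceding slides (Information System Activity Review and Log-in Monitoring) ask for regular review of audit logs and log-in attempts but show no mechanics. The following is an added example, not from the webinar or OSIS, of what such a review looks like in code: it parses a constructed key=value access log, flags users with a burst of failed log-ins inside a sliding window, and flags users who opened more patient charts in a day than their role needs, which is the hospital-employee “routine, unimpeded access” violation of minimum necessary from the Privacy Basics slide. The log format, user names, roles and thresholds are assumptions; real EHR and directory logs must be mapped into the same fields.

```python
"""Review of information-system activity records (audit logs, access reports).

Added example, not from the MPCA/OSIS deck. Log format, users, roles and
thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line, timestamp then key=value pairs.
SAMPLE_LOG = """\
2014-02-20T08:01:12 user=jdoe event=LOGIN_FAIL src=10.0.0.5
2014-02-20T08:01:20 user=jdoe event=LOGIN_FAIL src=10.0.0.5
2014-02-20T08:01:31 user=jdoe event=LOGIN_FAIL src=10.0.0.5
2014-02-20T08:01:44 user=jdoe event=LOGIN_FAIL src=10.0.0.5
2014-02-20T08:02:05 user=jdoe event=LOGIN_FAIL src=10.0.0.5
2014-02-20T08:02:30 user=jdoe event=LOGIN_OK src=10.0.0.5
2014-02-20T08:05:00 user=jdoe event=VIEW patient=MRN-0042
2014-02-20T09:15:00 user=bsmith event=VIEW patient=MRN-0042
2014-02-20T09:16:00 user=bsmith event=VIEW patient=MRN-0043
2014-02-20T09:17:00 user=bsmith event=VIEW patient=MRN-0044
2014-02-20T22:40:00 user=sysadm event=VIEW patient=MRN-0042
2014-02-21T07:59:00 user=sysadm event=LOGIN_FAIL src=10.0.0.9
"""

# Constructed role assignments and the number of distinct patient charts a
# role can plausibly need in one day; 0 means the role has no clinical need.
ROLES = {"jdoe": "front_desk", "bsmith": "billing", "sysadm": "it_admin"}
DAILY_CHART_LIMIT = {"front_desk": 60, "billing": 150, "it_admin": 0}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")


def parse_log(text):
    """Turn the key=value lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
        events.append({"ts": datetime.fromisoformat(m.group("ts")),
                       "user": m.group("user"), "event": m.group("event"), **attrs})
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Log-in monitoring: users with >= threshold LOGIN_FAIL events inside
    any window of the given length (sliding window over sorted timestamps)."""
    times = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            times[e["user"]].append(e["ts"])
    flagged = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def chart_access_outside_role(events):
    """Minimum-necessary check: distinct patients viewed per user per day,
    compared with what that user's role should need. Unknown users get 0."""
    charts = defaultdict(set)
    for e in events:
        if e["event"] == "VIEW" and "patient" in e:
            charts[(e["user"], e["ts"].date().isoformat())].add(e["patient"])
    findings = []
    for (user, day), patients in sorted(charts.items()):
        limit = DAILY_CHART_LIMIT.get(ROLES.get(user), 0)
        if len(patients) > limit:
            findings.append((user, day, len(patients), limit))
    return findings


def review(text):
    """The two checks a periodic activity review would run over one log extract."""
    events = parse_log(text)
    return {"login_bursts": failed_login_bursts(events),
            "role_violations": chart_access_outside_role(events)}


if __name__ == "__main__":
    for name, result in review(SAMPLE_LOG).items():
        print(name, result)
```

On the sample, jdoe trips the failed-log-in threshold (five failures in under a minute, then a success, which is what a guessed password looks like) and sysadm is flagged for opening a chart at all, since an IT administrator's role has no patient-care need; bsmith's three charts are within the billing role's limit. Both findings feed the Sanction Policy and Security Incident procedures rather than being silently logged.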
No Expectation of Privacy
Password Management
• Procedures in place for “creating,
changing, and safeguarding passwords”.
– Use unique, complex passwords
– Commit passwords to memory
– Do NOT write passwords down in unsecured
locations
– Do NOT share passwords with anyone
– Authenticate Users
Security Incident
• A security incident is “the attempted or successful
unauthorized access, use, disclosure, modification, or
destruction of information or interference with system
operations in an information system” (45 CFR 164.304);
for a health center this centers on protected health
information being used or disclosed in an unauthorized
fashion.
– Actual unauthorized access, use, or
disclosure
– Interference with system operations (Denial
of Service)
• According to a report by Solutionary, security
service provider, companies pay $6,500 an hour
from a DDoS attack and up to $3,000 a day to
mitigate/recover from malware infections.
Contingency Plan
• Need to be able to sustain or resume
business during or after an emergency.
• Implement adequate policies and
procedures, as needed, to respond to
emergency or other situations that could
cause damage to systems that contain
electronic protected health information.
– Fire
– Vandalism
– System Failures
– Natural Disasters
Physical Safeguards
Physical Safeguards –
First Layer of Defense

• Physical Layer

– Controls over physical access
– Procedures and maintenance of documents/hardware

• Two Areas:
– Facility Access Control
– Device/Media Controls

• Physical security requires a total commitment to a
CULTURE of security and an adherence to the
principles of physical security.
– Proper Identification
– Proper Authorization
– Need to Know; Minimum Use

“60% of all theft is committed by internal staff”
Facility Access Control
• Policies/Procedures
– Cover all staff members, visitors, and
business associates, contractors, subcontractors, (anyone entering facility)

The goal of physical and environmental
protection is to secure protected health
information along with the security of the
facility and workforce members working
within the facility.
Workstation Use
• Asset Inventory – can’t protect what you
don’t know you have
– Includes workstations, laptops, PDAs,
tablets, smart phones, printers, typewriters,
etc.

• Minimum Necessary Rule applies
– Physical Controls to lock down mobile
devices
– Technical Controls to restrict devices/users
– Restricted access to the Internet
Device and Media Controls
• Hardware and electronic media includes:
– Hard drives;
– Magnetic tapes or disks;
– Optical disks;
– Digital memory cards;
– Removable thumb drives; or
– Any other items that may contain electronic
protected health information.
Controls
• Wiping/Degaussing
• Encryption
• Password protection
• Tracking
• USB Controls/Data Loss Prevention (DLP)
Remote Use and Mobile Device
“There have been a number of security incidents related
to the use of laptops, other portable and/or mobile
devices and external hardware that store, contain or
are used to access Electronic Protected Health
Information (EPHI) under the responsibility of a
HIPAA covered entity. All covered entities are
required to be in compliance with the HIPAA Security
Rule, which includes, among its requirements,
reviewing and modifying, where necessary, security
policies and procedures on a regular basis. This is
particularly relevant for organizations that allow
remote access to EPHI through portable devices or
on external systems or hardware not owned or
managed by the covered entity.” (The Department of
Health and Human Services 2006)
Social Engineering
“any act that influences a person to take an
action that may or may not be against their
best interest.”
Examples
Tips to Avoid SE
1. Learn to Identify Social Engineering Attacks
2. Security Awareness Should Be Personal and
Interactive
3. Understand the Value of the Information They
Possess
4. Updates are essential
5. Develop Scripts
6. Have and Learn from Social Engineering
Assessments
Credit – Chris Hadnagy, Social Engineering: The Art
of Human Hacking
Personnel Security
• Be Aware of Surroundings
• Attempt to travel in groups and not alone
• Stay in lighted areas
• Take different routes; change up routine
• Out of Town Travel
– Stay at reputable hotels
– Take special care and control over
equipment/information
– Key cards (magnetic swipes)
– Door stops
– Talking on phone
Laws of Security (Laws 1-9 adapted from Microsoft's “10 Immutable Laws of Security”)
• Law #1: If a malicious individual persuades a user to
run his/her program on their computer, it is no longer
their computer.
• Law #2: If a malicious individual can alter the
operating system of a user's computer, it is no longer
their computer.
• Law #3: If a malicious individual has physical access to
a user's computer, it is no longer their computer.
• Law #4: If a user allows a malicious individual to
upload programs to their website, it isn't their website
anymore.
• Law #5: Strong security is always undermined by weak
passwords.
Laws of Security (cont.)
• Law #6: Treat your system administrators well and
make sure they can be trusted, since a computer is
only as secure as the administrator makes it.
• Law #7: Encrypted data is only as secure as the
decryption key. (If you use a weak encryption
algorithm or don't protect the keys, encryption is
worthless.)
• Law #8: Keep your virus scanners up to date since an
old .dat file is just slightly better than having no virus
scanner installed at all.
• Law #9: It is very difficult to be anonymous in the real
world and on the web. (Your behaviors will determine
the level of privacy you will have.)
• Law #10: “Security is a process… NOT a product.”
(phrase coined by Bruce Schneier.)
Technical Safeguards
Technical Safeguards
• The objective of these safeguards is to
mitigate the risk of electronic protected
health information being used or
disclosed in an unauthorized manner.
• CIA Triad
– Confidentiality
– Integrity
– Availability
Risk Assessment
• The covered entity (and business
associate) are required to “conduct an
accurate and thorough assessment of the
potential risks and vulnerabilities to the
confidentiality, integrity, and availability of
electronic protected health information
held by the covered entity.”

Will discuss more in webinar 3
Access Control
• Allow access to only those that are
authorized
– Includes software programs
– Data in databases

• Controls on:
– Workstations
– Laptops
– Servers
– Network (through firewall/routers)
Unique User Identification
• Every workforce member must have an
unique user identifier (i.e. username)
when accessing information
• Account Management Includes:
– Account Establishment
– Account Activation
– Account Modification
– Account Termination
– Account Removal
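Account management is where the Workforce Security slide (termination procedures) and this Unique User Identification slide meet, and it is routinely checked by reconciling the HR roster against the accounts that actually exist. The following is an added example, not from the webinar or OSIS, of that reconciliation: it reads two constructed CSV extracts and flags accounts with no individual owner (shared or generic logins defeat unique user identification and make audit trails unattributable), accounts still enabled or used after a termination date, and dormant accounts. Both extracts and their column names are assumptions to be mapped from the real HR and directory exports.

```python
"""Account lifecycle review: reconcile the HR roster against EHR/directory
accounts to catch termination and unique-user-ID failures.

Added example, not from the MPCA/OSIS deck. Both CSV extracts are
constructed sample data with assumed column names.
"""
import csv
import io
from datetime import date

HR_ROSTER = """\
employee_id,username,status,termination_date
E100,jdoe,active,
E101,bsmith,terminated,2014-01-31
E102,cjones,active,
E103,sysadm,active,
"""

ACCOUNTS = """\
username,enabled,last_login,ehr_role
jdoe,true,2014-02-19,front_desk
bsmith,true,2014-02-18,billing
cjones,true,2013-10-01,nurse
frontdesk2,true,2014-02-20,front_desk
sysadm,true,2014-02-20,it_admin
"""


def _parse_date(text):
    """ISO date or None for an empty field."""
    return date.fromisoformat(text) if text else None


def reconcile(roster_csv, accounts_csv, as_of, dormant_days=90):
    """Return (username, finding) pairs for accounts that should not exist,
    should have been disabled, or show activity the roster cannot explain."""
    roster = {r["username"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_login = _parse_date(acct["last_login"])
        person = roster.get(user)
        if person is None:
            # No individual behind the account: a shared or generic login.
            findings.append((user, "no_individual_owner"))
            continue
        if person["status"] == "terminated":
            term = _parse_date(person["termination_date"])
            if enabled:
                findings.append((user, "enabled_after_termination"))
            if last_login and term and last_login > term:
                # Termination procedures failed and someone used the account.
                findings.append((user, "login_after_termination"))
        if enabled and (last_login is None or (as_of - last_login).days > dormant_days):
            findings.append((user, "dormant"))
    return findings


if __name__ == "__main__":
    for user, finding in reconcile(HR_ROSTER, ACCOUNTS, date(2014, 2, 20)):
        print(f"{user}: {finding}")
```

A login after the termination date is the finding to treat as a security incident, not just a housekeeping item: either the departed worker still has access or someone else is using their credentials, and either way the audit trail for that account can no longer be attributed to one person.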
Emergency Access Procedure
• Emergency procedures should contain
methods of supporting continued
operations in situations that affect normal
operations.
• It should be determined whether or not
the information systems can allow for the
automatic failover to emergency
configurations or will a workforce member
have to manually configure these failover
procedures.
Automatic Logoff
• Health centers should implement an
automatic logoff of information systems
after a period of workforce member
inactivity.
– Generally, 10 minutes (the Security Rule sets no fixed
interval; choose the value from the risk analysis and document it)

• The automatic logoff feature should be
activated on all workstations (and
software) with access to electronic
protected health information.
Encryption/Decryption
• A covered entity (and business associate)
needs to identify or address all electronic
protected health information that requires
encryption so that it is restricted from access
by individuals or other software programs
that may not be granted access rights to this
information.
• Reasonable/Appropriate
• State of Data
– Stored
– Processed
– Transit
Audit Controls
• A health center is required to implement
audit control mechanisms that are
reasonably implemented to record and
examine activity in information systems
that contain or use electronic protected
health information.
– Established by risk assessment
– Can take up a lot of hard drive space
– Need to be flexible, but account for important
items
– Need to be reviewed
Integrity
• Deals with alteration or modification of
data
• Awareness
– Training
– Audit Trails
– Sanctions

• Risk Assessment identifies possible
unauthorized modification areas
• Backups
Authentication
• Something the individual knows (e.g. a password or
PIN) that must be presented prior to gaining access;
• Something only the individual has (e.g. a hardware
token, smart card, or one-time-code generator) that
must be presented prior to gaining access; or
• Something unique to only that individual (e.g. a
fingerprint or other biometric) presented prior to
gaining access.
• Requiring two of these factors (multi-factor
authentication) limits what a stolen password alone
can do.
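The “something they have” factor is most often a time-based one-time code. The following is an added example, not from the webinar or OSIS, of that factor implemented end to end with only the Python standard library: HOTP (RFC 4226), TOTP on top of it (RFC 6238), and the server-side verifier with a constant-time compare, a one-step clock-drift window and a per-user replay guard so a code captured by a phishing page cannot be reused. The drift window and the replay guard are design choices made here, not requirements stated on the slide; the test secret is the one published in RFC 6238 Appendix B, not a deployable key.

```python
"""TOTP (RFC 6238) as a "something you have" authentication factor.

Added example, not from the MPCA/OSIS deck. Standard library only; the
drift window and per-user replay guard are this example's design choices.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, reduced modulo 10^digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, for_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(for_time) // step, digits)


def new_secret(nbytes=20):
    """Enrollment secret for an authenticator app, base32 as QR payloads use it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


class TotpVerifier:
    """Server-side check: constant-time compare, a small clock-drift window,
    and a per-user high-water mark so a captured code cannot be replayed."""

    def __init__(self, step=30, digits=6, drift=1):
        self.step, self.digits, self.drift = step, digits, drift
        self._last_counter = {}  # user -> highest counter already accepted

    def verify(self, user, key, code, now=None):
        now = time.time() if now is None else now
        counter = int(now) // self.step
        for c in range(counter - self.drift, counter + self.drift + 1):
            if c <= self._last_counter.get(user, -1):
                continue  # that time step was already consumed: single use
            if hmac.compare_digest(hotp(key, c, self.digits), code):
                self._last_counter[user] = c
                return True
        return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). A real
# deployment generates one per user with new_secret() and stores it encrypted.
RFC_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_KEY, 59, digits=8))                      # RFC vector: 94287082
    v = TotpVerifier(digits=8)
    print(v.verify("alice", RFC_KEY, "94287082", now=59))   # True
    print(v.verify("alice", RFC_KEY, "94287082", now=70))   # False: replay
```

The secret is shared, so it is only as strong as its storage on the server (compare Law #7 above): a database dump that exposes TOTP seeds exposes the second factor for every user at once.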
Transmission Security
• A health center needs to implement
adequate technical security measures to
guard against unauthorized access to
electronic protected health information
being transmitted over an electronic
communications network.
• Restrict or disable cleartext and legacy management
protocols (SNMP, Finger, TFTP) and carry electronic
protected health information only over encrypted channels
“Results require action, not excuses!” – Amy Cotta
Business Associates
Business Associates
• Omnibus Rule:
– Directly liable
– Implement administrative, physical, and technical
safeguards to protect CIA of EPHI
– BA is any organization that creates, receives,
maintains, or transmits PHI on health center’s
behalf

• Any agent, or subcontractor of BA is also
considered a BA
– Agent must enter into a BAA with subcontractor to
comply with HIPAA Security Rules and applicable
Privacy Rules
Examples of Business Associates
• Companies that provide certain types of functions, activities, and
services to covered entities.
– Claims Processing;
– Data Analysis;
– Utilization review;
– Billing;
– Legal Services;
– Accounting/financial services;
– Consulting;
– Administrative;
– Accreditation; or
– Other related services

• Omnibus Rule added:
– Patient Safety Organizations
– Health Information Organizations, E-Prescribing Gateways, other data
transmission services that require routine access
– Persons that offer personal health records to one or more individuals on
behalf of health center
Business Associate
• As required by 45 CFR § 164.308(b)(1), a
covered entity should obtain “satisfactory
assurance” that their business associates will
“appropriately safeguard the electronic protected
health information created, received, maintained,
or transmitted on the covered entity’s behalf.”
• Although ‘satisfactory assurance’ is met through a
‘written contract or other arrangement’, it is
recommended that the same level of due
diligence met by the covered entity to secure
electronic protected health information is being
met by the business associate. – Omnibus Rule
Business Associate Contracts
• BA agrees to not use/disclose PHI other than
permitted (explain what is permitted)
• Use appropriate safeguards
• Ensure subcontractors agree to same
restrictions/safeguards
• Availability to health center
• Additional amendments
• Accounting of disclosures
• Make practices available to Secretary of HHS
for purposes of determining compliance
Business Associate Contracts (cont.)
• Report any security incident
– Omnibus Rule: reporting of breaches of
unsecured protected health information

• Termination Clause
– Omnibus Rule: BA is obligated to follow
standards under HIPAA Security Rule, must
also follow applicable HIPAA Privacy Rules

• Consider costs of a breach
• Consider right to audit
Summary
• Assume Audit will happen
• Conduct Risk Assessment
• Update Policies/Procedures
• Revise BAAs and conduct Due Diligence
• Train and Educate
• Evaluate
• Document, Document, Document
Service Offerings
• HIPAA Compliance Program
• HIPAA/HITECH Information Systems Security Risk Assessment
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Internal/External Vulnerability/Penetration Test
• Organizational Requirements
• Policies, Procedures, & Documentation Requirements
• Policies/Procedures
• Security Awareness Training
• Mitigation Management
• Vendor Due Diligence
• Security Incident Response Handling
• Business Continuity/Disaster Recovery Planning
• Subject Matter Expertise
Questions
Jay@OSISSecurity.com
513-707-1623 (direct)
in partnership with

Thursday, March 6, 2014, 2pm – 3pm EST
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series
Webinar 3: Meaningful Use Requirements for FQHCs from the Security Risk Aspect
HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule

  • 5. Overview of MPCA Seminar Series Series of five Webinars to assist members with HIPAA Compliance and Meaningful Use 1. HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 1) 2. HIPAA/HITECH Requirements for FQHCs and the New Omnibus Rule (Part 2) 3. Meaningful Use Requirements for FQHCs 4. Preliminary Assessment Tool for FQHCs 5. Review of Preliminary Assessment for FQHCs
  • 6. Webinar 2: Topics • Recap of Part 1 • Importance of Security • Administrative • Physical • Technical • Business Associates • Questions/Answers
  • 7. “There are only two types of companies: Those that have been hacked, and those that will be.” Former FBI Director Robert Mueller
  • 9. Overview of HIPAA/HITECH The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 as a response from Congress to: – Increase technology in healthcare – Protect against potential fraud or compromise of sensitive information – Different regulations within states contradicting federal regulations – Regional isolation – everyone doing their own thing
  • 10. HITECH ACT • Part of the American Recovery and Reinvestment Act (ARRA) of 2009 • The Health Information Technology for Economic and Clinical Health Act (The HITECH Act) – Revised HIPAA – Amended enforcement regulations – Stiffer Penalties – Provided enforcement actions for State Attorney General – Increased Breach Notification Rules
  • 11. Privacy Basics • In the most basic terms, a health center (and business associate) may NOT use or disclose protected health information except as permitted or required by the HIPAA Privacy Rule. • A health center and business associate should apply the least amount of privileges to their individual employees based upon the roles of their employees. • These restrictions should be applied through policies and procedures to restrict access to protected health information as ‘need-to-know’ or to perform their job functions.
  • 12. Direct Identifiers: direct identifiers of the individual or of relatives, employers, or household members of the individual are defined under 45 CFR § 164.514(b)(2)(i) and include the following eighteen (18) items:
    1. Names;
    2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geo-codes, except for the initial three (3) digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (a) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (b) the initial three (3) digits of a zip code for all such geographic units containing 20,000 or fewer people are changed to ‘000’;
    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over eighty-nine (89) and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age ninety (90) or older;
    4. Telephone numbers;
    5. Fax numbers;
    6. Electronic mail addresses;
    7. Social security numbers;
    8. Medical record numbers;
    9. Health plan beneficiary numbers;
    10. Account numbers;
    11. Certificate/license numbers;
    12. Vehicle identifiers and serial numbers, including license plate numbers;
    13. Device identifiers and serial numbers;
    14. Web Universal Resource Locators (URLs);
    15. Internet Protocol (IP) address numbers;
    16. Biometric identifiers, including finger and voice prints;
    17. Full face photographic images and any comparable images;
    18. Any other unique identifying number, characteristic, or code.
    The Omnibus Rule includes Genetic Information as Protected Health Information.
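The zip code and age rules in items 2 and 3 are the two parts of the Safe Harbor list that are easy to get wrong in code, so here is an added worked example (written for this page, not code from the presenter or from OSIS) that scrubs one patient record under those rules. The field names, the sample record and the `as_of` reference date are assumptions made for the example; the restricted 3-digit zip prefixes are the values commonly cited from HHS guidance based on 2000 Census data and must be regenerated from current Census data before any real use.

```python
import re
from datetime import date

# Illustrative 3-digit ZIP prefixes whose combined population is 20,000 or
# fewer. ASSUMPTION: taken from HHS Safe Harbor guidance derived from 2000
# Census data; regenerate from current Census data before relying on it.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Hypothetical field names mapped to identifiers 1 and 4-17 (dropped outright).
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "plan_id", "account", "license", "vehicle", "device_id",
    "url", "ip", "biometric", "photo",
}

ISO_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def safe_harbor_zip(zip_code):
    """Identifier 2: keep the first three digits only when that 3-digit
    area holds more than 20,000 people; otherwise emit '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def safe_harbor_age(age):
    """Identifier 3: every age over 89 collapses into one '90+' bucket."""
    return "90+" if age > 89 else age


def _age_on(dob, as_of):
    """Completed years between dob and as_of (both datetime.date)."""
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def deidentify(record, as_of):
    """Apply the Safe Harbor rules to one record.

    record: dict of hypothetical field names; dates are ISO 'YYYY-MM-DD'
            strings, 'dob' is the birth date, 'zip' the postal code.
    as_of:  ISO date string used as the reference point for age.
    """
    reference = date.fromisoformat(as_of)
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue                                   # direct identifier: remove
        if key == "zip":
            out["zip3"] = safe_harbor_zip(value)
        elif isinstance(value, str) and ISO_DATE.match(value):
            out[key + "_year"] = date.fromisoformat(value).year   # dates keep year only
        else:
            out[key] = value                           # e.g. diagnosis codes, lab values
    dob = record.get("dob")
    if isinstance(dob, str) and ISO_DATE.match(dob):
        age = _age_on(date.fromisoformat(dob), reference)
        out["age"] = safe_harbor_age(age)
        if age > 89:
            out.pop("dob_year", None)                  # a birth year alone would reveal age > 89
    return out


# Constructed sample record (fictional values) for the demo.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1920-05-01",
    "ssn": "000-00-0000",
    "zip": "03601",          # restricted prefix -> '000'
    "admit": "2013-11-05",
    "dx": "E11.9",
}


def demo():
    """Scrub the sample record as of the webinar date."""
    return deidentify(SAMPLE_RECORD, "2014-02-20")


if __name__ == "__main__":
    print(demo())
```

Two things the example deliberately does not do, and that a real scrubber must: it does not inspect free-text fields (notes, comments), where names and dates hide, and it does not decide what counts as item 18, "any other unique identifying number, characteristic, or code", which is a judgement call per data set. Safe Harbor also requires that the covered entity have no actual knowledge the remaining data could identify the individual, which no function can assert for you.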
  • 13. Minimum Necessary • A health center and business associate must develop policies and procedures to reasonably limit its disclosures of, and requests for, protected health information for payment and healthcare operations to the minimum necessary. • There are several different examples to demonstrate how the minimum necessary standard can be applied, but there may be an easier example of what not to do. – It would be a violation of the minimum necessary standard if a hospital employee is allowed routine, unimpeded access to patients’ medical records if that employee does not need this access to do his or her job. Minimum necessary requirements do NOT apply to disclosures to or requests by a healthcare provider for treatment; uses or disclosures made to the individual; uses or disclosures made pursuant to an authorization; disclosures made to the Secretary; uses or disclosures that are required by law; and uses or disclosures that are required for compliance with the Privacy Rule.
  • 14. Administrative Requirements • Privacy Personnel Designations • Privacy Training • Administrative Safeguards • Complaint Handling • Workforce Member Sanctions • Mitigation • Retaliation • Waiver of Rights • Privacy Policies
  • 15. HITECH: Enforcement (Section 1176(a)(1))
    Violation Category | Each Violation | All Such Violations of an Identical Provision in a Calendar Year
    (A) Did Not Know | $100 - $50,000 | $1,500,000
    (B) Reasonable Cause | $1,000 - $50,000 | $1,500,000
    (C)(i) Willful Neglect – Corrected | $10,000 - $50,000 | $1,500,000
    (C)(ii) Willful Neglect – Not Corrected | $50,000 | $1,500,000
    • Note: State Attorneys General can also bring enforcement actions.
    • OCR has collected over $50 million from enforcement
    • It is more cost effective to become HIPAA compliant than to risk enforcement
  • 16. Enforcement (cont.) US Code Title 42 Chapter 7 – 1320d-6 • Wrongful disclosure of individually identifiable health information • Offense: A person who knowingly and in violation of this part– Uses or causes to be used a unique health identifier; – Obtains individually identifiable health information relating to an individual; or – Discloses individually identifiable health information to another person A person described … shall— • (1) be fined not more than $50,000, imprisoned not more than 1 year, or both; • (2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and • (3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.
  • 17. Privacy Rule vs. Security Rule
    Privacy Rule: Implement certain appropriate and reasonable safeguards to secure Protected Health Information (PHI): – Administrative – Physical – Technical
    Security Rule: Intended to protect Electronic Protected Health Information (EPHI); secure the confidentiality, integrity, and availability while allowing authorized use and disclosure: – Administrative – Physical – Technical. More detailed and comprehensive.
  • 18. Required vs. Addressable • Addressable is NOT the same as optional! • Addressable means the entity must: – Perform an assessment to determine whether the implementation specification is a reasonable and appropriate safeguard for implementation in the entity’s environment – Decide whether to implement the addressable specification as-is, implement an equivalent alternative that still allows compliance, or not implement either one – Document the assessments and all decisions
  • 19. Omnibus Rule • Effective: March 26, 2013 – 180 days to comply – deadline September 23, 2013 – Modifies Privacy, Security, Enforcement Rule, and Breach Notification Rules • Business Associates (and subcontractors of a BA) are now directly liable for compliance – minimum necessary applies – Limit use/disclosure for marketing/fundraising; prohibit sale of PHI – Individuals have right to electronic copies of health information – Right to restrict disclosure for ‘out-of-pocket’ payments – Modify authorization for proof of immunization to schools – Enable access to decedent information (after 50 years)
  • 20. Omnibus Rule (cont.) • Enforcement Rule – Increased tiers for Civil Monetary Penalties (CMP); ‘willful neglect’ • Breach Notification – Removes ‘harm’ threshold; an impermissible use or disclosure of PHI is presumed a breach unless a risk assessment demonstrates a low probability that the PHI has been compromised • Privacy Rules – includes protection of genetic information • De-Identification - guidance
  • 21. Meaningful Use • Centers for Medicare & Medicaid Services (CMS) provides incentives (i.e. $) for the use of Electronic Health Record (EHR) Technologies • Since January 2011, an estimated $17 billion has been paid out in meaningful use incentives. • Stage 1: 15 core objectives to meet – Core 15 – determines if a security risk analysis was conducted or reviewed as required under 45 CFR 164.308(a)(1) – In addition, security updates must be implemented • Stage 2 – Ensure adequate privacy and security protection for personal health information (same as Core 15 above); ALSO addresses the encryption/security of data stored within the EHR software – Use secure electronic messaging to communicate with patients on relevant health information
  • 23. “The state of technology security overall is so weak that intelligence officials see hacking as one of the largest threats to western powers.” (Menn 2011)
  • 24. Importance of Security • In January 2012, Former FBI Director Robert Mueller testified before the Senate Select Committee on Intelligence explaining that cyber-threats would surpass terrorism as the nation’s top concern. • Norton AV: 141 victims of cybercrime per minute • Total bill of cybercrime is $139 billion in US ($388 billion globally) • Gartner: Less than 1% of cybercriminals are arrested • OCR – since September of 2009, – 804 incidents affecting – 29.3 Million individuals. • Ponemon: The impact of medical identity theft crimes is close to $31 billion a year
  • 25. State of Security - Recent Ponemon Institute Survey • Small companies realize vulnerabilities, but few fully appreciate ramifications – More worried about time/productivity lost than loss of customers or business partners, or damage to reputation and increased cost of winning new prospects – Misconceptions of consequences prevent mitigation • Insufficient people resources – 64% • Lack of in-house skilled or expert personnel – 55% • Lack of central accountability – 50% • Top 3 Threats – Proliferation of unstructured data – 69% – Unsecure third parties including cloud providers – 65% – Not knowing where all sensitive data is located – 62% • Results indicate that companies tend to seriously underestimate potential damage and reveal a great data breach perception gap
  • 26. Healthcare Security • Target: healthcare information – Insurance Information: Able to resell access to people who don’t have insurance – Access to prescription drugs • Survey: 600 healthcare executives – 50% reported a privacy/security related issue over last 2 years – 75% already sharing patient data (studies, post-market drug analysis, new medical programs) – Only 50% addressing security issues • Hospital Management Systems (HMS) Survey – 53% conducted mandatory risk assessment – 58% had no dedicated staff – 50% spend less than 3% of their resources on security
  • 27. Data Breach Study • Causes: – 50% hacking – 49% malware – 29% physical – 17% abuse of privileges – 11% social engineering • Participants: 45% of large companies had staff that leaked data (46% of these were very/extremely serious) – 92% external – 17% insider
  • 28. According to a report from PricewaterhouseCoopers, LLP (PwC), “Electronic health data breaches are increasingly carried out by ‘knowledgeable insiders’ bent on identity theft or access to prescription drugs.” (Eisenberg 2011)
  • 29. Costs Data security breaches cost US healthcare industry $6.5 billion annually – 75% lack adequate funding – 48% of organization spend less than 10% of annual budget on security • Five categories: – Legal/Regulatory – fines/penalties, lawsuits – Financial – business distraction, remediation, communication, insurance, changing vendors – Operational – recruiting new hires, reorganization – Clinical – diagnosis delays, processing fraud, research – Reputational – loss of future patients, business partners, staff losses
  • 30. Medical Identity Theft
    • Unaware of seriousness
    • Fairly easy
    • Victims tend to be older
    • Hard to determine when crime occurred
    • Share medical information with family
  • 31. Larry Ponemon, Chairman and Founder of the Ponemon Institute stated, “Our study shows that the risk and high cost of medical identity theft are not resonating with the public, revealing a serious need for greater education and awareness.”
  • 32. Breach Notification Rule • Breach is defined as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [45 CFR Subpart E – Privacy of Individually Identifiable Health Information] of this part which compromises the security or privacy of the protected health information [or poses a significant risk of financial, reputational, or other harm to the individual].” • Ponemon Survey: – Overall Cost $188 per record (2012) • Healthcare $233 per record (2012) • Pharmaceutical $207 per record (2012) – Full cost of a data breach averages $5.4 million (includes account detection, notification, postresponse and loss of business)
  • 33. Lessons Learned from Breach • Determine security posture • Assume ALL portable devices contain sensitive information • Set expectations of contractors • Security incident handling • Don’t underestimate burden of incident • Keep logs • Take responsibility for your actions (both individually and as an organization)
  • 34. Important Requirements • Administration – Security Management Process • Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review – Security Awareness Training – Security Incident Procedures – Contingency Planning • Physical – Workstation, Device, Remote Access • Technical – Access Control, Integrity, Transmission
  • 36. Administrative Safeguards
    • Over ½ of the HIPAA Security requirements are covered under the Administrative Safeguards
    • Administrative Safeguards are:
      – Administrative actions
      – Policies/Procedures
    • To manage security, must measure the:
      – Selection of mitigating controls
      – Development of controls accordingly
      – Implementation of controls
      – Maintenance of controls
  • 37. Security Management • Must “implement policies and procedures to prevent, detect, contain, and correct security violations.” – Conduct a Risk Assessment • Risk Analysis – “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the health center.” • Risk Management - “implement security measures [that are] sufficient to reduce risks [to] vulnerabilities to a reasonable and appropriate level.”
  • 38. Sanction Policy • “apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.” • Sign a statement of adherence to security policy/procedures
  • 39. Information System Activity Review • “regularly review records of information system activities.” – Audit logs – Access reports – Security incident tracking reports • Identify audit/activity review functionality • Can they be adequately used to monitor • Policy to establish review – procedures to follow
  • 40. Assigned Security Responsibility • Security Official required • The Security Official is “responsible for the development and implementation of the [security] policies and procedures required by [the Security Rule].”
  • 41. Workforce Security • Covered entities and business associates must “implement [adequate] policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information.”
  • 42. Authorization and/or Supervision • There should be adequate implementation of “procedures for the authorization and/or supervision of workforce members who work with electronic protected health information.” – Identify Roles – Based on roles, provide appropriate access levels • Workforce Clearance • Termination Procedures
  • 43. Information Access Management • “implement [adequate] policies and procedures for access authorization to electronic protected health information that are consistent with the applicable [Privacy Rule requirements].” • Develop classification of information – Protected Health Information – Confidential Information – Business Sensitive – Public Information
  • 44. Security Awareness Training • A health center should provide adequate security awareness training to all members of its workforce including management or executive level personnel. – Security Reminders - “periodic security updates” – Protection from Malicious Software - There should be adequate procedures in place for “guarding against” malicious software.
  • 45. Log-in Monitoring
    • To verify that appropriate access is being maintained, the covered entity/business associate should have adequate procedures in place to monitor any log-in attempts.
    • No Expectation of Privacy
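As an added example (not part of the webinar slides), here is one way a health center could turn the Information System Activity Review and Log-in Monitoring requirements into a repeatable check: a small review script run over audit-log lines. The log format, the thresholds and the sample lines are all constructed assumptions; the Security Rule leaves those choices to the covered entity's risk analysis.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample audit-log lines in a hypothetical format:
#   ISO timestamp, username, event, patient id or "-", source address
SAMPLE_LOG = """\
2014-02-20T08:02:11 jsmith LOGIN_OK - 10.0.5.21
2014-02-20T08:05:40 jsmith VIEW_RECORD P10231 10.0.5.21
2014-02-20T02:14:07 rjones LOGIN_OK - 10.0.7.9
2014-02-20T02:15:30 rjones VIEW_RECORD P20044 10.0.7.9
2014-02-20T12:00:01 mdoe LOGIN_FAIL - 203.0.113.8
2014-02-20T12:00:05 mdoe LOGIN_FAIL - 203.0.113.8
2014-02-20T12:00:09 mdoe LOGIN_FAIL - 203.0.113.8
2014-02-20T12:00:13 mdoe LOGIN_FAIL - 203.0.113.8
2014-02-20T12:00:17 mdoe LOGIN_FAIL - 203.0.113.8
2014-02-20T12:00:21 mdoe LOGIN_OK - 203.0.113.8
2014-02-20T14:10:00 aclerk VIEW_RECORD P30001 10.0.5.40
2014-02-20T14:10:20 aclerk VIEW_RECORD P30002 10.0.5.40
2014-02-20T14:10:41 aclerk VIEW_RECORD P30003 10.0.5.40
2014-02-20T14:11:03 aclerk VIEW_RECORD P30004 10.0.5.40
2014-02-20T14:11:25 aclerk VIEW_RECORD P30005 10.0.5.40
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse(text):
    """Yield (timestamp, user, event, patient, source) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            yield (ts,) + m.groups()[1:]


def review(text, fail_threshold=5, work_hours=(7, 19), bulk_threshold=5):
    """Return review findings as (kind, user, detail) tuples.

    The thresholds are assumed values for this example; a health center
    would set them from its own risk assessment.
    """
    fails = Counter()            # (user, source) -> failed log-in count
    records = defaultdict(set)   # user -> distinct patient records viewed
    findings = []
    for ts, user, event, patient, source in parse(text):
        if event == "LOGIN_FAIL":
            fails[(user, source)] += 1
        elif event == "LOGIN_OK" and fails[(user, source)] >= fail_threshold:
            # Success right after a burst of failures: review this account
            findings.append(("login_burst", user, source))
        if event == "VIEW_RECORD":
            if not work_hours[0] <= ts.hour < work_hours[1]:
                findings.append(("after_hours", user, patient))
            records[user].add(patient)
    for user, seen in records.items():
        if len(seen) >= bulk_threshold:   # unusually broad record access
            findings.append(("bulk_access", user, len(seen)))
    return findings
```

Each finding is a starting point for the human review the slide calls for, not a conclusion; the Sanction Policy and Security Incident procedures decide what happens next.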
  • 46. Password Management • Procedures in place for “creating, changing, and safeguarding passwords”. – Use unique, complex passwords – Commit passwords to memory – Do NOT write passwords down in unsecured locations – Do NOT share passwords with anyone – Authenticate Users
  • 47. Security Incident • Security incidents are those situations where it is believed that protected health information has been used or disclosed in an unauthorized fashion. – Actual unauthorized access, use, or disclosure – Interference with system operations (Denial of Service) • According to a report by Solutionary, a security service provider, companies incur costs of $6,500 an hour from a DDoS attack and up to $3,000 a day to mitigate/recover from malware infections.
  • 48. Contingency Plan • Need to be able to sustain or resume business during or after an emergency. • Implement adequate policies and procedures, as needed, to respond to emergency or other situations that could cause damage to systems that contain electronic protected health information. – Fire – Vandalism – System Failures – Natural Disasters
  • 50. Physical Safeguards – First Layer of Defense
    • Physical Layer
      – Controls over physical access
      – Procedures and maintenance of documents/hardware
    • Two Areas:
      – Facility Access Control
      – Device/Media Controls
    • Physical security requires a total commitment to a CULTURE of security and an adherence to the principles of physical security.
      – Proper Identification
      – Proper Authorization
      – Need to Know; Minimum Use
    “60% of all theft is committed by internal staff”
  • 51. Facility Access Control • Policies/Procedures – Cover all staff members, visitors, and business associates, contractors, subcontractors, (anyone entering facility) The goal of physical and environmental protection is to secure protected health information along with the security of the facility and workforce members working within the facility.
  • 52. Workstation Use • Asset Inventory – can’t protect what you don’t know you have – Includes workstations, laptops, PDAs, tablets, smart phones, printers, typewriters, etc. • Minimum Necessary Rule applies – Physical Controls to lock down mobile devices – Technical Controls to restrict devices/users – Restricted access to the Internet
  • 53. Device and Media Controls • Hardware and electronic media includes: – Hard drives; – Magnetic tapes or disks; – Optical disks; – Digital memory cards; – Removable thumb drives; or – Any other items that may contain electronic protected health information.
  • 55. Remote Use and Mobile Device “There have been a number of security incidents related to the use of laptops, other portable and/or mobile devices and external hardware that store, contain or are used to access Electronic Protected Health Information (EPHI) under the responsibility of a HIPAA covered entity. All covered entities are required to be in compliance with the HIPAA Security Rule, which includes, among its requirements, reviewing and modifying, where necessary, security policies and procedures on a regular basis. This is particularly relevant for organizations that allow remote access to EPHI through portable devices or on external systems or hardware not owned or managed by the covered entity.” (The Department of Health and Human Services 2006)
  • 56. Social Engineering
    “any act that influences a person to take an action that may or may not be against their best interest.”
    Examples
  • 57. Tips to Avoid SE
    1. Learn to Identify Social Engineering Attacks
    2. Security Awareness Should Be Personal and Interactive
    3. Understand the Value of the Information They Possess
    4. Updates are essential
    5. Develop Scripts
    6. Have and Learn from Social Engineering Assessments
    Credit – Chris Hadnagy, Social Engineering: The Art of Human Hacking
  • 58. Personnel Security
    • Be Aware of Surroundings
    • Attempt to travel in groups and not alone
    • Stay in lighted areas
    • Take different routes; change up routine
    • Out of Town Travel
      – Stay at reputable hotels
      – Take special care and control over equipment/information
      – Key cards (magnetic swipes)
      – Door stops
      – Talking on phone
  • 59. Laws of Security • Law #1: If a malicious individual persuades a user to run his/her program on their computer, it is no longer their computer. • Law #2: If a malicious individual can alter the operating system of a user's computer, it is no longer their computer. • Law #3: If a malicious individual has physical access to a user's computer, it is no longer their computer. • Law #4: If a user allows a malicious individual to upload programs to their website, it isn't their website anymore. • Law #5: Strong security is always undermined by weak passwords.
  • 60. Laws of Security (cont.) • Law #6: Treat your system administrators well and make sure they can be trusted, since a computer is only as secure as the administrator makes it. • Law #7: The decryption key determines how securely your data is encrypted. (If you use a weak encryption algorithm or don't secure the keys, encryption is worthless.) • Law #8: Keep your virus scanners up to date since an old .dat file is just slightly better than having no virus scanner installed at all. • Law #9: It is very difficult to be anonymous in the real world and on the web. (Your behaviors will determine the level of privacy you will have.)
  • 61. Law #10: “Security is a process… NOT a product.” (– phrase coined by Bruce Schneier.)
  • 63. Technical Safeguards • The objective of these safeguards is to mitigate the risk of electronic protected health information being used or disclosed in an unauthorized manner. • CIA Triad – Confidentiality – Integrity – Availability
  • 64. Risk Assessment • The covered entity (and business associate) are required to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” Will discuss more in webinar 3
  • 65. Access Control • Allow access to only those that are authorized – Includes software programs – Data in databases • Controls on: – Workstations – Laptops – Servers – Network (through firewall/routers)
  • 66. Unique User Identification • Every workforce member must have a unique user identifier (i.e. username) when accessing information • Account Management Includes: – Account Establishment – Account Activation – Account Modification – Account Termination – Account Removal
  • 67. Emergency Access Procedure • Emergency procedures should contain methods of supporting continued operations in situations that affect normal operations. • It should be determined whether the information systems can fail over automatically to emergency configurations or whether a workforce member will have to configure these failover procedures manually.
  • 68. Automatic Logoff • Health centers should implement an automatic logoff of information systems after a period of workforce member inactivity. – Generally, 10 minutes • The automatic logoff feature should be activated on all workstations (and software) with access to electronic protected health information.
  • 69. Encryption/Decryption • A covered entity (and business associate) needs to identify or address all electronic protected health information that requires encryption so that it is restricted from access by individuals or other software programs that may not be granted access rights to this information. • Reasonable/Appropriate • State of Data – Stored – Processed – Transit
  • 70. Audit Controls • A health center is required to implement audit control mechanisms that are reasonably implemented to record and examine activity in information systems that contain or use electronic protected health information. – Established by risk assessment – Can take up a lot of hard drive space – Need to be flexible, but account for important items – Need to be reviewed
  • 71. Integrity • Deals with alteration or modification of data • Awareness – Training – Audit Trails – Sanctions • Risk Assessment identifies possible unauthorized modification areas • Backups
  • 72. Authentication • An authorized individual is required to present something that only they would know prior to gaining access; • An authorized individual is required to present something that only they would have prior to gaining access; or • The authorized individual is presenting something unique to only that individual prior to gaining access.
  • 73. Transmission Security • A health center needs to implement adequate technical security measures to guard against unauthorized access to electronic protected health information being transmitted over an electronic communications network. • Restrict certain protocols (SNMP, Finger, TFTP)
  • 74. “Results require action, not excuses!” – Amy Cotta
  • 76. Business Associates • Omnibus Rule: – Directly liable – Implement administrative, physical, and technical safeguards to protect CIA of EPHI – BA is any organization that creates, receives, maintains, or transmits PHI on health center’s behalf • Any agent, or subcontractor of BA is also considered a BA – Agent must enter into a BAA with subcontractor to comply with HIPAA Security Rules and applicable Privacy Rules
  • 77. Examples of Business Associates
    • Companies that provide certain types of functions, activities, and services to covered entities.
      – Claims Processing;
      – Data Analysis;
      – Utilization review;
      – Billing;
      – Legal Services;
      – Accounting/financial services;
      – Consulting;
      – Administrative;
      – Accreditation; or
      – Other related services
    • Omnibus Rule added:
      – Patient Safety Organizations
      – Health Information Organizations, E-Prescribing Gateways, other data transmission services that require routine access
      – Persons that offer personal health records to one or more individuals on behalf of health center
  • 78. Business Associate • As required by 45 CFR § 164.308(b)(1), a covered entity should obtain “satisfactory assurance” that their business associates will “appropriately safeguard the electronic protected health information created, received, maintained, or transmitted on the covered entity’s behalf.” • Although ‘satisfactory assurance’ is met through a ‘written contract or other arrangement’, it is recommended that the same level of due diligence met by the covered entity to secure electronic protected health information is being met by the business associate. – Omnibus Rule
  • 79. Business Associate Contracts • BA agrees to not use/disclose PHI other than permitted (explain what is permitted) • Use appropriate safeguards • Ensure subcontractors agree to same restrictions/safeguards • Availability to health center • Additional amendments • Accounting of disclosures • Make practices available to Secretary of HHS for purposes of determining compliance
  • 80. Business Associate Contracts (cont.) • Report any security incident – Omnibus Rule: reporting of breaches of unsecured protected health information • Termination Clause – Omnibus Rule: BA is obligated to follow standards under HIPAA Security Rule, must also follow applicable HIPAA Privacy Rules • Consider costs of a breach • Consider right to audit
  • 81. Summary
    • Assume Audit will happen
    • Conduct Risk Assessment
    • Update Policies/Procedures
    • Revise BAAs and conduct Due Diligence
    • Train and Educate
    • Evaluate
    • Document, Document, Document
  • 82. Service Offerings • HIPAA Compliance Program • HIPAA/HITECH Information Systems Security Risk Assessment • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Internal/External Vulnerability/Penetration Test • Organizational Requirements • Policies, Procedures, & Documentation Requirements • Policies/Procedures • Security Awareness Training • Mitigation Management • Vendor Due Diligence • Security Incident Response Handling • Business Continuity/Disaster Recovery Planning • Subject Matter Expertise
  • 84. in partnership with
    Thursday, March 6, 2014, 2pm – 3pm EST
    MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessment Series
    Webinar 3: Meaningful Use Requirements for FQHCs from the Security Risk Aspect

Editor's notes

  1. There has been a total of $572 M paid to MI providers. Approximately ¾ are Medicare; ¼ are Medicaid. Data from www.dashboard.healthit.gov