Business Associate Assessment, Agreement and Requirements

One of the most challenging issues for health care organizations is ensuring business associates can be trusted with PHI (Protected Health Information). Of the 11 million people affected by reportable data breaches between September 2009 and June 2011, 6 million, or 55%, were affected by data breaches involving business associates, according to the federal government. To review the list of breaches involving business associates published by HHS, see the latest data breach report: https://docs.google.com/spreadsheet/ccc?key=0ArhiA7aQWV1XdEFfNlNPTkxJbWxPbFJvY1d1ajJCOHc
Healthcare organizations often use the services of a variety of contractors and businesses. The HIPAA Privacy Rule, as amended by the HITECH Act, allows covered entities to disclose protected health information (PHI), limited to the minimum necessary, to these “business associates” if the covered entities obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the HIPAA Privacy Rule:

Have you identified your key business associates handling PHI that you create, receive, maintain or transmit?
Do you review your contract periodically with your key business associates?
Do you have the right to audit clause or require your business associate to follow certain minimum security controls and best practices?

EHR 2.0 provides consulting services, in partnership with leading law firms, to assess your business associates on several key factors:
Corporate size of the BA
Volume of data accessed by the BA
Number of facilities serviced by the BA
Type of services provided by the BA
Complexity of services provided by the BA
Location of the BA
Previous data breaches, complaints or incidents involving the BA
Our Business Associate Assessment and Monitoring services combine the factors above with the tiered requirements chart (slide 23 in the transcript below) to provide a periodic assessment report on your key business associates.


Who is a business associate?
A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
A member of the covered entity’s workforce is not a business associate.
Examples of a Business Associate
A third party administrator that assists a health plan with claims processing.
A CPA firm whose accounting services to a health care provider involve access to protected health information.
An attorney whose legal services to a health plan involve access to protected health information.
Examples of No Business Associate Relationship
If PHI is shared for treatment purposes, it’s not considered as business association relationship:
Physician Services
Nursing Services
Laboratory Services
http://ehr20.com/services/business-associate-assessment/

Transcript

  • 1. Business Associate Assessment
  • 2. Presenter’s Background
    Blair Jerome, PhD has worked in public and private education for over twenty years. Blair has designed and taught courses for both the IT and Pharmaceutical Industries. As an educational administrator Blair’s experience includes working with regulatory agencies and boards at the national, regional and state level. Blair understands how a changing audit landscape can impact planning, budgeting, and decision making throughout an organization.
  • 3. Who are we
    EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.
    - Education
    - Consulting
    - Toolkit (Tools, Best Practices & Checklist)
    Goal: To make compliance an enjoyable and painless experience
  • 4. Webinar Objective
    Understand and perform Business Associate Agreement & Assessment to secure Protected Health Information (PHI).
  • 5. Glossary
    1. PHI: Protected Health Information
    2. PHR: Personal Health Records
    3. HHS: Health and Human Services
    4. OCR: Office for Civil Rights
    5. HITECH: Health Information Technology for Economic and Clinical Health Act
  • 6. HITECH Act
    The Health Information Technology for Economic and Clinical Health (“HITECH”) provisions of the American Recovery and Reinvestment Act of 2009 (“ARRA”, also referred to as the “Stimulus Bill”) codify and expand on many of the requirements contained in the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its regulations to protect the privacy and security of protected health information (“PHI”).
  • 7. BA Applicability and Penalties (image slide)
  • 8. BA Contracts Required (image slide)
  • 9. Business Associate Audit by OCR (image slide)
  • 10. HITECH modifications to HIPAA
    - Creating incentives for developing a meaningful use of electronic health records
    - Changing the liability and responsibilities of Business Associates
    - Redefining what a breach is
    - Creating stricter notification standards
    - Tightening enforcement
    - Raising the penalties for a violation
    - Creating new code and transaction sets (HIPAA 5010, ICD-10)
  • 11. HITECH Requirements (BA Impact)
    New Privacy Requirements for Business Associates
    i. Breach notification
    ii. Use and disclosure limitations apply directly to business associates
    iii. Minimum necessary principle applies directly; a limited data set must be used where practicable
    - Increased penalties
    - Business Associates directly liable for violations
    - Business Associate Agreements must be amended
    - Business Associates must impose the same requirements on subcontractors that access PHI
  • 12. HITECH Requirements (BA Impact)
    Breach: According to HITECH, a breach is “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
    Three exceptions:
    - unintentional acquisition, access, or use of protected health information by a workforce member, made in good faith and within the scope of employment, and not further used or disclosed
    - inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access it at the same covered entity or business associate
    - the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information
  • 13. What Is a “Business Associate”?
    A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
    A member of the covered entity’s workforce is not a business associate.
  • 14. Examples of a Business Associate
    - A third party administrator that assists a health plan with claims processing.
    - A CPA firm whose accounting services to a health care provider involve access to protected health information.
    - An attorney whose legal services to a health plan involve access to protected health information.
  • 15. Examples of No Business Associate Relationship
    - Physician Services
    - Nursing Services
    - Laboratory Services
    - Radiology Services
    - Physical Therapy
    - Occupational Therapy
    - Bank Services
    - Courier Services
  • 16. Responsibilities, Obligations and Duties of BA
    - Must comply with the HIPAA Security Rule and the applicable provisions of the Privacy Rule
    - May not use or disclose PHI except as permitted or required by the business associate agreement or by law
    - Minimum necessary use and disclosure
    - Directly subject to civil and criminal liability
  • 17. Business Associate Cycle
    (diagram) Covered Entity -> Business Associate -> HHS/OCR, with subcontractors downstream of the BA. Labels on the arrows: BA Contract; HIPAA Privacy and Security Rule; Minimum Necessary; Breach Notification.
  • 18. HIPAA Titles - Overview (image slide)
  • 19. HIPAA Security Rule (image slide)
  • 20. Information Security Model
    - Confidentiality: limiting information access and disclosure to authorized users (the right people)
    - Integrity: trustworthiness of information resources (no inappropriate changes)
    - Availability: availability of information resources (at the right time)
  • 21. PHI
    (diagram) Nested sets: Health Information, within it Individually Identifiable Health Information, within that PHI.
  • 22. ePHI – 18 Elements
    Element | Example
    Name | Max Bialystock
    Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code) | 1355 Seasonal Lane
    Dates related to an individual | Birth, death, admission, discharge
    Telephone numbers | 212 555 1234 (home, office, mobile etc.)
    Fax number | 212 555 1234
    Email address | LeonT@Hotmail.com (personal, official)
    Social Security number | 239-68-9807
    Medical record number | 189-88876
    Health plan beneficiary number | 123-ir-2222-98
    Account number | 333389
    Certificate/license number | 3908763 NY
    Any vehicle or other device serial number | SZV4016
    Device identifiers or serial numbers | Unique medical devices
    Web URL | www.rickymartin.com
    Internet Protocol (IP) address numbers | 19.180.240.15
    Finger or voice prints | finger.jpg
    Photographic images | mypicture.jpg
    Any other characteristic that could uniquely identify the individual | (no example given)
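The practical test behind slide 22 is whether any of these elements survive in a record a BA receives. The scanner below is an added example written for this page, not code from the slides or from EHR 2.0: it finds the pattern-detectable elements (SSN, medical record number, e-mail, URL, IP address, phone/fax, dates, ZIP) in a constructed clinical note and redacts them. The regular expressions, the “MRN 189-88876” record-number format and the sample note are assumptions; names and street addresses have no reliable pattern and need a name dictionary or entity recognition, which is outside this example.

```python
"""Safe Harbor identifier scan over a constructed clinical note.

Added example for the 18-element list on slide 22; not code from the slides
or from EHR 2.0. The patterns, the 'MRN nnn-nnnnn' record-number format and
the sample note are all assumptions.
"""
import re
from typing import Dict, List, Tuple

# (Safe Harbor element, pattern). Order matters: each pattern runs on text
# already redacted by the ones above it, so the specific formats (SSN, MRN)
# go first and the loose ones (5-digit ZIP) last, which stops the ZIP rule
# from swallowing the tail of a medical record number.
IDENTIFIER_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("Social Security number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("Medical record number",  re.compile(r"\bMRN[:\s]*\d{3}-\d{5}\b")),  # assumed MRN format
    ("Email address",          re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("Web URL",                re.compile(r"\b(?:https?://|www\.)\S+\b")),
    ("IP address",             re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("Telephone/fax number",   re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b")),
    ("Date",                   re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
    ("ZIP code",               re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]

# Constructed sample note reusing the slide's example values.
SAMPLE_NOTE = (
    "Patient Max Bialystock, MRN 189-88876, admitted 03/14/2011. "
    "Home phone 212 555 1234, e-mail LeonT@Hotmail.com, SSN 239-68-9807. "
    "Portal login from 19.180.240.15; see www.example.org/chart for imaging. "
    "Lives at 1355 Seasonal Lane, ZIP 10001."
)


def scan(text: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (redacted_text, findings).

    findings maps each Safe Harbor element found to the literal strings
    matched; redacted_text has each match replaced by a bracketed tag so the
    note can still be read for its clinical content.
    """
    findings: Dict[str, List[str]] = {}
    for element, pattern in IDENTIFIER_PATTERNS:
        hits = pattern.findall(text)
        if hits:
            findings[element] = hits
            text = pattern.sub("[" + element.upper() + "]", text)
    return text, findings


def is_safe_harbor_clean(text: str) -> bool:
    """True when none of the pattern-detectable elements remain.

    Names and street addresses (elements 1 and 2 of the 18) are not covered
    by these patterns; a real de-identification pipeline adds a name
    dictionary or entity recognition for them.
    """
    return not scan(text)[1]


if __name__ == "__main__":
    redacted, found = scan(SAMPLE_NOTE)
    for element, hits in found.items():
        print(f"{element}: {hits}")
    print(redacted)
```

Run it on a sample of real records before trusting it on a feed: the ordering trick only resolves overlaps between the patterns listed here, and any new pattern added later must be slotted in by specificity.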
  • 23. Business Associate Requirement Chart
    Tier 1 carries the most requirements; tiers are assigned from the criteria on slide 24.
    Requirement | Tier 1 | Tier 2 | Tier 3
    Right to Audit & Review | Yes | Maybe | No
    Baseline Security Controls | Yes | No | No
    Standards and Certification Clause | Yes | Maybe | No
    Contract Review | Every 6 months or any major change | Every year | Every year
    Breach Notification | Stringent | Standard | Standard
    Training and Education | Yes | Yes | Yes
    Periodic Risk Assessment | Yes | Maybe | N/A
  • 24. Criteria for Business Associates
    - Corporate size of the BA
    - Volume of data accessed by the BA
    - Number of facilities serviced by the BA
    - Type of services provided by the BA
    - Complexity of services provided by the BA
    - Location of the BA
    - Previous data breaches, complaints or incidents involving the BA
  • 25. HIPAA Security Rule
    Columns: HIPAA section | Implementation specification | Requirement | Description | Solution. The slide also carries a Yes/No/Comments column, left blank for the assessed BA to fill in. The chart is an excerpt of the administrative safeguards (164.308) and stops at (a)(5)(ii)(A). “Addressable” does not mean optional: the BA must implement the specification or document why an alternative measure is reasonable and appropriate.
    164.308(a)(1)(i) | Security Management Process | Required | Policies and procedures to manage security violations |
    164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment | Penetration test, vulnerability assessment
    164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches | SIM/SEM, patch management, vulnerability management, asset management, helpdesk
    164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for policies and procedures violations | Security policy document management
    164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity | Log aggregation, log analysis, security event management, host IDS
    164.308(a)(2) | Assigned Security Responsibility | Required | Identify security official responsible for policies and procedures |
    164.308(a)(3)(i) | Workforce Security | Required | Implement policies and procedures to ensure appropriate PHI access |
    164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access | Mandatory, discretionary and role-based access control: ACL, native OS policy enforcement
    164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access | Background checks
    164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access | Single sign-on, identity management, security policy document management, access controls
    164.308(a)(4)(i) | Information Access Management | Required | Policies and procedures to authorize access to PHI |
    164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | Policies and procedures to separate PHI from other operations | Application proxy, firewall, mandatory VPN, SOCKS
    164.308(a)(4)(ii)(B) | Access Authorization | Addressable | Policies and procedures to authorize access to PHI | Mandatory, discretionary and role-based access control
    164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | Policies and procedures to grant access to PHI | Security policy document management
    164.308(a)(5)(i) | Security Awareness Training | Required | Training program for workers and managers |
    164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates | Sign-on screen, screen savers, monthly memos, e-mail, banners
  • 26. Sample Business Associate Agreement
    Send us an e-mail at info@ehr20.com for a sample BAA
  • 27. Trends in Healthcare IT
    - Informatics
    - Collaboration
    - Mobile Computing
    - EHR
    - HIE
  • 28. Handheld Usage in Healthcare
    - 25% usage with providers
    - Another 21% expected to use
    - 38% of physicians use medical apps
    - 70% think it is a high priority
    - 1/3 use hand-helds for accessing EMR/EHR
    Source: CompTIA 2011 survey
  • 29. EMR and EHR systems (image slide)
  • 30. Health Information Exchange (HIE) (image slide)
  • 31. Social Media
    - How does your practice use it?
    - How do your employees use it?
    - Do you have policies?
  • 32. Cloud-based services
    Deployment models: Public Cloud, Private Cloud, Hybrid
    Typical healthcare uses: EHR applications, private-label e-mail, archiving of images, file sharing, on-line backups
    HIPAA regulations remain barriers to full cloud adoption.
    Cloud computing is taking all batch processing and farming it out to huge central or virtualized computers.
  • 33. Informatics (image slide)
  • 34. Sample Risk Analysis Template
    Rows are impact, columns are likelihood.
    Impact \ Likelihood | High | Medium | Low
    High | Unencrypted laptop with ePHI | Lack of auditing on EHR systems | Missing security patches on web server hosting patient information
    Medium | Unsecured wireless network in doctor’s office | Outdated anti-virus software | External hard drives not being backed up
    Low | Sales presentation on USB thumb drive | Web server backup tape not stored in a secured location | Weak password on internal document server
  • 35. Top 5 Recommendations
    1. Ensure encryption of all protected health information in storage and in transit (or, at a minimum, de-identification).
    2. Implement a mobile device security program.
    3. Strengthen information security user awareness and training programs.
    4. Ensure that business associate due diligence includes a clearly written contract and a periodic review of implemented controls.
    5. Minimize sensitive data capture, storage and sharing.
  • 36. Key Takeaways
    - The HITECH Act makes business associates directly liable under the HIPAA Privacy and Security Rules, much as covered entities are
    - The PHI elements a business associate processes drive the scope of its agreement and assessment
    - An updated contract plus a controls assessment (due diligence) is the best practice for mitigating risk
    - Periodically review your top-tier business associates and their training requirements
  • 37. Additional Resources
    HHS FAQ - http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/index.html
  • 38. How can you help us?
    Follow us on social media: facebook.com/ehr20 (Like), linkedin.com/company/ehr-2-0 (Follow us), https://twitter.com/#!/EHR_20 (Follow)
    Next Webinar on HIPAA/HITECH Security Assessment (3/28): http://ehr20.com/services/
    We sincerely appreciate your referrals!
  • 39. Thank you!! Visit us at ehr20.com
