Business Associate Assurance: What Covered Entities Need to Know


Have you identified your key business associates handling e-PHI that you create, receive, maintain or transmit?
Do you review your contract periodically with your key business associates?
Do you have a right-to-audit clause, or do you require your business associates to follow certain minimum security controls and best practices?
One of the most challenging issues for health care organizations is ensuring business associates can be trusted with ePHI (electronic Protected Health Information). Of the 11 million people affected by reportable data breaches between September 2009 and June 2011, 6 million, or 55%, were affected by data breaches involving business associates, according to the federal government. This 50-minute webinar helps the audience to learn assessment strategies a covered entity needs to institute to manage business associates.
Learn more about business associate assessment and engagement best practices by attending our webinar.
  1. Business Associate Assurance: What covered entities need to know
  2. Webinar Objective: Understand the risks associated with business associates and implement the steps required to mitigate the risks to secure Protected Health Information (PHI). E-mail:
  3. Who are we … EHR 2.0 Mission: To assist healthcare organizations to develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.
       • Education (Training, Webinar & Workshops)
       • Consulting Services
       • Toolkit (Tools, Best Practices & Checklist)
     Goal: To make compliance an enjoyable and painless experience, while building capability and confidence.
  4. Glossary
       • PHI: Protected Health Information
       • HHS: Health and Human Services
       • OCR: Office for Civil Rights
       • CIA: Confidentiality, Integrity and Availability
       • HIE: Health Information Exchange
       • HITECH: Health Information Technology for Economic and Clinical Health Act
  5. The American Recovery and Reinvestment Act of 2009 and HITECH
  6. HITECH modifications to HIPAA
       • Creating incentives for developing a meaningful use of electronic health records
       • Changing the liability and responsibilities of Business Associates
       • Redefining what a breach is
       • Creating stricter notification standards
       • Tightening enforcement
       • Raising the penalties for a violation
       • Creating new code and transaction sets (HIPAA 5010, ICD10)
  7. BA Applicability and Penalties
  8. BA Contracts Required
  9. Business Associate Audit by OCR
  10. HITECH Requirements (BA Impact)
       • New Privacy Requirements for Business Associates: i. Breach notification; ii. Use and disclosure limitations apply directly to business associates; iii. Minimum necessary principle applies directly, must use limited datasets
       • Increased Penalties
       • Business Associates Directly Liable for Violations
       • Business Associate Agreements Must be Amended
       • Business Associates Must Impose Same Requirements on Sub-contractors that Access PHI
  11. What Is a "Business Associate"? A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate.
  12. Examples of a Business Associate
       • A third party administrator that assists a health plan with claims processing.
       • A CPA firm whose accounting services to a health care provider involve access to protected health information.
       • An attorney whose legal services to a health plan involve access to protected health information.
  13. Examples of No Business Associate Relationship: Physician Services; Nursing Services; Laboratory Services; Radiology Services; Physical Therapy; Occupational Therapy; Bank Services; Courier Services
  14. Responsibilities, Obligations and Duties of BA
       • Must comply with HIPAA
       • May not use or disclose PHI
       • Minimum necessary use
       • Breach Notification to CE and HHS
       • Direct civil and criminal liability
  15. Business Associate Scope (diagram linking Covered Entity, BA and HHS/OCR): BA Contract; HIPAA Privacy and Security Rule; Breach Notification; Minimum Necessary; Breach Notification; Sub-contractors
  16. HIPAA Titles - Overview
  17. HIPAA Security Rule
  18. Information Security Model
       • Confidentiality: Limiting information access and disclosure to authorized users (the right people)
       • Integrity: Trustworthiness of information resources (no inappropriate changes)
       • Availability: Availability of information resources (at the right time)
  19. PHI (nested diagram): Health Information; Individually Identifiable Health Information; PHI
  20. ePHI – 18 Elements (Element: Example)
       • Name: Max Bialystock
       • Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code): 1355 Seasonal Lane
       • Dates related to an individual: Birth, death, admission, discharge
       • Telephone numbers: 212 555 1234 (home, office, mobile etc.)
       • Fax number: 212 555 1234
       • Email address: personal, official
       • Social Security number: 239-68-9807
       • Medical record number: 189-88876
       • Health plan beneficiary number: 123-ir-2222-98
       • Account number: 333389
       • Certificate/license number: 3908763 NY
       • Any vehicle or other device serial number: SZV4016
       • Device identifiers or serial numbers: Unique medical devices
       • Web URL: www.rickymartin.com
       • Internet Protocol (IP) address numbers
       • Finger or voice prints: finger.jpg
       • Photographic images: mypicture.jpg
       • Any other characteristic that could uniquely identify the individual
  21. Criteria for Business Associates
       • Corporate size
       • Volume of data accessed
       • Number of facilities serviced
       • Type of services provided
       • Complexity of services provided
       • Location
       • Previous data breaches, complaints or incidents involving BA
  22. BA Engagement Best Practices (Requirement: Tier 1 / Tier 2 / Tier 3)
       • Right to Audit & Review: Yes / May be / No
       • Baseline Security Controls: Yes / No / No
       • Standards and Certification Clause: Yes / Yes / Yes
       • Contract Review: Every 6 months or any major change / Every year / Every year
       • Breach Notification: Stringent / Standard / Standard
       • Training and Education: Yes / Yes / Yes
       • Periodic Risk Assessment: Yes / May be / N/A
  23. HIPAA Security Rule (table columns: HIPAA Section; Standard / Implementation Specification; Implementation Requirement; Description; Solution; Yes/No/Comments, left blank for the assessor)
       • 164.308(a)(1)(i) Security Management Process (Required): Policies and procedures to manage security violations
       • 164.308(a)(1)(ii)(A) Risk Analysis (Required): Conduct vulnerability assessment. Solution: Penetration test, vulnerability assessment
       • 164.308(a)(1)(ii)(B) Risk Management (Required): Implement security measures to reduce risk of security breaches. Solution: SIM/SEM, patch management, vulnerability management, asset management, helpdesk
       • 164.308(a)(1)(ii)(C) Sanction Policy (Required): Worker sanction for policies and procedures violations. Solution: Security policy document management
       • 164.308(a)(1)(ii)(D) Information System Activity Review (Required): Procedures to review system activity. Solution: Log aggregation, log analysis, security event management, host IDS
       • 164.308(a)(2) Assigned Security Responsibility (Required): Identify security official responsible for policies and procedures
       • 164.308(a)(3)(i) Workforce Security (Required): Implement policies and procedures to ensure appropriate PHI access
       • 164.308(a)(3)(ii)(A) Authorization and/or Supervision (Addressable): Authorization/supervision for PHI access. Solution: Mandatory, discretionary and role-based access control: ACL, native OS policy enforcement
       • 164.308(a)(3)(ii)(B) Workforce Clearance Procedure (Addressable): Procedures to ensure appropriate PHI access. Solution: Background checks
       • 164.308(a)(3)(ii)(C) Termination Procedures (Addressable): Procedures to terminate PHI access. Solution: Single sign-on, identity management, security policy document management, access controls
       • 164.308(a)(4)(i) Information Access Management (Required): Policies and procedures to authorize access to PHI
       • 164.308(a)(4)(ii)(A) Isolation Health Clearinghouse Functions (Required): Policies and procedures to separate PHI from other operations. Solution: Application proxy, firewall, mandatory UPN, SOCKS
       • 164.308(a)(4)(ii)(B) Access Authorization (Addressable): Policies and procedures to authorize access to PHI. Solution: Mandatory, discretionary and role-based access control
       • 164.308(a)(4)(ii)(C) Access Establishment and Modification (Addressable): Policies and procedures to grant access to PHI. Solution: Security policy document management
       • 164.308(a)(5)(i) Security Awareness Training (Required): Training program for workers and managers
       • 164.308(a)(5)(ii)(A) Security Reminders (Addressable): Distribute periodic security updates. Solution: Sign-on screen, screen savers, monthly memos, e-mail, banners
  24. BA Risk Assessment Questionnaire
  25. Trends in Healthcare IT: Informatics; Collaboration; Mobile Computing; EHR; HIE
  26. Handheld Usage in Healthcare
       • 25% usage with providers
       • Another 21% expected to use
       • 38% of physicians use medical apps
       • 70% think it is a high priority
       • 1/3 use hand-held devices for accessing EMR/EHR
     Source: CompTIA 2011 Survey
  27. EMR and EHR systems
  28. Health Information Exchange (HIE)
  29. Cloud-based services
       • Deployment models: Public Cloud; Private Cloud; Hybrid
       • Service examples: EHR Applications; Private-label e-mail; Archiving of Images; File Sharing; On-line Backups
       • Assessment and Agreement with your Cloud Service Providers
       • "Cloud Computing is taking all batch processing and farming it out to huge central or virtualized computers."
  30. Informatics
  31. Top 5 Recommendations
       1. Ensure encryption on all protected health information in storage and in transit (at least de-identification).
       2. Implement a mobile device security program.
       3. Strengthen information security user awareness and training programs.
       4. Ensure that business associate due diligence includes a clearly written contract and a periodic review of implemented controls.
       5. Minimize sensitive data capture, storage and sharing.
  32. Reported Breaches involving BAs
  33. Recent Resolution Agreement with HHS
  34. Key Takeaways
       • HITECH act treats business associates as a covered entity
       • Processing of PHI elements drives business associates' scope, agreement and assessment
       • Updated contract and risk assessment questionnaire (due diligence) is recommended
       • Periodic review of your top tier business associates and training requirements
  35. Additional Resources: HHS FAQ - ss_associates/index.html
  36. Next Steps
       • Business Associate Package: BA Risk Assessment Questionnaire; Sample Policies and Procedures; 4-hour Training/Consulting
       • Next Live Webinars: HIPAA/HITECH Security Assessment (5/2/2012); OCR/HHS HIPAA/HITECH Audit Preparation (5/9/2012). Sign-up at
       • Career Development: Send your resume to
  37. Questions? E-mail: Call: 802-448-2255
  38. Thank you!!