Understanding Your Cloud Service Provider’s BAA

Healthcare organizations cite “willingness to sign a BAA” as their top consideration when evaluating cloud service providers (CSPs). But what are you really signing up for when you execute your CSP’s BAA? Are you getting the protection your organization needs? Steve Yoost, General Counsel of HOSTING, discusses how to ensure your BAA safeguards your PHI and meets your HIPAA compliance needs.

Published in: Technology

  1. Understanding Your CSP’s BAA
  2. Housekeeping
     • This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
     • Please submit questions via the button on the upper left of the viewer
     • If we don’t get to your question during the webinar, we will follow up with you via email
     • Download related resources via the “Attachments” button above the viewing panel
     • On Twitter? Join the conversation: @HOSTINGdotcom
  3. HOSTING Overview
     • Figures shown on the slide: 3, 6, 400, 380 Employees, Independent Audits In 2014, US-based Datacenters
     • SOC 2 Type II, SOC 3 Certified, HIPAA Compliant
     • 180 Healthcare Customers
     • 1st CHIME Launch Partner
     • CHIME Technologies Cooperative Member Services Program
  4. HOSTING and CHIME
     • For more info, visit http://www.hosting.com/chime/ in the “Attachments” section.
  5. Introduction
  6. Learning Objectives
     • Discuss three actions to take before signing a BAA
     • Identify key terms that every BAA should have
     • Describe terms and loopholes to avoid in a BAA
  7. HIPAA Basics: Omnibus Rule
     • Requires the protection and confidential handling of protected health information (PHI)
     • Omnibus Rule (amendment) to HIPAA:
       • January 2013 passage
       • Subsequent compliance roll out
     • Impact of Omnibus Rule with regard to third party providers:
       • Requires compliance from an entity that “creates, receives, maintains, or transmits PHI on behalf of customers that are health care providers, health plans, or health care clearinghouses”
  8. HIPAA Basics: CEs and BAs
     • “Covered Entities”
       • Health care providers, health plans, and health care clearinghouses
       • Examples: physicians, hospitals, health insurance companies, healthcare billing services, value-added healthcare networks
     • “Business Associates”
       • Entities that create, receive, maintain, or transmit PHI on behalf of Covered Entities
       • Examples: records storage companies, data analysis companies, hosting providers
  9. HIPAA Basics: CEs and BAs
     • “Business Associates” Exceptions:
       • “Janitor Clause” – organizations whose functions or services do not involve the use or disclosure of protected health information, and where any access to PHI would be incidental, if at all
       • “Conduit Clause” – organizations that merely act as a conduit for protected health info
  10. HIPAA Basics: PHI
     • “PHI”
       • Information that (1) is created or received by a health care provider, health plan, or health care clearinghouse; (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (3) identifies or could be used to identify the individual
       • Examples: name, address, dates (birthdate, admission date, release date, etc.), phone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and license plate numbers, URLs, IP address numbers, biometric identifiers, and photographs
  11. HIPAA Basics: Compliance
  12. HIPAA Basics: Compliance
     1. HIPAA Security Rule
     2. HIPAA Privacy Rule
     3. HIPAA Data Breach Notification Rule
     4. Business Associate Agreements (BAAs)
  13. What is a BAA?
     • Contract that creates obligations between parties:
       • Business Associates and Covered Entities
       • Business Associates and Subcontractors
     • Purpose: ensure the parties have obligations to treat PHI in compliance with HIPAA
     • Required by HIPAA under certain circumstances
  14. Two Kinds of BAAs
     1. Between Covered Entities and Business Associates
     2. Between Business Associates and Subcontractors
  15. Three Things to Do before Signing a BAA
     1. Assess your Risk
     2. Assess your BAA
     3. Assess your Business Associate
  16. Three Things to Do before Signing a BAA: Assess Your Risk
     1. Internal compliance
     2. HIPAA compliance
     3. Legal risk
     4. Data breach expense
  17. Three Things to Do before Signing a BAA: Assess Your BAA
     1. Use a compliant BAA
     2. Use the right kind of BAA
     3. Ensure flow-down
  18. Three Things to Do before Signing a BAA: Assess Your Business Associate
     1. Certification
     2. Guarantees
     3. Check the breach list (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
     4. Insurance
  19. Key BAA Terms
     • Preamble
     • Section 1: Definitions
       • Taken from HIPAA
     • Section 2: What Business Associate will and will not do
       • Ex: use and disclosure restrictions, safeguards, notice
     • Section 3: What Covered Entity will and will not do
       • Ex: compliance with law, notice of changes
     • Section 4: Term and Termination
       • At end, return or destroy PHI; if keep, maintain protections
     • Section 5: Miscellaneous
  20. BAA Loopholes
     • Additional subcontracting
     • BAAs with extraneous provisions
  21. HHS Form of BAA
     See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
     Business Associate Contracts – SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013)
     Introduction: A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information…
  22. Further Considerations
  23. Learning Objectives
     • Discuss three actions to take before signing a BAA
     • Identify key terms that every BAA should have
     • Describe terms and loopholes to avoid in a BAA
  24. Q&A
     Steve Yoost | General Counsel, HOSTING
     For more information about services by HOSTING, please contact our team at 888.894.4678.
