After the Omnibus Rule – Who Can Touch Your e-PHI
Using a 3rd Party Vendor to Outsource Your e-PHI
Chad Kissinger
Chad Kissinger is a Texas Internet pioneer. In 1994, Chad founded OnRamp as one of Texas’ first Internet operations companies that provided enterprises the ability to connect to and effectively utilize the Internet. Over the years, OnRamp (www.onr.com) has grown into a leading Data Center Operations company that delivers a full suite of services designed to help its customers effectively maintain the confidentiality, availability and integrity of their IT operations without the cost or effort of building and maintaining data center and IT infrastructure. Chad brings a wealth of experience, expertise and intimate knowledge in several areas of data center and Internet-related technology, including HIPAA compliance, cloud computing, data centers, virtualization and disaster recovery. Chad is a leader in the Internet community, and has been a founding member, President and Legislative Chair of the Texas Internet Service Provider Association. He is also a recognized expert on ISP issues and has testified in front of the Texas House of Representatives, the Texas Senate and the United States House Telecommunications Subcommittee on a variety of Internet-related topics.
Learning Objectives
1. This presentation is intended to promote an understanding of the recent changes required by the HIPAA Omnibus Rule and Texas HB 300 in regards to third party IT relationships. This is not a comprehensive HIPAA or Omnibus Rule primer.
2. The goal of this presentation is to elicit a discussion and answer questions about forming relationships with providers of data services that will support your e-PHI.
Perspective
• Lawyer
• Healthcare Provider
• Covered Entity
• Traditional Business Associate
• Data Center Providers, Cloud Providers, SaaS Providers, etc.
Overview
In the past, most providers of outsourced data services would execute Business Associate Agreements (BAAs) that required them to only take “reasonable” care in protecting the e-PHI they dealt with. Others declined to execute BAAs outright based on the conduit exception, a rule created for the US Postal Service and its electronic analogues – essentially an exception to HIPAA compliance for those who merely acted as a “conduit” for e-PHI. Covered Entities and their Business Associates wanted data service providers who would relieve them of their own responsibilities, and data service providers wanted no responsibility – but still wanted the business.

The HIPAA Omnibus Rule and TX HB300 have clarified the responsibilities of Covered Entities, Business Associates and their agents, with specific emphasis on the role of IT vendors. The conduit exception has been clarified to only apply to the USPS (FedEx, etc.) and Internet and telephone service providers. It does not apply to Business Associates who have persistent access to PHI.

The Omnibus Rule establishes direct liability for both the covered entity and the business associate, even in the absence of a BAA. Subcontractors of Business Associates who handle e-PHI are also Business Associates, and each link in the chain from the covered entity on down has responsibility for mistakes made “downstream”.

Now, more than ever, it is important for Covered Entities to seek out relationships with 3rd party vendors, and particularly IT vendors, who both understand the law, as outlined by HIPAA and HITECH, and are making a conscientious effort to achieve compliance under the HIPAA and HITECH Acts.

This presentation will cover the top issues Covered Entities and Business Associates should address when considering outsourcing the handling of patient data.
Glossary of Terms – Informal Definitions
Protected Health Information (PHI) – Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.
Electronic Protected Health Information (e-PHI) – PHI that is created, maintained or transmitted electronically.
Covered Entity – A covered entity under HIPAA is a Health Care Provider, Health Care Plan or Health Care Clearinghouse.
Business Associate – Any person or company, that is not a covered entity, that “creates, receives, maintains or transmits” PHI for a covered entity or business associate.
Business Associate Agreement – The agreement between a covered entity and a business associate, or between two Business Associates, that clearly defines the permitted uses of PHI and the roles and responsibilities of each regarding the protection of PHI.
Glossary of Terms – Informal Definitions (Continued)
Privacy Rule – The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
Security Rule – The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Glossary of Terms (Continued)
Breach Notification Rule – The requirement that Covered Entities and Business Associates notify patients when there has been an impermissible use or disclosure of protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. Breach Notification can be triggered by simply losing control of protected health information (PHI) or electronic protected health information (e-PHI), or by temporarily allowing others to have access to the PHI or e-PHI.
Status Quo Ante
Before HITECH, data centers and other service providers would sign Business Associate Agreements (BAAs) stating they would take “reasonable care”; others would claim the conduit exception.
Status Quo Ante (Continued)
• Customers (Covered Entities/Business Associates) - wary of outsourcing, or looked to providers that delivered services as “providing compliance.”
• Providers (should be Business Associates) - refused to acknowledge responsibility or assumed an industry standard of low responsibility for protection of data in the system.
• Custodians of e-PHI - either had to forgo the advantages of outsourcing or deal with the risk of using providers not focused on HIPAA.
Provider’s Existing Regulatory Environments
• Payment Card Industry (PCI)
• Gramm-Leach-Bliley Act (GLBA)
• SAS 70 (SSAE 16)
HITECH
HITECH established that Business Associates must comply with HIPAA and implement the specific protections contained in the Security Rule.
Texas Medical Records Privacy Act / HB300
• Anyone who possesses, stores or obtains PHI is considered a covered entity, i.e. Business Associate = Covered Entity.
• HB 300 established the requirement for role-based training.
The Final Omnibus Rule – The Role of Business Associates
• Business Associates are responsible for protecting PHI in their custody with or without a signed BAA (established direct liability).
• Business Associates are directly liable for their subcontractors’ protection of PHI.
• Covered Entities are directly liable for their Business Associates’ and their Business Associates’ subcontractors’ actions.
The Final Omnibus Rule – The Conduit Exception
The conduit exception is explicitly limited to the USPS and electronic analogues:
• The conduit exception does not apply to entities that have persistent access to PHI.
• Cloud computing and data center providers, etc. must comply with HIPAA, TMRPA and HB 300.
The Final Omnibus Rule – Additional Features
• Covered Entities must receive “satisfactory assurances” from their Business Associates that their PHI will be protected (i.e. that the BA will follow HIPAA) and that their business associate will get similar assurances from their subcontractors.
• “Risk of Harm” Standard for the Breach Notification Rule eliminated.
• Violations of the “minimum necessary” principle are regarded as security incidents that need to be properly evaluated for breach notification.
The Final Omnibus Rule – Risk Analysis: Breach or Security Incident
Covered Entities and Business Associates must conduct a risk analysis after a breach or security incident that examines the probability of exposure of the e-PHI, rather than addressing the level of harm that an exposure would cause as in the previous standards.
The Final Omnibus Rule – Risk Analysis “Must Haves”
1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the PHI or to whom the disclosure was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.
The Final Omnibus Rule – Security Incident Risk Analysis: The Result
“Presumption of Breach”
Unless the Security Incident Risk Analysis shows that there is a low probability that the PHI has been compromised, there is a presumption that the PHI has been compromised and Breach Notification must be performed.
The Final Omnibus Rule – Breaches
Business Associates must report up the chain for breaches of unsecured PHI in addition to security incidents, i.e. Business Associates report to their Covered Entity partners, and Covered Entities report to individuals, the media, HHS, etc.
Implications
Covered Entities/Business Associates are responsible for the actions of their Business Associates:
I. You can be indemnified, but you are still directly responsible for your business associate’s actions.
II. Covered Entities and Business Associates are required to establish BAAs with their Business Associates and subcontractors.
III. There must be coordination and supervision of the relationship between Covered Entities and Business Associates to ensure compliance.
Implications (cont.) – Ensuring Compliance
1. Responsibility matrix defining the division of responsibilities between entities for the protection of PHI.
2. Employee training designed to address the needs of the line of business of the entity and the employee’s scope of work.
3. Partner’s media handling and sanitization policies.
4. Information system development lifecycle.
5. Cooperative policies between you and your Business Associate.
6. Coordinated incident response procedures.
Key Takeaways
• You must strive to create relationships with knowledgeable, compliant Business Associates.
• You must make sure your Business Associates remain compliant in dealing with PHI.
• You and your Business Associates must have training for your employees that is designed to address their activities regarding PHI.
Workforce Security - Section 164.308(a)(3)
Responsibility matrix: for each implementation specification, whether it is Required or Addressable, and how responsibility is divided between Customer and Provider.

Implementation Specification: Workforce Access (Required)
Description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
Customer Responsibility: Customer will determine who has logical or physical access to Customer’s systems at Provider’s facilities or to systems provided by Provider for Customer’s use.
Provider Responsibility: Provider will restrict physical access to Customer’s systems, and systems supplied by Provider for Customer’s use, to those authorized by Customer, and will only implement physical, logical or electronic changes to Customer’s systems upon direction from Customer-authorized personnel.

Implementation Specification: Authorization and/or Supervision (Addressable)
Description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Customer Responsibility: Customer will authorize and supervise all Customer personnel and vendors interacting with the systems located at Provider’s facilities.
Provider Responsibility: Provider will authorize and supervise all Provider personnel and vendors interacting with Customer systems located at Provider’s facilities.

Implementation Specification: Workforce Clearance Procedure (Addressable)
Description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Customer Responsibility: Customer will determine whether access is appropriate for all Customer personnel and vendors.
Provider Responsibility: Provider will determine whether access is appropriate for all Provider personnel and vendors.