The document provides an overview of changes to HIPAA regulations regarding third party handling of electronic protected health information (e-PHI) under the Omnibus Rule. It discusses how the rule clarifies responsibilities for covered entities, business associates, and their subcontractors. It also explains how the conduit exception was limited and how risk analysis for security incidents and breaches must now consider probability of exposure rather than level of harm. Covered entities must now seek relationships with knowledgeable business associates that understand and follow HIPAA compliance requirements.
After the Omnibus Rule - Who Can Touch Your e-PHI Using a 3rd Party Vendor
1. After the Omnibus Rule –
Who Can Touch Your e-PHI
Using a 3rd Party Vendor to Outsource Your e-PHI
2. Chad Kissinger
Chad Kissinger is a Texas Internet pioneer. In 1994, Chad founded
OnRamp as one of Texas’ first Internet operations companies that
provided enterprises the ability to connect to and effectively utilize the
Internet. Over the years, OnRamp (www.onr.com) has grown into a
leading Data Center Operations company that delivers a full suite of
services designed to help its customers effectively maintain the
confidentiality, availability and integrity of their IT operations without the
cost or effort of building and maintaining data center and IT infrastructure.
Chad brings a wealth of experience, expertise and intimate knowledge in
several areas of data center and Internet related technology, including:
HIPAA compliance, cloud computing, data centers, virtualization and
disaster recovery. Chad is a leader in the Internet community, and has
been a founding member, President and Legislative Chair of the Texas
Internet Service Provider Association. He is also a recognized expert on
ISP issues and has testified in front of the Texas House of
Representatives, the Texas Senate and the United States House
Telecommunications Subcommittee on a variety of Internet related
topics.
3. Learning Objectives
1. This presentation is intended to promote an understanding of
the recent changes required by the HIPAA Omnibus Rule and
Texas HB 300 with regard to third party IT relationships.
It is not a comprehensive HIPAA or Omnibus Rule primer.
2. The goal of this presentation is to elicit a discussion and answer
questions about forming relationships with providers of data
services that will support your e-PHI.
5. Overview
In the past, most providers of outsourced data services would execute Business Associate Agreements
(BAAs) that required them only to take “reasonable” care in protecting the e-PHI they dealt with. Others
declined to execute BAAs outright based on the conduit exception, a rule created for the US Postal
Service and its electronic analogues – essentially an exception to HIPAA compliance for those who
merely acted as a “conduit” for e-PHI. Covered Entities and their Business Associates wanted data
service providers who would relieve them of their own responsibilities, and data service providers wanted
no responsibility – but still wanted the business.
The HIPAA Omnibus Rule and TX HB300 have clarified the responsibilities of Covered Entities, Business
Associates and their agents, with specific emphasis on the role of IT vendors. The conduit exception has
been clarified to only apply to the USPS (FedEx, etc.) and Internet and telephone service providers. It
does not apply to Business Associates who have persistent access to PHI.
The Omnibus Rule establishes direct liability for both the covered entity and the business associate,
even in the absence of a BAA. Subcontractors of Business Associates who handle e-PHI are also
Business Associates and each link in the chain from the covered entity on down has responsibility for
mistakes made “downstream”.
Now, more than ever, it is important for Covered Entities to seek out relationships with 3rd party vendors,
and particularly IT vendors, who both understand the law, as outlined by HIPAA and HITECH, and are
making a conscientious effort to achieve compliance under the HIPAA and HITECH Acts.
This presentation will cover the top issues Covered Entities and Business Associates should address
when considering outsourcing the handling of patient data.
6. Glossary of Terms – Informal Definitions
Protected Health Information (PHI) – Any information about health status, provision
of health care, or payment for health care that can be linked to a specific individual.
This is interpreted rather broadly and includes any part of a patient’s medical record
or payment history.
Electronic Protected Health Information (e-PHI) – PHI that is created, maintained
or transmitted electronically.
Covered Entity – A covered entity under HIPAA is a Health Care Provider, Health
Care Plan or Health Care Clearinghouse.
Business Associate – Any person or company that is not a covered entity and that
“creates, receives, maintains or transmits” PHI for a covered entity or business
associate.
Business Associate Agreement – The agreement between a covered entity and a
business associate or between two Business Associates that clearly defines the
permitted uses of PHI and the roles and responsibilities of each regarding the
protection of PHI.
7. Glossary of Terms – Informal Definitions
Continued
Privacy Rule – The HIPAA Privacy Rule establishes national standards to protect
individuals’ medical records and other personal health information and applies to
health plans, health care clearinghouses, and those health care providers that
conduct certain health care transactions electronically. The Rule requires appropriate
safeguards to protect the privacy of personal health information, and sets limits and
conditions on the uses and disclosures that may be made of such information without
patient authorization. The Rule also gives patients rights over their health
information, including rights to examine and obtain a copy of their health records, and
to request corrections.
Security Rule – The HIPAA Security Rule establishes national standards to protect
individuals’ electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the
confidentiality, integrity, and security of electronic protected health information.
8. Glossary of Terms
Continued
Breach Notification Rule – The requirement that Covered Entities and Business
Associates notify patients when there has been an impermissible use or disclosure of
protected health information such that the use or disclosure poses a significant risk of
financial, reputational, or other harm to the affected individual. Breach Notification
can be triggered simply by losing control of protected health information (PHI) or
electronic protected health information (e-PHI), or by temporarily allowing others to
have access to the PHI or e-PHI.
9. Status Quo Ante
Before HITECH, data centers and other service providers would
sign Business Associate Agreements (BAAs) stating they would
take “reasonable care”; others would claim the conduit exception.
10. Status Quo Ante
Continued
Customers (Covered Entities/Business Associates) - were wary of
outsourcing, or looked to providers that delivered services as “providing
compliance.”
Providers (which should be Business Associates) - refused to acknowledge
responsibility, or assumed an industry standard of low responsibility for
protection of data in their systems.
Custodians of e-PHI - either had to forgo the advantages of outsourcing or
deal with the risk of using providers not focused on HIPAA.
12. HITECH
HITECH established that Business Associates must comply
with HIPAA and implement the specific protections contained
in the Security Rule.
13. Texas Medical Records Privacy Act / HB300
• Anyone who possesses, stores or obtains PHI is considered a covered
entity.
i.e. Business Associate = Covered Entity
• HB 300 established the requirement for role based training.
14. The Final Omnibus Rule
The Role of Business Associates
• Business Associates are responsible for protecting PHI in their
custody with or without a signed BAA (the Rule establishes direct liability).
• Business Associates are directly liable for their subcontractors’
protection of PHI.
• Covered Entities are directly liable for the actions of their Business Associates and
their Business Associates’ subcontractors.
15. The Final Omnibus Rule
The Conduit Exception
Conduit exception is explicitly limited to USPS and electronic analogues:
• The conduit exception does not apply to entities that have persistent
access to PHI.
• Cloud computing & data center providers, etc. must comply with
HIPAA, TMRPA and HB 300.
16. The Final Omnibus Rule
Additional Features
• Covered Entities must receive “satisfactory assurances” from their
Business Associates that their PHI will be protected (i.e. that the BA will
follow HIPAA) and that their business associate will get similar
assurances from their subcontractors.
• “Risk of Harm” Standard for Breach Notification Rule eliminated.
• Violations of “minimum necessary” principle regarded as security
incidents that need to be properly evaluated for breach notification.
17. The Final Omnibus Rule
Risk Analysis – Breach or Security Incident
Covered Entities and Business Associates must conduct a risk analysis
after a breach or security incident that examines the probability of exposure
of the e-PHI rather than addressing the level of harm that an exposure
would cause as in the previous standards.
18. The Final Omnibus Rule
Risk Analysis - “Must Haves”
1. The nature and extent of the PHI involved, including the types of
identifiers and the likelihood of re-identification;
2. The unauthorized person who used the PHI or to whom the disclosure
was made;
3. Whether the PHI was actually acquired or viewed; and
4. The extent to which the risk to the PHI has been mitigated.
19. The Final Omnibus Rule
Security Incident Risk Analysis – The Result
“Presumption of Breach”
Unless the Security Incident Risk Analysis shows that there is a low
probability that the PHI has been compromised, there is a presumption that
the PHI has been compromised and Breach Notification must be
performed.
20. The Final Omnibus Rule
Breaches
Business Associates must report up the chain for breaches of unsecured
PHI in addition to security incidents.
i.e. Business Associates report to their Covered Entity partners and
Covered Entities report to individuals, the media, HHS, etc.
21. Implications
Covered Entities/Business Associates are responsible for the actions of their Business
Associates
I. You can be indemnified, but you are still directly responsible for your
business associate’s actions.
II. Covered Entities and Business Associates are required to establish BAAs
with their Business Associates and subcontractors.
III. There must be coordination & supervision of the relationship between
Covered Entities and Business Associates to ensure compliance.
22. Implications (cont.)
Ensuring Compliance
1. Responsibility matrix defining the division of responsibilities between
entities for the protection of PHI.
2. Employee training designed to address the needs of the entity’s line of
business and the employees’ scope of work.
3. Partner’s media handling & sanitization policies.
4. Information system development lifecycle.
5. Cooperative policies between you and your Business Associate.
6. Coordinated incident response procedures.
23. Key Takeaways
• You must strive to create relationships with
knowledgeable, compliant Business Associates.
• You must make sure your Business Associates remain compliant
in dealing with PHI.
• You and your Business Associates must have training for your
employees that is designed to address their activities regarding
PHI.
24. Workforce Security - Section: 164.308(a)(3)
Columns: Implementation Specification | Description | Required or Addressable | Customer Responsibility | Provider Responsibility

Workforce Access
Description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
Required or Addressable: Required
Customer Responsibility: Customer will determine who has logical or physical access to Customer's systems at Provider's facilities or to systems provided by Provider for Customer's use.
Provider Responsibility: Provider will restrict physical access to Customer's systems and systems supplied by Provider for Customer's use to those authorized by Customer and will only implement physical, logical or electronic changes to Customer's systems upon direction from Customer authorized personnel.

Authorization and/or Supervision
Description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
Required or Addressable: Addressable
Customer Responsibility: Customer will authorize and supervise all Customer personnel and vendors interacting with the systems located at Provider's facilities.
Provider Responsibility: Provider will authorize and supervise all Provider personnel and vendors interacting with Customer systems located at Provider's facilities.

Workforce Clearance Procedure
Description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
Required or Addressable: Addressable
Customer Responsibility: Customer will determine whether access is appropriate for all Customer personnel and vendors.
Provider Responsibility: Provider will determine whether access is appropriate for all Provider personnel and vendors.