Welcome!

- Updating Business Associate requirements
- The roles of BAs, Subcontractors and Agents
- Amending Business Associate Agreements
- New Violation Categories and Penalties
- Audits, Remediation and Good Faith Efforts
Changing BA Rules

Prior to HITECH, management of ePHI security was loosely defined. The law required BAs to "use appropriate safeguards." There was no standard relating to how data would be protected, and no way to validate whether the BA was actually following the standard.

Encryption and virus protection as cases in point:
- Laptops do not necessarily have discs encrypted
- Workstation users often disable virus protection
- System patching has also emerged as an issue

Best intentions created worst-case scenarios:
- Limited IT resources in many CEs
- Too many IT issues to handle
- BA changes inevitable given EMR adoption
Redefining Business Associates

BAs are "persons who, on behalf of a covered entity (but other than as members of the covered entity's workforce) perform or assist in performing a function or activity that involves the use or disclosure of individually identifiable health information, or that otherwise is regulated by HIPAA."

HITECH requires BAs to comply directly with Security Rule provisions directing implementation of administrative, physical and technical safeguards for ePHI, and development and enforcement of related policies, procedures and documentation safeguards, including designation of a security official.

HITECH also imposes on the BA an obligation to comply directly with HIPAA BA safeguards, including limiting use and disclosure of ePHI as specified in the BAA or required by law, facilitating access and accounting for disclosures, opening books and records to DHHS, and returning or destroying all ePHI, if feasible, upon termination of the Business Associate Agreement.

HITECH deems a BA to violate HIPAA if the BA "knows of a pattern of activity or practice" by the CE that breaches their BAA and the BA fails to cure the breach, terminate the BAA or report the non-compliance to DHHS.
Subcontractors and Agents

The BA must require subcontractors and agents to provide reasonable written assurance that they will comply with the same restrictions and conditions that apply to the BA under the terms of the BAA with respect to PHI.
Required Capabilities

Accounting of Disclosures and Audit Trail issues:
- Accounting provision only covers "disclosures"
- CEs and BAs must account for a narrow category
- Includes disclosures to law enforcement

Protecting Data:
- BA restricts access to PHI via password and access criteria
- Servers in a secured computer room; limited access
- Data received and forwarded automatically
- Archives and backups in a fireproof safe

Proper Disposal of Data:
- At end of BAA, data deleted from BA systems
- No printed reports or paper copies retained by BA
- Printed reports are shredded upon completion

Privacy and Security Measures:
- Employees, contractors, subcontractors and agents must sign
- BA supports 128-bit encryption for all reports
- Restricted access to PHI on a need-to-know basis
- Automatic expiration of passwords
- Restricted access to computer room and servers
- Mandatory HIPAA training for all employees
- Monitored security system
- Automated data backups, stored in a safe
- Automated virus checks
- Employee termination security procedures
Elements of BAAs

- BA agrees not to use PHI outside requirements
- BA agrees to use appropriate safeguards
- BA mitigates any disclosure that violates the BAA
- BA reports disclosures to CE
- BA agrees to document disclosures

BAA specifies purposes for use of PHI:
- Functions, activities or services on behalf of CE
- May use PHI to provide data aggregation to CE
- May use PHI to report violations of the law

CE must notify BA of limitations in privacy practice:
- Notify BA of changes in PHI disclosure procedures
- Notify BA of any restriction of PHI use or disclosure

BAA must set forth term and termination provisions:
- Upon termination, BA returns or destroys PHI
- Provision applies to subcontractor or agent PHI
- BA shall retain no copies of PHI
- If return is unfeasible, BA must specify conditions
Amendments and Provisions

There's no clear consensus on the implications of HITECH for BAAs. Since HITECH directly regulates BAs and imposes new privacy and security obligations, there may be little need to update existing contracts. However, §§ 13401 and 13404 mandate that HITECH security and privacy provisions be "incorporated into the BAA." Your need to amend may depend on existing language and interpretation by the parties to the agreement.
Making the Transition

- CEs directly responsible for "workforce" conduct
- "Workforce" includes employees and volunteers
- Also trainees and others working under CE control

A broader definition: temporary employees, outsourced staff, and BA employees who are, by contract, the responsibility of the CE are all part of the CE "workforce." CEs that fail to properly respond to BA non-compliance may have violated HIPAA.

Enhanced enforcement provisions in HITECH may prompt CEs to seek broader assurances from BAs – some form of indemnification. BAs are likely to seek protection for actions taken at the direction of the CE, and to impose other limits on liability in connection with the BAA.
New Violation Categories

Category                                                                 | Per violation | Total per calendar year
-------------------------------------------------------------------------|---------------|------------------------
Did not know (and by exercising reasonable diligence, would not have     | $100          | $25,000
known) that the action would lead to a violation                         |               |
Reasonable cause (not willful neglect)                                   | $1,000        | $100,000
Willful neglect, corrected                                               | $10,000       | $250,000
Willful neglect, uncorrected                                             | $50,000       | $1,500,000
Audits, Remediation and Good Faith Efforts

HIPAA audits are relatively new and still very rare. They include a site visit and an audit report. Site visits comprise interviews with stakeholders and examination of physical features of Health Information Systems. Site audits check physical safeguards, daily operations, adherence to policies and compliance with HIPAA requirements.

HIPAA remediation addresses "gaps" identified via risk analysis. After "gap analysis" is complete, begin prioritizing remediation targets. "Quick hits" are key: they can be anything your organization is confident will require few resources to correct, and they often demonstrate "good faith" progress toward compliance.

Remember that problems will not all be of the same priority. Some problems will involve relatively flagrant or obvious violations of HIPAA privacy mandates. These generally need to be addressed as high priorities. Identify the resources needed to work through these issues first.
Questions and Comments

HIPAA, HITECH, and the role of Business Associates