9 things you need to do to update your BA agreement


It’s a brave new world out there for business associates. The Omnibus Rule has finally been published, and the industry is facing a September 2013 compliance deadline. Business associates have been required to comply with the HIPAA Security Rule and the use and disclosure provisions of the Privacy Rule since February 2010 as a result of the HITECH Act, but the Office for Civil Rights (OCR) held off on enforcement. Now enforcement is set to begin September 23, 2013.

A big change is the redefinition of who counts as a business associate, which greatly expands the number of companies that need to step up their compliance efforts to avoid potential civil penalties down the road. Subcontractors who have access to PHI, or who store it, need to sign business associate agreements by September and be in a position to demonstrate compliance.

If you represent a business associate, or a subcontractor about to become one, here are the top nine things you need to do to demonstrate compliance by September 23, 2013 and to avoid potential fines down the road.

  • Safe harbor encryption – PHI encrypted to the NIST standards referenced in HHS guidance is “secured,” so its loss falls under the breach notification safe harbor
  • Explain that encryption is an addressable implementation specification, which is not the same as optional

    1. 9 things you need to do to update your BA agreement
       July 16, 2013
       Chris Apgar, CISSP, Apgar & Associates, LLC
       Andy Nieto, DataMotion
    2. Overview
       ■ Business Associates & Omnibus Rule – An Overview
       ■ 9 Things You Need to Do to Update Your Business Associate Agreement
       ■ Encryption/securing data
       ■ Summary
    3. Business Associates & Omnibus Rule – An Overview
       ■ The HITECH Act requires business associates (BAs) to comply with the HIPAA Security Rule, as well as certain use and disclosure provisions of the Privacy Rule and the Breach Notification Rule
       ■ BA contracts or agreements are still required
       ■ The U.S. Dept. of Health and Human Services (HHS) expanded the definition of BA to include subcontractors
    4. Business Associates & Omnibus Rule – An Overview
       ■ Expanded definition of BA:
         » A person (vendor entity or individual) who contracts directly with, or downstream from, a covered entity and creates, receives, maintains/stores, or transmits PHI
         » A subcontractor of a BA who creates, receives, maintains/stores, or transmits PHI on behalf of the BA
    5. Business Associates & Omnibus Rule – An Overview
       ■ A “person” is a BA based on the business or clinical functions performed involving PHI, not on whether a BA contract has been executed
       ■ Covered entities, business associates, and subcontractors are all responsible for ensuring a BA contract or agreement has been executed
    6. Business Associates & Omnibus Rule – An Overview
       ■ A subcontractor must execute and comply with a BA contract or agreement
       ■ A subcontractor of a subcontractor is also a BA, all the way “down the chain”
       ■ Subcontractors are required to adhere to certain use and disclosure provisions of the HIPAA Privacy Rule, the full Security Rule, and the Breach Notification Rule
       ■ All are subject to civil penalties
    7. New Business Associates
       ■ The rule names specific entities as BAs:
         » Patient Safety Organizations (e.g., private entities similar to the Oregon Patient Safety Commission)
         » Health information organizations
         » E-prescribing gateways
         » Personal health record vendors contracted by a covered entity (does not include patient portal vendors)
    8. New Business Associates
       ■ Conduits are not included, but “conduit” is very narrowly defined – vendors who provide only transmission services, such as ISPs, the U.S. Postal Service, Comcast, Xfinity, and so forth
       ■ Vendors who store PHI are BAs, even if the PHI is encrypted and the vendor is never intended to access it
       ■ Includes vendors who store non-electronic PHI
       ■ Impacts cloud or SaaS vendors such as EHR, hosting, and data backup vendors
    9. More on Business Associates
       ■ ACO governance/management organizations are business associates of all network providers
       ■ BAs may use or disclose PHI only as permitted by the BA contract or agreement or as required by law
       ■ Subcontractors are subject to the requirements of the initial covered entity’s BA contract or agreement or the BA’s contract or agreement, whichever is more stringent
    10. More on Business Associates
       ■ BAs and subcontractors are required to adhere to the minimum necessary standard – if they don’t, it’s a breach of unsecured PHI
       ■ If a BA knows of a subcontractor’s noncompliance and doesn’t take steps to cure the violation or terminate the contract, the BA may be subject to civil penalties
    11. The Nine Things – Risk Analysis
       ■ Look inside first, then make sure your BAs have done the same
       ■ One of the first requirements in the HIPAA Security Rule – conduct a risk analysis (and mitigate what it finds)
       ■ A “must do,” HIPAA or no HIPAA
       ■ Don’t forget people – your biggest risk
       ■ Make sure you conduct one and that your downstream BA vendors do the same
    12. The Nine Things – Risk Management
       ■ Implement a risk management program while (or after) mitigating the risks identified in the risk analysis
       ■ It needs to be robust and ongoing, and periodically updated to address new risks and those you find still need to be mitigated
       ■ Ask the question: has my BA implemented a risk management program?
       ■ Unaddressed BA risks become your risks
    13. The Nine Things – Policies & Procedures
       ■ Where are those policies and procedures?
       ■ The HIPAA Privacy Rule and Security Rule require them
       ■ Referenced in OCR’s “Culture of Compliance”
       ■ Make sure they are current, accurate, enforceable, and communicated
       ■ Don’t make BAs use your policies, but make sure they have it covered – avoid agency while reducing risk
    14. The Nine Things – Training
       ■ You may be training new employees, but are you training your existing workforce?
       ■ Training is not a one-time event
       ■ Training equates to reduced people risk
       ■ Train your BAs in a non-prescriptive way:
         » Compliance requirements
         » Expectations (may be more stringent than HIPAA)
         » Don’t forget subcontractors
    15. The Nine Things – Audit Program
       ■ HIPAA and OCR require a solid audit program:
         » Information system activity review
         » User login monitoring
         » Audit log monitoring
         » Evaluation
       ■ Just because a specification is addressable doesn’t mean it’s optional
       ■ Periodically conduct a mini BA audit
    16. The Nine Things – Security Incidents & Breaches
       ■ If a security incident occurs, do you know what to do?
       ■ Security incidents versus breaches, and what’s reportable now and after September
       ■ Encrypted (secured) PHI – not reportable
       ■ Security incident response plan – is it complete, and is it tested?
       ■ Prepare for mitigation and notification
    17. The Nine Things – Security Incidents & Breaches
       ■ Breaches are often the starting point for OCR investigations
       ■ BAs should know – only the CE performs the breach risk assessment unless it is specifically delegated by contract
       ■ Make sure to add who will pay the bills – BA breach indemnification language
       ■ Do your BAs know whom to notify if a breach of unsecured PHI occurs?
    18. The Nine Things – Timeline to Amend & Execute BA Contracts
       ■ Omnibus Rule-compliant amended or new BA contracts or agreements (BAAs) must be executed by September 23, 2013
       ■ Covered entities may have additional time to execute amended BAAs, but BAs do not when it comes to subcontractors
       ■ If evergreen and periodically expiring contracts were compliant with pre-Omnibus Rule provisions (including HITECH) by January 24, 2013, covered entities have one additional year to amend them
    19. The Nine Things – Timeline to Amend & Execute BA Contracts
       ■ If current BAAs don’t comply with the pre-Omnibus Rule, or no BAA has been executed, compliant BAAs must be executed by September 23, 2013
       ■ New or amended BAAs executed after March 26, 2013, should be compliant with the Omnibus Rule
       ■ All BAAs must be updated no later than September 22, 2014
    20. The Nine Things – Mobile Devices & BYOD
       ■ If you have a BYOD program, are you limiting your risks?
         » Workforce training
         » Mobile device management applications
         » Sign that BYOD use agreement
         » Encrypt hard drives, flash drives, and portable media
         » Encryption at rest and in motion
       ■ Mobile device management programs need to be formal, communicated, and enforceable to limit risk
    21. The Nine Things – Business Continuity
       ■ Are you and your downstream vendors ready for data loss or corruption, loss of power, or a greater disaster?
       ■ If you rely on a BA to support you in a disaster, do you have a plan and a contract, and have you tested them?
       ■ A draft plan, or a plan that hasn’t been communicated, won’t work when things fail and bad things happen
    22. HIPAA, Business Associates and Encryption
       Andy Nieto
    23. HIPAA Privacy Rule
       ■ The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information.
       ■ At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
    24. Electronic Communication
       The Privacy Rule is not anti-electronic. You can communicate with patients, providers, and others by electronic means, with the implementation of appropriate safeguards to protect patient privacy.
       ■ Encryption
       ■ Secure messaging
    25. Encryption is a HIPAA Silver Bullet
    26. BA contract contents should identify – Privacy
       ■ Ensure privacy by controlling access
       ■ Encrypt the data
       ■ Control who can decrypt
    27. BA contract contents should identify – Security
       ■ Require safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that the BA creates, receives, maintains, or transmits on behalf of the covered entity
       ■ Encrypt data in all modes:
         » Storage
         » Transport
       ■ Provide the ability to track and retract as needed
    28. Assumption of Breach
       ■ Guilty until proven innocent
       ■ Encrypt, track, audit
    29. Protection from Breach Notification
       ■ The only exception to breach notification is if the PHI disclosed was secured with encryption
    30. But I don’t want to encrypt!
       ■ It’s not required.
       ■ Covered entities must employ “reasonable and appropriate” solutions to ensure PHI security. If not encryption, then what?
    31. Best Practices
       ■ Assess what needs to be encrypted
       ■ Make it easy to use, and train
       ■ Use logging and tracking
       ■ Maintain normal business processes
    32. Other Considerations
       ■ Attachments and moving data (how)
       ■ Mobile device integration
       ■ End-user-initiated communication
    33. Summary
       ■ Time to comply is running out
       ■ Educate but don’t prescribe – avoid agency while reasonably ensuring compliance
       ■ Pay close attention to the two top risks – BYOD and risk analysis
       ■ Leverage technology solutions for secure messaging and encryption
    34. Questions
       Chris Apgar, CISSP – capgar@apgarandassoc.com
       Andy Nieto – andyn@datamotion.com
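The encryption slides (encrypt the data, control who can decrypt, encrypt, track, audit; encrypt in storage and in transport) name the controls without showing them. The Go program below is an added illustration, not part of the original presentation or either presenter's material. It shows what those controls look like for a stored record: AES-256-GCM (the AES-GCM mode standardized in NIST SP 800-38D; the HHS breach notification guidance points to NIST publications such as SP 800-111 for data at rest), a data-encryption key held apart from the ciphertext, an authorization check before any decrypt, and an audit trail of every decrypt attempt, allowed or denied. The Vault type, the static allow-list of users and the sample MRN record are assumptions made for the example; a real deployment would hold the key in a KMS or HSM and consult the identity provider for the access decision.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"time"
)

// AuditEvent is one entry in the decrypt audit trail: who asked for which
// record, and whether the request was allowed.
type AuditEvent struct {
	When     time.Time
	User     string
	RecordID string
	Allowed  bool
	Reason   string
}

// Vault keeps the data-encryption key apart from the stored ciphertext and
// decides who may decrypt. The allow-list stands in for a real identity and
// access-management check (an assumption made for this example).
type Vault struct {
	key        []byte // 32 bytes selects AES-256
	authorized map[string]bool
	Audit      []AuditEvent
}

// NewVault rejects anything but a 32-byte key so the cipher is always AES-256.
func NewVault(key []byte, authorized []string) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	v := &Vault{key: key, authorized: make(map[string]bool)}
	for _, u := range authorized {
		v.authorized[u] = true
	}
	return v, nil
}

// aead builds AES-GCM (NIST SP 800-38D) over the vault key.
func (v *Vault) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one record as nonce || ciphertext || tag, drawing a fresh
// random nonce per call. The record ID is bound as additional authenticated
// data so a ciphertext cannot be presented under a different record.
func (v *Vault) Encrypt(recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Decrypt enforces the access decision, opens the record, and logs every
// attempt, allowed or denied, to the audit trail.
func (v *Vault) Decrypt(user, recordID string, blob []byte) ([]byte, error) {
	ev := AuditEvent{When: time.Now(), User: user, RecordID: recordID}
	defer func() { v.Audit = append(v.Audit, ev) }()
	if !v.authorized[user] {
		ev.Reason = "user not authorized to decrypt"
		return nil, errors.New(ev.Reason)
	}
	gcm, err := v.aead()
	if err != nil {
		ev.Reason = err.Error()
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		ev.Reason = "ciphertext too short"
		return nil, errors.New(ev.Reason)
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		// The GCM tag check fails for a wrong key, modified ciphertext, or a
		// ciphertext presented under the wrong record ID; no plaintext leaks.
		ev.Reason = "authentication failed: wrong key, tampered data or wrong record"
		return nil, errors.New(ev.Reason)
	}
	ev.Allowed, ev.Reason = true, "ok"
	return pt, nil
}

func main() {
	key := make([]byte, 32) // in production: from a KMS/HSM, never stored beside the data
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key, []string{"dr.lee"})
	blob, _ := v.Encrypt("MRN-0001", []byte("Patient: Jane Doe; Dx: E11.9")) // constructed sample record
	fmt.Printf("stored %d bytes of ciphertext; readable only with the key\n", len(blob))
	v.Decrypt("intern", "MRN-0001", blob) // denied and logged
	blob[len(blob)-1] ^= 1                 // simulate tampering with the stored record
	v.Decrypt("dr.lee", "MRN-0001", blob)  // rejected by the GCM tag check and logged
	for _, e := range v.Audit {
		fmt.Printf("%s %s %s allowed=%t (%s)\n", e.When.Format(time.RFC3339), e.User, e.RecordID, e.Allowed, e.Reason)
	}
}
```

The point of the design for the safe harbor argument is the first line of NewVault and the key's origin in main: the ciphertext on disk is only "secured" if the key was never stored beside it and the cipher is one the NIST guidance recognizes. The audit trail gives the BA the "track" evidence the deck asks for when OCR asks who accessed a record and when.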