Business Associate Assessment, Agreement and Requirements
Presenter's Background

Blair Jerome, PhD has worked in public and private education for over twenty years. Blair has designed and taught courses for both the IT and Pharmaceutical Industries. As an educational administrator Blair's experience includes working with regulatory agencies and boards at the national, regional and state level. Blair understands how a changing audit landscape can impact planning, budgeting, and decision making throughout an organization.
Who are we

EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.

• Education
• Consulting
• Toolkit (Tools, Best Practices & Checklist)

Goal: To make compliance an enjoyable and painless experience
Webinar Objective

Understand and perform Business Associate Agreement & Assessment to secure Protected Health Information (PHI).
Glossary

1. PHI: Protected Health Information
2. PHR: Personal Health Records
3. HHS: Health and Human Services
4. OCR: Office for Civil Rights
5. HITECH: Health Information Technology for Economic and Clinical Health Act
HITECH Act

The Health Information Technology for Economic and Clinical Health ("HITECH") provisions of the American Recovery and Reinvestment Act of 2009 ("ARRA", also referred to as the "Stimulus Bill") codify and expand on many of the requirements contained in the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its regulations to protect the privacy and security of protected health information ("PHI").
BA Applicability and Penalties

BA Contracts Required

Business Associate Audit by OCR
HITECH modifications to HIPAA

• Creating incentives for developing a meaningful use of electronic health records
• Changing the liability and responsibilities of Business Associates
• Redefining what a breach is
• Creating stricter notification standards
• Tightening enforcement
• Raising the penalties for a violation
• Creating new code and transaction sets (HIPAA 5010, ICD10)
HITECH Requirements (BA Impact)

• New Privacy Requirements for Business Associates
  i. Breach notification
  ii. Use and disclosure limitations apply directly to business associates
  iii. Minimum necessary principle applies directly; must use limited datasets
• Increased penalties
• Business Associates directly liable for violations
• Business Associate Agreements must be amended
• Business Associates must impose the same requirements on subcontractors that access PHI

HITECH Requirements (BA Impact), continued

• Breach: According to HITECH, a breach is "the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information."

• Three Exceptions:
  • unintentional acquisition, access, or use of protected health information by a workforce member
  • inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate
  • the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information
What Is a "Business Associate"?

A "business associate" is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity's workforce is not a business associate.
Examples of a Business Associate

• A third party administrator that assists a health plan with claims processing.
• A CPA firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
Examples of No Business Associate Relationship

• Physician Services
• Nursing Services
• Laboratory Services
• Radiology Services
• Physical Therapy
• Occupational Therapy
• Bank Services
• Courier Services
Responsibilities, Obligations and Duties of BA

• Must comply with HIPAA
• May not use or disclose PHI
• Minimum necessary use
• Civil and criminal liability directly
Business Associate Cycle

(Diagram: Covered Entity -> BA -> HHS/OCR, with the BA's sub-contractors below the BA.)

• Covered Entity: BA Contract, Breach Notification
• BA: HIPAA Privacy and Security Rule, Minimum Necessary, Breach Notification
• Sub-contractors
HIPAA Titles - Overview

HIPAA Security Rule
Information Security Model

Confidentiality: Limiting information access and disclosure to authorized users (the right people)

Integrity: Trustworthiness of information resources (no inappropriate changes)

Availability: Availability of information resources (at the right time)
PHI

(Diagram of nested sets: Health Information contains Individually Identifiable Health Information, which contains PHI.)
ePHI - 18 Elements

| Element | Example |
|---|---|
| Name | Max Bialystock |
| Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code) | 1355 Seasonal Lane |
| Dates related to an individual | Birth, death, admission, discharge |
| Telephone numbers | 212 555 1234, home, office, mobile etc. |
| Fax number | 212 555 1234 |
| Email address | LeonT@Hotmail.com, personal, official |
| Social Security number | 239-68-9807 |
| Medical record number | 189-88876 |
| Health plan beneficiary number | 123-ir-2222-98 |
| Account number | 333389 |
| Certificate/license number | 3908763 NY |
| Any vehicle or other device serial number | SZV4016 |
| Device identifiers or serial numbers | Unique Medical Devices |
| Web URL | www.rickymartin.com |
| Internet Protocol (IP) address numbers | 19.180.240.15 |
| Finger or voice prints | finger.jpg |
| Photographic images | mypicture.jpg |
| Any other characteristic that could uniquely identify the individual | |
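As an added example (not part of the deck or EHR 2.0's toolkit), a Python check that applies the 18-element list above to a record: direct identifier fields are dropped, dates are reduced to the year, and free text is scanned for identifiers that leak into notes. The field names, regex patterns and sample record are assumptions; it goes one step beyond the slide by keeping the year of a date, which the Safe Harbor method permits.

```python
"""Safe Harbor style ePHI check over a patient record.

Added example, not the deck's own tooling. The 18 identifier classes come from
the slide; the field names, free-text patterns and sample record are
constructed assumptions. Dates are reduced to the year rather than dropped,
which is what the Safe Harbor de-identification method permits.
"""
import re
from typing import Dict, List, Tuple

# Structured fields that map onto the 18-element list (field names assumed).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "zip",        # name, address
    "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",   # contact, IDs
    "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip", "biometric_file", "photo_file",
}

# Dates related to the individual: keep only the year (MM/DD/YYYY assumed).
DATE_FIELDS = {"birth_date", "death_date", "admission_date", "discharge_date"}

# Identifiers that tend to leak into free text such as clinical notes.
FREE_TEXT_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("url", re.compile(r"\b(?:https?://|www\.)[\w./-]+\w")),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),
]


def scan_free_text(text: str) -> List[Tuple[str, str]]:
    """Return (identifier_class, value) for each identifier found in text."""
    hits: List[Tuple[str, str]] = []
    for label, pattern in FREE_TEXT_PATTERNS:
        hits.extend((label, m.group(0)) for m in pattern.finditer(text))
    return hits


def redact_free_text(text: str) -> str:
    """Replace every free-text identifier with a class marker such as [SSN]."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label.upper()}]", text)
    return text


def deidentify(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Return a de-identified copy of record plus a list of what was changed.

    Direct identifier fields are dropped, date fields are reduced to the year,
    and every remaining string field is scanned and redacted.
    """
    clean: Dict[str, str] = {}
    findings: List[str] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            findings.append(f"{field}: direct identifier dropped")
        elif field in DATE_FIELDS:
            clean[field] = value[-4:]
            findings.append(f"{field}: reduced to year")
        else:
            hits = scan_free_text(value)
            findings.extend(f"{field}: {label} {val!r} redacted" for label, val in hits)
            clean[field] = redact_free_text(value) if hits else value
    return clean, findings


# Constructed sample record reusing the example values from the slide.
SAMPLE_RECORD = {
    "name": "Max Bialystock",
    "street_address": "1355 Seasonal Lane",
    "birth_date": "03/14/1962",
    "ssn": "239-68-9807",
    "mrn": "189-88876",
    "diagnosis_code": "J18.9",
    "note": ("Patient seen 03/14/2012, call 212 555 1234 or LeonT@Hotmail.com; "
             "portal login from 19.180.240.15 and www.rickymartin.com."),
}

if __name__ == "__main__":
    cleaned, changes = deidentify(SAMPLE_RECORD)
    print(cleaned)
    for change in changes:
        print(" -", change)
```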
Business Associate Requirement Chart

| Requirement | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| Right to Audit & Review | Yes | May be | No |
| Baseline Security Controls | Yes | No | No |
| Standards and Certification Clause | Yes | May be | No |
| Contract Review | Every 6 months or any major change | Every year | Every year |
| Breach Notification | Stringent | Standard | Standard |
| Training and Education | Yes | Yes | Yes |
| Periodic Risk Assessment | Yes | May be | N/A |
Criteria for Business Associates

‐ Corporate size of the BA
‐ Volume of data accessed by BA
‐ Number of facilities serviced by BA
‐ Type of services provided by BA
‐ Complexity of services provided by BA
‐ Location of BA
‐ Previous data breaches, complaints or incidents involving BA
HIPAA Security Rule Standard

| HIPAA Section | Implementation Specification | Implementation | Requirement Description | Solution | Yes/No/Comments |
|---|---|---|---|---|---|
| 164.308(a)(1)(i) | Security Management Process | Required | Policies and procedures to manage security violations | | |
| 164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment | Penetration test, vulnerability assessment | |
| 164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches | SIM/SEM, patch management, vulnerability management, asset management, helpdesk | |
| 164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for policies and procedures violations | Security policy document management | |
| 164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity | Log aggregation, log analysis, security event management, host IDS | |
| 164.308(a)(2) | Assigned Security Responsibility | Required | Identify security official responsible for policies and procedures | | |
| 164.308(a)(3)(i) | Workforce Security | Required | Implement policies and procedures to ensure appropriate PHI access | | |
| 164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access | Mandatory, discretionary and role-based access control: ACL, native OS policy enforcement | |
| 164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access | Background checks | |
| 164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access | Single sign-on, identity management, security policy document management, access controls | |
| 164.308(a)(4)(i) | Information Access Management | Required | Policies and procedures to authorize access to PHI | | |
| 164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | Policies and procedures to separate PHI from other operations | Application proxy, firewall, mandatory UPN, SOCKS | |
| 164.308(a)(4)(ii)(B) | Access Authorization | Addressable | Policies and procedures to authorize access to PHI | Mandatory, discretionary and role-based access control | |
| 164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | Policies and procedures to grant access to PHI | Security policy document management | |
| 164.308(a)(5)(i) | Security Awareness Training | Required | Training program for workers and managers | | |
| 164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates | Sign-on screen, screen savers, monthly memos, e-mail, banners | |
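As an added example (not the deck's or EHR 2.0's code), a Python activity review over constructed EHR access-log lines that exercises three rows of the table above: Termination Procedures (access by a terminated or unknown account), Access Authorization and minimum necessary (record types outside the user's role), and Information System Activity Review (bulk record pulls that look like acquisition rather than treatment). The key=value log format, the workforce roster and the bulk threshold are assumptions.

```python
"""Information System Activity Review over EHR access logs.

Added example, not the deck's own tooling. The key=value log format, the
workforce roster and the bulk-access threshold are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed workforce roster: account status and the record types each role
# is authorized to view (the minimum necessary for that role).
WORKFORCE: Dict[str, dict] = {
    "dr_patel": {"status": "active", "allowed": {"clinical", "lab", "radiology"}},
    "b_nguyen": {"status": "active", "allowed": {"billing"}},
    "t_moore": {"status": "terminated", "allowed": {"clinical"}},
}

# More distinct patients than this per user per hour is treated as a bulk pull.
BULK_THRESHOLD = 3

# Constructed sample log: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2012-03-05T09:02:11 user=dr_patel patient=P1001 record=clinical action=view
2012-03-05T09:05:40 user=b_nguyen patient=P1001 record=billing action=view
2012-03-05T09:07:02 user=b_nguyen patient=P1002 record=clinical action=view
2012-03-05T09:15:55 user=t_moore patient=P1003 record=clinical action=view
2012-03-05T09:20:10 user=unknown_svc patient=P1004 record=lab action=export
2012-03-05T10:01:00 user=b_nguyen patient=P2001 record=billing action=view
2012-03-05T10:02:00 user=b_nguyen patient=P2002 record=billing action=view
2012-03-05T10:03:00 user=b_nguyen patient=P2003 record=billing action=view
2012-03-05T10:04:00 user=b_nguyen patient=P2004 record=billing action=view
"""

Finding = Tuple[str, str, str]  # (finding kind, user, detail)


def parse_line(line: str) -> dict:
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def review(log_text: str, roster: Dict[str, dict] = WORKFORCE,
           bulk_threshold: int = BULK_THRESHOLD) -> List[Finding]:
    """Return per-line findings in log order, then bulk-access findings."""
    findings: List[Finding] = []
    per_hour: Dict[Tuple[str, datetime], Set[str]] = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        user, record, when = ev["user"], ev["record"], ev["ts"]
        entry = roster.get(user)
        if entry is None:
            findings.append(("unknown_account", user,
                             f"{when:%H:%M} account not in workforce roster"))
        elif entry["status"] != "active":
            # Termination Procedures gap: the account should have been disabled.
            findings.append(("terminated_account", user,
                             f"{when:%H:%M} access by {entry['status']} account"))
        elif record not in entry["allowed"]:
            # Minimum necessary / Access Authorization: record type not for this role.
            findings.append(("outside_role", user,
                             f"{when:%H:%M} {record} record not authorized for role"))
        per_hour[(user, when.replace(minute=0, second=0))].add(ev["patient"])
    # Bulk pulls: many distinct patients by one account within one hour.
    for (user, hour), patients in sorted(per_hour.items()):
        if len(patients) > bulk_threshold:
            findings.append(("bulk_access", user,
                             f"{hour:%H:%M} {len(patients)} distinct patients in one hour"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:<20} {user:<12} {detail}")
```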
Sample Business Associate Agreement

Send us an e-mail at info@ehr20.com for a sample BAA.
Trends in Healthcare IT

(Diagram with four areas: Informatics, Collaboration, Mobile Computing, EHR / HIE.)
Handheld Usage in Healthcare

• 25% usage with providers
• Another 21% expected to use
• 38% of physicians use medical apps
• 70% think it is a high priority
• 1/3 use hand-held for accessing EMR/EHR

Source: CompTIA 2011 Survey
EMR and EHR systems

Health Information Exchange (HIE)
Social Media

• How does your practice use it?
• How do your employees use it?
• Do you have policies?
Cloud-based services

• Public Cloud: EHR Applications, Private-label e-mail
• Private Cloud: Archiving of Images, File Sharing, On-line Backups
• Hybrid

HIPAA regulations remain barriers to full cloud adoption.

Cloud computing takes all batch processing and farms it out to huge central or virtualized computers.
Informatics
Sample Risk Analysis Template

| Impact \ Likelihood | High | Medium | Low |
|---|---|---|---|
| High | Unencrypted laptop ePHI | Lack of auditing on EHR systems | Missing security patches on web server hosting patient information |
| Medium | Unsecured wireless network in doctor's office | Outdated anti-virus software | External hard drives not being backed up |
| Low | Sales presentation on USB thumb drive | Web server backup tape not stored in a secured location | Weak password on internal document server |
Top 5 Recommendations

1. Ensure encryption of all protected health information in storage and in transit (at least de-identification).
2. Implement a mobile device security program.
3. Strengthen information security user awareness and training programs.
4. Ensure that business associate due diligence includes a clearly written contract and a periodic review of implemented controls.
5. Minimize sensitive data capture, storage and sharing.
Key Takeaways

• The HITECH Act treats business associates as a covered entity
• Processing of PHI elements drives business associate scope, agreement and assessment
• An updated contract and a controls assessment (due diligence) are considered best practices for mitigating risks
• Periodic review of your top tier business associates and training requirements
Additional Resources

• HHS FAQ - http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/index.html
How can you help us?

• Follow us on social media
  facebook.com/ehr20 (Like)
  linkedin.com/company/ehr-2-0 (Follow us)
  https://twitter.com/#!/EHR_20 (Follow)
• Next Webinar on HIPAA/HITECH Security Assessment (3/28)
• http://ehr20.com/services/

We sincerely appreciate your referrals!
Thank you!!

Visit us at ehr20.com
