Business Associate Risk - HC SC Sept 2014
http://insurancenewsnet.com/oarticle/2014/09/29/Business-associates-Understanding-the-true-risks-a-561097.html
Sept 29, 2014
Business associates: Understanding the true risks
By Gary Johnson
Proquest LLC
How to keep on top of HIPAA's latest requirements.
New Health Insurance Portability and Accountability Act (HIPAA) rules put in place to
safeguard patient data are putting hospitals' business associate relationships and
policies front and center. The stepped-up regulations greatly expand the number of
vendors that fall into the business associate (BA) category, and all agreements between
hospitals and BAs must be in compliance with the new rules by September 22, 2014.
In truth, however, the rules are not the central reason hospitals should be concerned
about how their BAs handle patient data. Equally important is the fact that BA data
breaches are high-impact, high-probability events that can dramatically affect a
hospital's reputation as a trusted provider.
Breaches are also expensive, costing an average of $316 per patient record, according to
the Ponemon Institute ("2014 Cost of Data Breach Study: Global Analysis"). The
penalties for HIPAA violations can be steep, with fines ranging from $100 to $50,000
per violation. For example, New York Presbyterian Hospital and Columbia University
recently agreed to a $4.8 million settlement with the U.S. Department of Health &
Human Services (HHS) Office for Civil Rights (OCR) for a breach that caused the
protected health information of 6,800 individuals to be publicly accessible via Internet
search engines.
Hospitals are also on the hook for costs associated with not attaining Meaningful Use
Stage 1, which requires them to have strong data security policies and procedures in
place to oversee BA vendors (Core Measure 15). AIS Health reports that the Centers for
Medicare & Medicaid Services (CMS) is taking an all-or-nothing approach: hospitals
must return their entire Meaningful Use incentive payment if an audit turns up even a
minor error in a core measure ("CMS Recoups All Meaningful Use Money From
Providers if Audits Turn Up Errors," Nina Youngstrom, September 9, 2013).
Tracking breaches
The OCR tracks all reported patient data breaches, both accidental and malicious. This
year, for instance, more than 931 breaches involving more than 500 patients each have
already been posted, affecting more than 31 million patients overall. OCR does not
always indicate BA involvement, so the numbers vary.
A significant percentage of BA breaches, around 35 percent, involve theft, in part
because health records are attractive to identity thieves. An April 2014 report from
the FBI's Cyber Division said cyber criminals regularly sell partial EHRs for $50 each on
the black market, compared to $1 each for stolen social security numbers or credit card
numbers. Nor are attacks on healthcare systems likely to abate. The report predicts that
lax cyber-security standards, the mandatory transition to EHRs and the high financial
payout for medical records will likely lead to an increase in cyber intrusions.
Hospitals earn low marks in pilot audit
The Health Information Technology for Economic and Clinical Health Act (HITECH)
requires periodic audits of providers and business associates. In April 2013, OCR
released the findings of its 2011 pilot audit program, which measured the efforts of 115
covered entities.
OCR found that most evaluated entities did not meet HIPAA standards for breach
notification, privacy and security. It found that two-thirds failed to perform a
comprehensive, accurate security risk assessment and that the most common cause of
noncompliance was ignorance of the requirement.
Many experts predict that the next round of audits will focus on timely and thorough
security risk assessments, effective and ongoing risk mitigation plans, breach
notification procedures, encryption, training, and policies and procedures.
"What typically happens is you sign on a new vendor and get the BA agreement [BAA]
signed. But then a year goes by, and they fail to keep their documentation up to date and
no one realizes it," says Jane Girling, Assistant Vice President of Corporate Materials
Management of CentraState Hospital in Freehold, NJ. "For us, it's been critical to tie our
vendor and managed care contract requirements to the compliance piece."
Without at least partial automation of the process, getting these policies in place can be
overwhelming. "The Deficit Reduction Act is being very stringently administered in New
Jersey, so I had to get notices out to vendors concerning state and federal compliance
laws on an annual basis, which would have been a total nightmare without a vendor
management system. Now, that system is helping us with BAA audits," says Alice
Guttler, Sr. Vice President & Corporate Counsel at CentraState.
Hospitals underestimate BA numbers
Correctly identifying all BAs is the biggest problem hospitals encounter as they work to
comply with HIPAA Omnibus (which expands the definition of a BA vendor). Assessing
a hospital's entire vendor list is a major undertaking. The majority of hospitals have
5,000 or more total vendors, and a significant number of them meet the definition of BA
under Omnibus. Every unidentified BA is an unmanaged BA, adding to a hospital's
degree of risk.
"Until you start the BAA audit process, you don't realize how many vendors you're
actually dealing with," says Guttler. "We have about 2,500 employees and 283 beds, but
we're dealing with hundreds of vendors. Initially, the Office of Civil Rights will be
[playing an educational role], but they'll start assessing penalties, and that may become
pretty costly."
Often, BA risk assessment and oversight is done by the compliance or legal department
without coordination with supply chain/purchasing. Because purchasing agents are
responsible for vendor selection, managing the relationship and contractual fulfillment,
this lack of synchronization can lead to serious gaps. It's not unusual for the
number of BAs identified in an initial assessment to be around 250, when the actual
number obtained through a complete vendor analysis is closer to 750 or more.
Furthermore, individuals in charge of identifying BAs and overseeing their health
information policies often are so laser-focused on getting vendors to sign a business
associate agreement that other policies are omitted. For each BA, for example,
hospitals should have breach notification policies on file.
Best practices for trustee oversight and governance
Effective board oversight of BAs begins with an understanding of HIPAA Omnibus,
Meaningful Use Stage 1 and the risks related to noncompliance. To ensure a hospital is
taking necessary steps, trustees should ask senior managers the following:
1. How many BA vendors does the hospital have? How many have an up-to-date (compliant) BAA?
2. How often is a report on BA/BAA status distributed, and to whom?
3. Does the hospital have a single, up-to-date vendor master file, or is the data stored in multiple files?
4. What percentage of the hospital's vendors have been screened for BA risk?
5. How many patient data breaches have occurred in the last two years? What was the nature of the breaches? What steps have been taken to prevent similar breaches?
6. How many of the patient data breaches that occurred in the last two years have involved a vendor?
7. What is the status of the hospital's compliance with all the requirements needed to fulfill Core Measure 15 of Meaningful Use Stage 1?
8. Which individuals will be in charge of preparing for an OCR audit? How many days do they estimate they will need to prepare?
With these basics established, board focus should turn to investigating whether or not
the organization is adequately preparing for an audit. HHS has specifically stated that
covered entities must take dual responsibility for patient data protection by obtaining
satisfactory assurances from each BA.
Armed with a full understanding of the challenges of breach prevention, as well as the
financial and reputation-related consequences of not meeting the new HIPAA standards,
board members can successfully assist senior management with proper planning and
budgeting for best practices.
Gary Johnson, Chief Marketing Officer, Vendormate