Healthcare organizations cite “willingness to sign a BAA” as their top consideration when evaluating cloud service providers (CSPs). But what are you really signing up for when you execute your CSP’s BAA? Are you getting the protection your organization needs? Steve Yoost, General Counsel of HOSTING, discusses how to ensure your BAA safeguards your PHI and meets your HIPAA compliance needs.
Housekeeping
• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar
• Please submit questions via the button on the upper left of the viewer
• If we don’t get to your question during the webinar, we will follow up with you via email
• Download related resources via the “Attachments” button above the viewing panel
• On Twitter? Join the conversation: @HOSTINGdotcom
HOSTING Overview
[Infographic: 6; 400; 380 Employees; Independent Audits In 2014; US-based Datacenters; SOC 2 Type II; SOC 3 Certified; HIPAA Compliant; 180 Healthcare Customers; 1st CHIME Launch Partner; CHIME Technologies Cooperative Member Services Program]
HOSTING and CHIME
For more info, visit http://www.hosting.com/chime/ in the “Attachments” section.
Learning Objectives
• Discuss three actions to take before signing a BAA
• Identify key terms that every BAA should have
• Describe terms and loopholes to avoid in a BAA
HIPAA Basics: Omnibus Rule
• HIPAA requires the protection and confidential handling of protected health information (PHI)
• Omnibus Rule (amendment) to HIPAA:
  • January 2013 passage
  • Subsequent compliance rollout
• Impact of the Omnibus Rule with regard to third-party providers:
  • Requires compliance from an entity that “creates, receives, maintains, or transmits PHI on behalf of customers that are health care providers, health plans, or health care clearinghouses”
HIPAA Basics: CEs and BAs
• “Covered Entities”
  • Health care providers, health plans, and health care clearinghouses
  • Examples: physicians, hospitals, health insurance companies, healthcare billing services, value-added healthcare networks
• “Business Associates”
  • Entities that create, receive, maintain, or transmit PHI on behalf of Covered Entities
  • Examples: records storage companies, data analysis companies, hosting providers
HIPAA Basics: CEs and BAs
• “Business Associates” Exceptions:
  • “Janitor Clause” – organizations whose functions or services do not involve the use or disclosure of protected health information, and where any access to PHI would be incidental, if at all
  • “Conduit Clause” – organizations that merely act as a conduit for protected health information
HIPAA Basics: PHI
• “PHI”
  • Information that (1) is created or received by a health care provider, health plan, or health care clearinghouse; (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (3) identifies or could be used to identify the individual
  • Examples: name, address, dates (birthdate, admission date, release date, etc.), phone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and license plate numbers, URLs, IP address numbers, biometric identifiers, and photographs
What is a BAA?
• Contract that creates obligations between parties:
  • Business Associates and Covered Entities
  • Business Associates and Subcontractors
• Purpose: ensure the parties have obligations to treat PHI in compliance with HIPAA
• Required by HIPAA under certain circumstances
Two Kinds of BAAs
1. Between Covered Entities and Business Associates
2. Between Business Associates and Subcontractors
Three Things to Do before Signing a BAA
1. Assess your Risk
2. Assess your BAA
3. Assess your Business Associate
Three Things to Do before Signing a BAA: Assess Your Risk
1. Internal compliance
2. HIPAA compliance
3. Legal risk
4. Data breach expense
Three Things to Do before Signing a BAA: Assess Your BAA
1. Use a compliant BAA
2. Use the right kind of BAA
3. Ensure flow-down
Three Things to Do before Signing a BAA: Assess Your Business Associate
1. Certification
2. Guarantees
3. Check the breach list (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
4. Insurance
Key BAA Terms
• Preamble
• Section 1: Definitions
  • Taken from HIPAA
• Section 2: What Business Associate will and will not do
  • Ex: use and disclosure restrictions, safeguards, notice
• Section 3: What Covered Entity will and will not do
  • Ex: compliance with law, notice of changes
• Section 4: Term and Termination
  • At end, return or destroy PHI; if kept, maintain protections
• Section 5: Miscellaneous
HHS Form of BAA
See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
Business Associate Contracts
SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS
(Published January 25, 2013)
Introduction
A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information…
Learning Objectives
• Discuss three actions to take before signing a BAA
• Identify key terms that every BAA should have
• Describe terms and loopholes to avoid in a BAA
Q&A
Steve Yoost | General Counsel, HOSTING
For more information about services by HOSTING, please contact our team at 888.894.4678.