Description:
It’s a brave new world out there for business associates. The omnibus has finally been published and the industry is facing a September 2013 compliance deadline. Business associates needed to comply with the HIPAA security rule and the use and disclosure provisions of the privacy rule in February 2010 as a result of the HITECH Act. The Office for Civil Rights (OCR) held off on any enforcement activities. Now enforcement is set to begin September 23, 2013. A big change is a re-definition of who are business associates that greatly expands the number of companies that need to step up compliance efforts to avoid potential civil penalties down the road. Subcontractors who have access to or who store PHI need to sign those business associate agreements by September and be in a position to demonstrate compliance. If you represent a business associate or a soon-to-be business associate contractor, here are the top nine things you need to do to demonstrate compliance by September 23, 2013 and to avoid potential fines down the road.
Transcript
Page 1: 9 things you need to do to update your BA agreement

9 things you need to do to update your BA agreement

July 16, 2013

Chris Apgar, CISSP, Apgar & Associates, LLC

Andy Nieto, DataMotion

Page 2


Overview

■Business Associates & Omnibus Rule – An Overview

■9 Things You Need to Do to Update Your Business Associate Agreement

■Encryption/securing data

■Summary

Page 3

Business Associates & Omnibus Rule – An Overview

■HITECH Act requires business associates (BA) to comply with HIPAA Security Rule, as well as certain use and disclosure provisions of the Privacy Rule and the Breach Notification Rule

■BA contracts or agreements still required

■U.S. Dept. of Health and Human Services (HHS) expanded definition of BAs to include subcontractors

Page 4

Business Associates & Omnibus Rule – An Overview

■Expanded definition of BA:

» A person (vendor entity or individual) who contracts directly or downstream from a covered entity and creates, receives, maintains/stores, or transmits PHI

» Subcontractor of BA who creates, receives, maintains/stores, or transmits PHI on behalf of a BA

Page 5

Business Associates & Omnibus Rule – An Overview

■A “person” is determined to be a BA based on business or clinical functions performed involving PHI and not based on the fact that a BA contract has or has not been executed

■Covered entities, business associates, and subcontractors all responsible for ensuring a BA contract or agreement has been executed

Page 6

Business Associates & Omnibus Rule – An Overview

■Subcontractor must execute and comply with a BA contract or agreement

■Subcontractor of subcontractor is also a BA, all the way “down the chain”

■Subcontractors required to adhere to certain use and disclosure provisions of the HIPAA Privacy Rule, the full Security Rule, and the Breach Notification Rule

■All subject to civil penalties

Page 7

New Business Associates

■Rule includes specific entities in the definition of BAs:

» Patient Safety Organizations (e.g., private entities similar to Oregon Patient Safety Commission)

» Health information organizations

» E-prescribing gateways

» Covered entity contracted personal health record vendors (does not include patient portal vendors)

Page 8

New Business Associates

■Conduits not included but very narrowly defined – vendors who provide transmission services like ISPs, U.S. Postal Service, Comcast, Xfinity, and so forth

■Vendors who store PHI are BAs, even if the PHI is encrypted and there is no intended access to the PHI

■Includes vendors who store non-electronic PHI

■Impacts cloud or SaaS vendors such as EHR, hosting and data backup vendors

Page 9

More on Business Associates

■ACO governance/management are business associates of all network providers

■BAs may use or disclose PHI only as defined pursuant to the BA contract or agreement or as required by law

■Subcontractors subject to requirements of the initial covered entity’s BA contract or agreement or BA’s contract or agreement, whichever is most stringent

Page 10

More on Business Associates

■BAs and subcontractors required to adhere to minimum necessary rules – if not, it’s a breach of unsecured PHI

■If the BA knows of subcontractor's noncompliance and doesn’t take steps to cure the violation or terminate the contract, the BA may be subject to civil penalties

Page 11

The Nine Things – Risk Analysis

■Look inside first and then make sure your BA has done the same

■One of the first requirements in the HIPAA Security Rule – conduct a risk analysis (and mitigate)

■A “must do,” HIPAA or no HIPAA

■Don’t forget people – your biggest risk

■Make sure you conduct one and your downstream BA vendors do the same

Page 12

The Nine Things – Risk Management

■Implement a risk management program after, or while, mitigating identified risks

■It needs to be robust, an on-going process and periodically updated to address new risks and risks you find need to be mitigated

■Ask the question: has my BA implemented a risk management program?

■Unaddressed BA risks become your risks

Page 13

The Nine Things – Policies & Procedures

■Where are those policies and procedures?

■HIPAA Privacy Rule and Security Rule require them

■Referenced in OCR’s “Culture of Compliance”

■Make sure current, accurate, enforceable and communicated

■Don’t make BAs use your policies but make sure they have it covered – avoid agency while reducing risk

Page 14

The Nine Things – Training

■You may be training those new employees but are you training your existing workforce?

■Training is not a one-time event

■Training equates to reduced people risk

■Train your BAs in a non-prescriptive way

» Compliance requirements

» Expectations (may be more stringent than HIPAA)

» Don’t forget subcontractors

Page 15

The Nine Things – Audit Program

■HIPAA and OCR require it – solid audit program

» Information systems activity review

» User login monitoring

» Audit log monitoring

» Evaluation

■Just because it’s addressable doesn’t mean it’s optional

■Periodically conduct mini-BA audit

Page 16

The Nine Things – Security Incidents & Breaches

■If a security incident occurs, do you know what to do?

■Security incidents versus breaches and what’s reportable now and in September

■Encryption – not reportable

■Security incident response plan – is it complete and is it tested?

■Prepare for mitigation and notification

Page 17

The Nine Things – Security Incidents & Breaches

■Breaches often the starting point for OCR investigations

■BAs should know – CEs only determine risk unless specifically delegated by contract

■Make sure to add who will pay the bills – BA breach indemnification language

■Do your BAs know who to notify if a breach of unsecured PHI occurs?

Page 18

The Nine Things – Timeline to Amend & Execute BA Contracts

■Omnibus Rule compliant amended or new BA contracts or agreements (BAA) must be executed by September 23, 2013

■Covered entities may have additional time to execute amended BAAs, but BAs do not when it comes to subcontractors

■If evergreen and periodically expiring contracts were compliant with pre–Omnibus Rule provisions (including HITECH) by January 24, 2013, covered entities have one additional year to amend contracts

Page 19

The Nine Things – Timeline to Amend & Execute BA Contracts

■If current BAAs don’t comply with pre–Omnibus Rule or no BAA has been executed, must execute compliant BAAs by September 23, 2013

■New or amended BAAs executed after March 26, 2013, should be compliant with Omnibus Rule

■All BAAs must be updated no later than September 22, 2014

Page 20

The Nine Things – Mobile Device & BYOD

■If you have a BYOD program, are you limiting your risks?

» Workforce training

» Mobile device management applications

» Sign that BYOD use agreement

» Encrypt hard drives, flash drives and portable media

» Encryption at rest/in motion

■Mobile device management programs need to be formal, communicated and enforceable to limit risk

Page 21

The Nine Things – Business Continuity

■Are you and your downstream vendors ready for data loss or corruption, loss of power or greater disaster?

■If you rely on a BA to support you in a disaster, do you have a plan, a contract and have you tested it?

■A draft plan, or a plan that hasn’t been communicated, won’t work when things fail and bad things happen

Page 22

HIPAA, Business Associates and Encryption

Andy Nieto

Page 23

HIPAA Privacy Rule

■The Privacy Rule provides federal protections for personal health information held by covered entities, and gives patients an array of rights with respect to that information.

■At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.

Page 24

Electronic Communication

The Privacy Rule is not anti-electronic. You can communicate with patients, providers, and others by electronic means, with the implementation of appropriate safeguards to protect patient privacy.

Encryption

Secure Messaging

Page 25

Encryption is a HIPAA Silver Bullet

Page 26

BA contract contents should identify - Privacy

■Ensure privacy by controlling access

■Encrypt the data

■Control who can decrypt

Page 27

BA contract contents should identify - Security

■Require safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity;

■Encrypt data in all modes

» Storage

» Transport

■Provide the ability to track and retract as needed

Page 28

Assumption of Breach

■Guilty until proven innocent

■Encrypt, track, audit

Page 29

Protection from Breach Notification

■Only exception to breach notification is if PHI disclosed was secured with encryption

Page 30

But I don’t want to encrypt!

■It’s not required.

■Covered entities must employ “reasonable and appropriate” solutions to ensure PHI security. If not encrypted, then …?

Page 31

Best Practices

■Assess what needs to be encrypted

■Make it easy to use and train

■Use logging and tracking

■Maintain normal business processes

Page 32

Other Considerations

■Attachments and moving data (how)

■Mobile device integration

■End user initiated communication

Page 33

Summary

■Time to comply is running out

■Educate but don’t prescribe – avoid agency while reasonably ensuring compliance

■Pay close attention to the two top risks – BYOD and risk analysis

■Leverage technology solutions for secure messaging and encryption

Page 34

Questions

Chris Apgar, CISSP

Andy Nieto
