To BAA or not to BAA: Understanding and Navigating the Business Associate Agreement
IT, Privacy, & eCommerce Committee

Date post: 18-Jan-2018
Transcript
Page 1: To BAA or not to BAA Understanding and Navigating the Business Associate Agreement IT, Privacy, & eCommerce Committee.


Page 2

Introductions
• Robyn Diaz, Senior Vice President and Chief Legal Officer, St. Jude Children’s Research [email protected]
• Martin Edwards, Compliance Officer, Dell Services Healthcare and Life [email protected] @mle615
• K Royal, VP, AGC, Privacy & Compliance, CellTrust [email protected] @HeartofPrivacy
• Brian Smith, Assistant General Counsel, Wellmark, [email protected]

Page 3

Agenda
• Speaker views
• Brief HIPAA overview
• What is and is not a BA
• Contract Negotiation
  – Templates
  – Important Clauses
• Vendor Oversight

Page 4

Explain the rules of the game

Page 5

Prize ladder: $25,000, $15,000, $10,000, $7,000, $5,000, $3,000, $2,000, $1,000, $500, $100

Rules
• You don’t know the value of a question until you answer it
• You can stop and keep half the money
• If you miss, you lose it all
• Three lifelines: ask the crowd, 50/50, and plus 1 (for our purposes, we will rotate)
• Rely on the honor system

Speaker notes: Develop a playsheet with money amounts, lifelines, and amount won. List Questions 1-10 with checkboxes to the side for using a lifeline, the amount to win, and whether the player quit. Develop graphics and sound.

Page 6

Question 1
The U.S. federal law that governs health information is:
A. HIPAA
B. HIPPA
C. FERPA
D. The U.S. does not have one

Page 7

Page 8

HIPAA OVERVIEW

Page 9

HIPAA
• HIPAA Privacy Rule
  – Use and Disclosure
  – Access
• HIPAA Security Rule
  – Protection and integrity of health information
  – Availability of health information
  – Administrative, Technical and Physical controls

Page 10

Question 2
HITECH means:
A. Health Information Technology
B. Health Information Transformation of Existing Collaborative Health
C. Highly Intelligent Technological Enabled Consumer Health
D. Health Information Technology for Economic and Clinical Health

Page 11

HITECH (Health Information Technology for Economic and Clinical Health)
– Adoption of electronic medical records
– Widened the scope of privacy and security protections to cover:
  • Covered Entities
  • Business Associates

Page 12

Question 3
OCR (in this presentation) means:
A. Office of Civil Rights
B. Optical Character Recognition
C. Office for Civil Rights
D. Online Character References

Page 13

Enforcement actions: OCR
• Oversees the enforcement of the HIPAA Privacy and Security Rules
• As of June 30, 2015 (since April 2003):
  – 117,474 complaints received
  – 1,219 compliance reviews
  – Resolved 94% of the complaints

Page 14

Business Associate Breaches
– Health Management Systems (HMS)
  • 4,334 affected
  • Unauthorized disclosure
– Digital Health Management
  • 189,489 affected
  • Improper disposal of film/paper
– RCR Technology Corporation
  • 187,533 affected
  • Improper disposal of film/paper
– Shred-it International Inc
  • 277,014 affected
  • Improper disposal of paper

Page 15

OCR Audits
Phase 1: Covered Entities
– Privacy Rule requirements
– Security Rule requirements
– Breach Notification Rule requirements

Phase 2: Covered Entities and Business Associates
– Approximately 150 of the 350 selected CEs, and 50 of the selected BAs, for compliance with the Security Standards
– 100 CEs for compliance with the Privacy Standards
– 100 CEs for compliance with the Breach Notification Standards

Page 16

State Enforcement Examples:
– CT – HealthNet (2009)
– MN – Accretive Health (2012)
– MA – South Shore Hospital (2012)
– MA – Goldthwait Associates (2013)
– MA – Women & Infants Hospital of Rhode Island (2014)

Page 17

WHAT IS AND IS NOT A BA

Page 18

Question 4
Business Associates under HIPAA must:
A. Provide a notice of privacy practices
B. Follow the HIPAA Security Rules
C. Agree to all requests made by patients
D. Submit all records to the NSA

Page 19

Question 5
Which of the following is traditionally NOT a BA?
A. Law firm
B. Radiology referral
C. PaaS provider
D. Audit firm retained by your company

Page 20

Who is a Business AssociateExcept as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

(i) On behalf of such CE or of an organized health care arrangement in which the CE participates, but other than in the capacity of a member of the workforce of such CE, creates, receives, maintains, or transmits PHI for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or

(ii) Provides, other than in the capacity of a member of the workforce of such CE, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such CE, where the provision of the service involves the disclosure of PHI from such CE or from another BA of such CE to the person.

45 CFR 160.103

Page 21

Who is not a Business Associate
(i) A health care provider, with respect to disclosures by a CE to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (…)
(iii) A govt agency, with respect to determining eligibility for, or enrollment in, a govt health plan that provides public benefits and is administered by another govt agency, or collecting PHI for such purposes, to the extent such activities are authorized by law.
(iv) A CE participating in an organized health care arrangement (…)

Page 22

Scenarios

Page 23

Downstream BAs
Downstream BAs may be subcontractors performing BA-related services for BAs.
Flow the HIPAA Security requirements down to downstream BAs.

Page 24

Question 6
Who has ultimate responsibility for patient data?
A. Covered Entity
B. Business Associate
C. Patient
D. OCR

Page 25

Coordinating BA & Vendor Oversight
• Protecting your data is your responsibility!
• Validate security practices
• Ensure compliance with laws
• Protect your data (PHI/PII)
• Ensure adequate insurance

Page 26

Contract Negotiation

Page 27

Due Diligence & Contract Fulfillment
• Types of Data
• Vendor classification and due diligence
• Will they execute a BAA?
• Formal due diligence process
• Offshore resource use
• Vendor Data Security training responsibility
• Vendor Compliance Management

Page 28

Templates
• Considerations
  – Administrative resources available
  – Number of contracts
  – Company philosophy
• Business Associate/Covered Entity/Both
• Leverage/Bargaining power

Page 29

HIPAA Required Clauses
• Establish permitted and required uses and disclosures of PHI
  – Not use or disclose PHI in a manner that would violate the Privacy Rule if done by the CE
  – Use appropriate safeguards to prevent use/disclosure of PHI
  – Comply with the Security Rule
  – Report to the CE any security incident, and any use or disclosure of PHI not permitted by the agreement
  – Subcontractors agree to the same restrictions and conditions for PHI
  – Patient’s right to access
  – Amendment of PHI
  – Accounting of disclosures
  – Make its internal practices, books and records available to the HHS Secretary
• Include appropriate termination provisions

Page 30

Question 7
If a BA gets a subpoena for PHI, it should:
A. Refuse
B. Fight it
C. Acquiesce immediately
D. Check legality and alert the CE

Page 31

Indemnity
• Does BA direct liability make indemnification clauses unnecessary?
• What if the underlying agreement addresses indemnification?
• Might include:
  – Costs of breach notification and response
  – State penalties/costs
  – Selection of defense counsel
  – Attorney’s fees/Defense costs
  – Survival
• Mutual
• Insurance/financial status

Page 32

Question 8
Limitation of Liability is:
A. Included in HIPAA provisions
B. Never in a BAA
C. Cannot be negotiated
D. Must always be in a BAA

Page 33

Limitation of Liability/Damages
• Tie to underlying agreement
• Negotiable . . .
  – Limit to direct damages?
  – Consequential, special, indirect or incidental?
  – Should have known about the possibility of damages?
  – Limit to value of service?
  – Link to risk/amount of PHI?

Page 34

Other clauses
• Red Flag Rules
• PCI DSS
• Audit rights
• Data Breach
• Not outside the US

Page 35

Question 9
What set of standards does HIPAA require?
A. NIST and ISO 27000 series
B. AICPA: GAPP
C. None of these
D. All of these

Page 36

Security Considerations
• Amount of PHI
• Financial status
• Location
• Annual Compliance Certification or conduct audit
• Require Minimum Information Safeguards
  – Encryption – Federal Information Processing Standards (FIPS) 140-2 / NIST
  – Data Destruction – DoD Directive 5220.22-M; minimum seven-pass wipe (overwrite passes apply to magnetic media; for flash/SSD storage, require cryptographic erase or physical destruction instead)
  – DR/BC – Testing and Events
  – Access Restrictions
  – Pen Tests

Page 37

Security Considerations (continued)
  – Code Review/Code Scans
  – Log Management
  – Anti-Virus, Anti-Spyware – Installed and up-to-date
  – Intrusion Detection and Prevention

Page 38

State requirements
• Preemption
• Breach notification laws
• State common law principles
• Some state medical privacy laws
  – California Confidentiality of Medical Information Act
  – Iowa Mental Health Disclosure Law
  – Texas Medical Records Privacy Act
• Massachusetts 201 CMR 17 (BAs as holders of PI)

Page 39

Conflicting Contracts
• Conflicts may exist between:
  – You and your upstream or downstream
  – Your upstream and your downstream
• Possible liability under an agency concept?
  – Does your insurance cover agency-related liability?
  – Do possible breaches by downstream BAs create a need for additional insurance?
  – Should you review agreements impacting potential downstream liability?

Page 40

Managing BAs
• What information should be demanded of BAs upfront?
• Should CEs audit BAs for HIPAA compliance?
• Should CEs require BAs to provide proof of independent audits?

Page 41

Question 10
Which statement is true?
A. CEs always have the bargaining power.
B. BAs may be accountable to OCR, but CEs still have to do oversight.
C. A SOC 2 is the perfect audit report to have.
D. BAs now know what they should do under HIPAA.

Page 43