Date posted: 18-Jan-2018
To BAA or not to BAA
Understanding and Navigating the Business Associate Agreement
IT, Privacy, & eCommerce Committee
Introductions
• Robyn Diaz, Senior Vice President and Chief Legal Officer, St. Jude Children’s Research [email protected]
• Martin Edwards, Compliance Officer, Dell Services Healthcare and Life [email protected] @mle615
• K Royal, VP, AGC, Privacy & Compliance, CellTrust [email protected] @HeartofPrivacy
• Brian Smith, Assistant General Counsel, Wellmark, [email protected]
Agenda
• Speaker views
• Brief HIPAA overview
• What is and is not a BA
• Contract Negotiation
– Templates
– Important Clauses
• Vendor Oversight
Explain rules of game
Money ladder: $25,000, $15,000, $10,000, $7,000, $5,000, $3,000, $2,000, $1,000, $500, $100
Rules
• Don’t know value until answer question
• Can stop and keep half the money
• If miss, lose it all
• Three lifelines: ask the crowd, 50/50, and plus 1 (for our purposes, we will rotate)
• Rely on honor system.
Develop playsheet with money amounts, lifelines, and amount won. List Questions 1-10 with checkboxes to the side for using a lifeline, amount to win, and whether quit. Develop graphics and sound.
Question 1
The U.S. federal law that governs health information is:
A. HIPAA
B. HIPPA
C. FERPA
D. The U.S. does not have one
HIPAA OVERVIEW
HIPAA
• HIPAA Privacy Rule
– Use and Disclosure
– Access
• HIPAA Security Rule
– Protection and integrity of health information
– Availability of health information
– Administrative, Technical and Physical controls
Question 2
HITECH means:
A. Health Information Technology
B. Health Information Transformation of Existing Collaborative Health
C. Highly Intelligent Technological Enabled Consumer Health
D. Health Information Technology for Economic and Clinical Health
HITECH
HITECH (Health Information Technology for Economic and Clinical Health)
– Adoption of electronic medical records
– Widen the scope of privacy and security protections
• Covered Entities
• Business Associates
Question 3
OCR (in this presentation) means:
A. Office of Civil Rights
B. Optical Character Recognition
C. Office for Civil Rights
D. Online Character References
Enforcement actions: OCR
• Oversees the enforcement of HIPAA Privacy and Security Rules
• As of June 30, 2015 (since April 2003)
– 117,474 complaints received
– 1,219 compliance reviews
– Resolved 94% of the complaints
Business Associate Breaches
– Health Management Systems (HMS)
• 4,334 affected
• Unauthorized disclosure
– Digital Health Management
• 189,489 affected
• Improper disposal of film/paper
– RCR Technology Corporation
• 187,533 affected
• Improper disposal of film/paper
– Shred-it International Inc
• 277,014 affected
• Improper disposal of paper
OCR Audits
Phase 1: Covered Entities
– Privacy Rule requirements
– Security Rule requirements
– Breach Notification Rule
Phase 2: Covered Entities and Business Associates
– 150 (approximately) of the 350 selected CEs and 50 of the selected BAs for compliance with the Security Standards
– 100 CEs for compliance with the Privacy Standards
– 100 CEs for compliance with the Breach Notification Standards
State Enforcement Examples:
– CT – HealthNet (2009)
– MN – Accretive Health (2012)
– MA – South Shore Hospital (2012)
– MA – Goldthwait Associates (2013)
– MA – Woman and Infant’s Hospital of Rhode Island (2014)
WHAT IS AND IS NOT A BA
Question 4
Business Associates under HIPAA must:
A. Provide a notice of privacy practices
B. Follow the HIPAA Security Rules
C. Agree to all requests made by patients
D. Submit all records to the NSA
Question 5
Which of the following is traditionally NOT a BA?
A. Law firm
B. Radiology referral
C. PaaS provider
D. Audit firm retained by your company
Who is a Business Associate
Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such CE or of an organized health care arrangement in which the CE participates, but other than in the capacity of a member of the workforce of such CE, creates, receives, maintains, or transmits PHI for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such CE, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such CE, where the provision of the service involves the disclosure of PHI from such CE or from another BA of such CE to the person.
45 CFR 160.103
Who is not a Business Associate
(i) A health care provider, with respect to disclosures by a CE to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (…)
(iii) A govt agency, with respect to determining eligibility for, or enrollment in, a govt health plan that provides public benefits and is administered by another govt agency, or collecting PHI for such purposes, to the extent such activities are authorized by law.
(iv) A CE participating in an organized health care arrangement (…)
Scenarios
Downstream BAs
Downstream BAs may be subcontractors performing BA-related services for BAs
Flow down the HIPAA Security requirements to downstream BAs
Question 6
Who has ultimate responsibility for patient data?
A. Covered Entity
B. Business Associate
C. Patient
D. OCR
Coordinating BA & Vendor Oversight
• Protecting your data is your responsibility!
• Validate security practices
• Ensure compliance with laws
• Protect your data (PHI/PII)
• Ensure adequate insurance
Contract Negotiation
Due Diligence & Contract Fulfillment
• Types of Data
• Vendor classification and due diligence
• Will they execute a BAA
• Formal due diligence process
• Offshore resource use
• Vendor Data Security training responsibility
• Vendor Compliance Management
To Do
Templates
• Considerations
– Administrative Resources Available
– Number of Contracts
– Company Philosophy
• Business Associate/Covered Entity/Both
• Leverage/Bargaining power
HIPAA Required Clauses
• Establish permitted and required uses and disclosures of PHI
– Not use or disclose PHI in a manner that would violate the Privacy Rule if done by the CE
– Use appropriate safeguards to prevent use/disclosure of PHI
– Comply with the Security Rules
– Report to the CE security incidents or uses or unauthorized disclosures of PHI
– Subcontractors agree to the same restrictions and conditions for PHI
– Patient’s right to access
– Amendment to PHI
– Accounting of disclosures
– Make its internal practices, books and records available to the HHS Secretary
• Include appropriate termination provisions
Question 7
If a BA gets a subpoena for PHI, it should:
A. Refuse
B. Fight it
C. Acquiesce immediately
D. Check legality and alert CE
Indemnity
• Does BA direct liability make indemnification clauses unnecessary?
• What if underlying agreement addresses indemnification?
• Might include:
– Costs of breach notification and response
– State penalties/costs
– Select defense counsel
– Attorney’s fees/Defense costs
– Survival
• Mutual
• Insurance/financial status
Question 8
Limitation of Liability is:
A. Included in HIPAA provisions
B. Never in a BAA
C. Cannot be negotiated
D. Must always be in a BAA
Limitation of Liability/Damages
• Tie to underlying agreement
• Negotiable . . .
– Limit to direct?
– Consequential, special, indirect or incidental?
– Should have known about possibility of damages?
– Limit to value of service?
– Link to risk/amount of PHI?
Other clauses
• Red Flag Rules
• PCI DSS
• Audit rights
• Data Breach
• Not outside the US
Question 9
What set of standards does HIPAA require?
A. NIST and ISO27000 series
B. AICPA: GAPP
C. None of these
D. All of these
Security Considerations
• Amount of PHI
• Financial status
• Location
• Annual Compliance Certification or conduct audit
• Require Minimum Information Safeguards
– Encryption – Federal Information Processing Standards (FIPS) 140-2 / NIST
– Data Destruction – DoD Directive 5220.22-M; minimum seven-pass wipe
– DR/BC – Testing and Events
– Access Restrictions
– Pen Tests
Security Considerations
– Code Review/Code Scans
– Log Management
– Anti-Virus, Anti-Spyware – Installed and up-to-date
– Intrusion Detection and Prevention
State requirements
• Preemption
• Breach notification laws
• State common law principles
• Some state medical privacy laws
– California Confidentiality of Medical Information Act
– Iowa Mental Health Disclosure Law
– Texas Medical Records Privacy Act
• Massachusetts 201 CMR 17 (BAs as holders of PI)
Conflicting Contracts
• Conflicts may exist between:
– You and upstream or downstream
– Between your upstream and downstream
• Possible liability under agency concept?
– Does insurance cover agency-related liability?
– Do possible breaches by downstream BAs create a need for additional insurance?
– Should you review agreements impacting potential downstream liability?
Managing BAs
• What information should be demanded of BAs upfront?
• Should CEs audit BAs for HIPAA compliance?
• Should CEs require BAs to provide proof of independent audits?
Question 10
Which statement is true?
A. CEs always have the bargaining power.
B. BAs may be accountable to OCR, but CEs still have to do oversight.
C. A SOC2 is the perfect audit report to have.
D. BAs now know what they should do under HIPAA.
Resources
• HHS OCR http://www.hhs.gov/ocr/privacy/index.html
• NCSL http://www.ncsl.org/research/telecommunications-and-information-technology/privacy-and-security.aspx
• HIPAA Cow http://hipaacow.org/
• Bricker & Eckler http://www.bricker.com/resource-center/hipaa
• Mintz Levin chart http://www.mintz.com/newsletter/2007/PrivSec-DataBreachLaws-02-07/state_data_breach_matrix.pdf