3. Welcome!
Updating Business Associate requirements
The roles of BAs, Subcontractors and Agents
Amending Business Associate Agreements
New Violation Categories and Penalties
Audits, Remediation and Good Faith Efforts
4. Changing BA Rules
Prior to HITECH, management of ePHI security
was loosely defined. The law required BAs to
“use appropriate safeguards.”
There was no standard relating to how data would
be protected, and no way to validate whether the
BA was actually following the standard.
5. Changing BA Rules
Encryption and virus protection as cases in point
Laptops do not necessarily have disks encrypted
Workstation users often disable virus protection
System patching has also emerged as an issue
6. Changing BA Rules
Best intentions created worst-case scenarios
Limited IT resources in many CEs
Too many IT issues to handle
BA changes inevitable given EMR adoption
7. Redefining Business Associates
BAs are “persons who, on behalf of a covered
entity (but other than as members of the covered
entity’s workforce) perform or assist in performing
a function or activity that involves the use or
disclosure of individually identifiable health
information, or that otherwise is regulated by
HIPAA.”
8. Redefining Business Associates
HITECH requires BAs to comply directly with
Security Rule provisions directing implementation
of administrative, physical and technical
safeguards for ePHI and development and
enforcement of related policies, procedures and
documentation safeguards including designation
of a security official.
9. Redefining Business Associates
HITECH also imposes on the BA an obligation to
comply directly with HIPAA BA safeguards,
including limiting use and disclosure of ePHI as
specified in the BAA or required by law, facilitating
access and accounting for disclosures, opening
books and records to DHHS, and returning or
destroying all ePHI, if feasible, upon termination of
the Business Associate Agreement.
10. Redefining Business Associates
HITECH deems a BA to violate HIPAA if the BA
“knows of a pattern of activity or practice” by the
CE that breaches their BAA and the BA fails to cure
the breach, terminate the BAA or report the
non-compliance to DHHS.
11. Subcontractors and Agents
The BA must require subcontractors and agents to
provide reasonable written assurance that they will
comply with the same restrictions and conditions
that apply to the BA under the terms of the BAA
with respect to PHI.
12. Required Capabilities
Accounting of Disclosures and Audit Trail issues
Accounting provision only covers “disclosures”
CEs and BAs must account for narrow category
Includes disclosures to law enforcement
13. Required Capabilities
Protecting Data
BA restricts access to PHI via password, criteria
Servers in secured computer room; limited access
Data received and forwarded automatically
Archives and backups in fireproof safe
14. Required Capabilities
Proper Disposal of Data
At end of BAA, data deleted from BA systems
No printed reports or paper copies retained by BA
Printed reports are shredded upon completion
15. Required Capabilities
Privacy and Security Measures
Employees, contractors, subs, agents must sign
BA supports 128-bit encryption for all reports
Restricted access to PHI on need-to-know basis
Automatic expiration of passwords
Restricted access to computer room, servers
16. Required Capabilities
Privacy and Security Measures
Mandatory HIPAA training for all employees
Monitored security system
Automated data backups, stored in safe
Automated virus checks
Employee termination security procedures
17. Elements of BAAs
BA agrees not to use PHI outside requirements
BA agrees to use appropriate safeguards
BA mitigates disclosure that violates BAA
BA reports disclosures to CE
BA agrees to document disclosures
18. Elements of BAAs
BAA specifies purposes for use of PHI
Functions, activities or services on behalf of CE
May use PHI to provide data aggregation to CE
May use PHI to report violations of the law
19. Elements of BAAs
CE must notify BA of limitations in privacy practice
Notify BA of changes in PHI disclosure procedures
Notify BA of any restriction of PHI use, disclosure
20. Elements of BAAs
BAA must set forth term and termination provision
Upon termination, BA returns or destroys PHI
Provision applies to subcontractor or agent PHI
BA shall retain no copies of PHI
If returning unfeasible, BA must specify conditions
21. Amendments and Provisions
There’s no clear consensus on the implications of
HITECH for BAAs. Since HITECH directly
regulates BAs and imposes new privacy and
security obligations, there may be little need to
update existing contracts. However, § 13401 and
13404 mandate that HITECH security and privacy
provisions be “incorporated into the BAA.” Your
need to amend may depend on existing language
and interpretation by the parties to the agreement.
22. Making the Transition
CEs directly responsible for “workforce” conduct
“Workforce” includes employees, volunteers
Also trainees and others working under CE control
23. Making the Transition
A broader definition: Temporary employees,
outsourced staff, and BA employees who are, by
contract, the responsibility of the CE are all part of
the CE “workforce.” CEs that fail to properly
respond to BA non-compliance may have violated
HIPAA.
24. Making the Transition
Enhanced enforcement provisions in HITECH may
prompt CEs to seek broader assurances from BAs
– some form of indemnification. BAs are likely to
seek protection for actions taken at the direction
of the CE, and to impose other limits on liability in
connection with the BAA.
25. New Violation Categories
The person did not know (and by exercising
reasonable diligence, would not have known) that
the action would lead to a violation:
$100 per violation; total per calendar year (CY) $25,000
29. Audits, Remediation and Good Faith Efforts
HIPAA audits are relatively new and still very rare.
They include a site visit and an audit report. Site
visits comprise interviews with stakeholders and
examination of physical features of Health
Information Systems. Site audits check physical
safeguards, daily operations, adherence to policies
and compliance with HIPAA requirements.
30. Audits, Remediation and Good Faith Efforts
HIPAA remediation addresses “gaps” identified via
risk analysis. After the “gap analysis” is complete,
begin prioritizing remediation targets. “Quick hits”
are key and can be anything your organization is
confident will require few resources to correct ...
and they will often demonstrate “good faith” progress
toward compliance.
31. Audits, Remediation and Good Faith Efforts
Remember ... problems will not all be of the same
priority. Some problems will involve relatively
flagrant or obvious violations of HIPAA privacy
mandates. These generally need to be addressed
as high priorities. Identify the resources needed to
work through these issues first.