Business Associate Risk
Assessing and Managing Business Associate Risk
Presented by CJ Wolf, MD, COC, CPC, CHC, CCEP, CIA, Healthicity Senior Compliance Executive
Disclaimer: Nothing in this presentation should be construed as legal advice nor relied upon as legal expertise. 1
Breaches of 500+ individuals
As required by section 13402(e)(4) of the HITECH Act, the HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals. As of Feb. 2016 approximately 20% were due to business associates.
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf 2
RevSpring, Inc. (3,000 individuals)
Due to a printing error at the covered entity's (CE) business associate (BA), patients received billing statements containing other patients' protected health information (PHI). The breach included names, account numbers, balances owed, procedure codes and descriptions, provider names, and dates of service. Following the breach, the CE obtained assurances from its BA that additional safeguards were implemented to prevent future disclosures. As a result of OCR's investigation, OCR reviewed the CE's policies and procedures to ensure compliance with the HIPAA Rules and reviewed the breach notification provided to affected individuals and the media. 3
4
KPMG LLP
An employee of Newark Beth Israel Medical Center's business associate (BA), KPMG LLP, lost an unencrypted USB drive that contained the electronic protected health information (ePHI) of 956 individuals. The ePHI included names and clinical information. The CE provided breach notification to HHS, the media and affected individuals. As a result of OCR's investigation, the BA installed and implemented encryption software on its electronic equipment and devices. In addition, the BA encrypted and password protected all equipment and devices that could contain the CE's data. The BA also reprimanded and retrained the employee and retrained all employees on safeguarding ePHI. 5
Global Care Delivery
Five password-protected, but unencrypted, laptop computers were stolen from Global Care Delivery, a business associate (BA) of the covered entity (CE), North Shore LIJ Health System. The laptops contained the protected health information (PHI) of 18,213 individuals, including names, dates of birth, insurance identification numbers (which contained Social Security numbers), and diagnoses and/or treatment codes related to claims. The BA notified police at the time of the incident, but did not notify the CE until May 11, 2015. The business relationship between the CE and BA ended effective May 11, 2015. The BA has closed its business. 6
E-dreamz
The credit card information of 9,988 patients of the covered entity (CE), Presbyterian Anesthesia Associates, P.A. (now known as Providence Anesthesia Associates, P.A.), was compromised when an unauthorized person gained access to the servers of E-dreamz, the CE's website hosting business associate (BA). The CE provided breach notification to HHS, the media, and affected individuals, and offered them a year of free credit monitoring and identity theft protection. In response to the breach, the CE hired an outside forensic computer specialist to investigate. Additionally, the CE terminated its service agreement with the BA and entered into a satisfactory BA agreement with a new website hosting vendor. The BA agreement prohibits storage of any PHI on the vendor's servers. The CE also reviewed and updated its HIPAA policies and procedures. 7
Dr. Veronica Joann Barber
Veronica Joann Barber, O.D., (VB) copied the covered entity's (CE) entire database and used the electronic protected health information (ePHI) to solicit patients for her own practice. VB worked at the CE's office under a space-sharing agreement until the CE terminated the agreement. The CE requested that VB cease and desist using the PHI, but she did not agree. The theft occurred on December 15, 2013, and affected 4,000 individuals. The ePHI involved in the breach included individuals' names, Social Security numbers, addresses, driver's licenses, dates of birth, other identifiers, credit card and bank account numbers, claims information, other financial information, diagnoses and medical conditions, medications, and other treatment information. The CE provided breach notification to HHS and affected individuals. Following the breach the CE installed computer firewalls. Based on OCR's provision of technical assistance, the CE notified the media and completed a risk assessment. It also improved safeguards by denying access by unlicensed persons to its computer systems and updating its policies and procedures regarding computer user names and passwords. The CE improved physical safeguards by moving the computer with the ePHI behind a 5-foot tall counter.
Pharmacy Chain Enters into Business Associate Agreement with Law Firm
Covered Entity: Pharmacy Chain
Issue: Impermissible Uses and Disclosures; Business Associates
A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer's PHI. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement. 8
http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
Steps to Protect Yourself
Assess the Business Associate's Preparedness/Exposure (due diligence)
Contractual Protections
Specificity of Tasks and Requirements (Statement of Work) 9
Has the BA performed a risk analysis? When? What were the results?
What reasonably anticipated threats to ePHI and system vulnerabilities were identified?
What were the top 3 risks identified?
What mitigation steps have been taken to address the identified risks?
Does the BA have a written privacy policy? Are employees required to attest to the policy annually?
Does the BA have a privacy officer? Are the privacy duties part-time or full-time? Is the privacy officer a high-level employee? 10
Does the BA have a written security policy? Are employees required to attest to the policy annually?
Does the BA have a security officer (HPI)? Are the security duties part-time or full-time? Is the security officer a high-level employee?
Does the BA require employees to complete HIPAA training? Is completion of the training documented? Must the training be completed before the employee is given access to functions that expose PHI? 11
Has the BA proactively had an independent third-party audit of its HIPAA compliance program? When? What were the results?
What were the top 3 risks identified? What mitigation steps have been taken to address the identified risks?
Was penetration testing performed?
Encryption: What are the encryption levels? Are all portable devices encrypted? Mobile phones? Laptops? Tablets? Portable flash drives/USB drives? 12
What is the documented communication plan if contacted by OCR or another regulatory body? Does it include timely deadlines for contacting the CE? Who will be contacted? How?
What is the documented plan for a breach? Is there a written policy that incorporates the Breach Notification Rules?
What are the physical security standards for all the sites of the BA?
Does the BA have a written procedure for compliant destruction of PHI? Has the CE reviewed the procedure? 13
Compliance Manager: Total Management, Complete Guidance, Affordable for Everyone, Bonus Resources
Compliance Services: Leverage an Expert, Optimize Revenue, Improve Accuracy, Save Time 14
Questions? cj.wolf@healthicity.com 15