After the Omnibus Rule – Who Can Touch Your e-PHI: Using a 3rd Party Vendor to Outsource Your e-PHI

On ramp hipaa-omnibus-presentation


Page 1

After the Omnibus Rule – Who Can Touch Your e-PHI: Using a 3rd Party Vendor to Outsource Your e-PHI

Page 2

Chad Kissinger

Chad Kissinger is a Texas Internet pioneer. In 1994, Chad founded OnRamp as one of Texas’ first Internet operations companies that provided enterprises the ability to connect to and effectively utilize the Internet. Over the years, OnRamp (www.onr.com) has grown into a leading Data Center Operations company that delivers a full suite of services designed to help its customers effectively maintain the confidentiality, availability and integrity of their IT operations without the cost or effort of building and maintaining data center and IT infrastructure.

Chad brings a wealth of experience, expertise and intimate knowledge in several areas of data center and Internet-related technology, including: HIPAA compliance, cloud computing, data centers, virtualization and disaster recovery. Chad is a leader in the Internet community, and has been a founding member, President and Legislative Chair of the Texas Internet Service Provider Association. He is also a recognized expert on ISP issues and has testified in front of the Texas House of Representatives, the Texas Senate and the United States House Telecommunications Subcommittee on a variety of Internet-related topics.

Page 3

Learning Objectives

1. This presentation is intended to promote an understanding of the recent changes required by the HIPAA Omnibus Rule and Texas HB 300 regarding third-party IT relationships.

This is not a comprehensive HIPAA or Omnibus Rule primer.

2. The goal of this presentation is to elicit a discussion and answer questions about forming relationships with providers of data services that will support your e-PHI.

Page 4

Perspective

• Lawyer

• Healthcare Provider

• Covered Entity

• Traditional Business Associate

• Data Center Providers, Cloud Providers, SAS Providers, etc.

Page 5

Overview

In the past, most providers of outsourced data services would execute Business Associate Agreements (BAAs) that required them to only take “reasonable” care in protecting the e-PHI they dealt with. Others declined to execute BAAs outright based on the conduit exception, a rule created for the US Postal Service and their electronic analogues – essentially an exception to HIPAA compliance for those who merely acted as a “conduit” for e-PHI. Covered Entities and their Business Associates wanted data service providers who would relieve them of their own responsibilities, and data service providers wanted no responsibility – but still wanted the business.

The HIPAA Omnibus Rule and TX HB300 have clarified the responsibilities of Covered Entities, Business Associates and their agents, with specific emphasis on the role of IT vendors. The conduit exception has been clarified to only apply to the USPS (FedEx, etc.) and Internet and telephone service providers. It does not apply to Business Associates who have persistent access to PHI.

The Omnibus Rule establishes direct liability for both the covered entity and the business associate, even in the absence of a BAA. Subcontractors of Business Associates who handle e-PHI are also Business Associates and each link in the chain from the covered entity on down has responsibility for mistakes made “downstream”.

Now, more than ever, it is important for Covered Entities to seek out relationships with 3rd party vendors, and particularly IT vendors, who both understand the law, as outlined by HIPAA and HITECH, and are making a conscientious effort to achieve compliance under the HIPAA and HITECH Acts.

This presentation will cover the top issues Covered Entities and Business Associates should address when considering outsourcing the handling of patient data.

Page 6

Glossary of Terms – Informal Definitions

Protected Health Information (PHI) – Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.

Electronic Protected Health Information (e-PHI) – PHI that is created, maintained or transmitted electronically.

Covered Entity – A covered entity under HIPAA is a Health Care Provider, Health Care Plan or Health Care Clearinghouse.

Business Associate – Any person or company that is not a covered entity and that “creates, receives, maintains or transmits” PHI for a covered entity or business associate.

Business Associate Agreement – The agreement between a covered entity and a business associate or between two Business Associates that clearly defines the permitted uses of PHI and the roles and responsibilities of each regarding the protection of PHI.

Page 7

Glossary of Terms – Informal Definitions (Continued)

Privacy Rule – The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

Security Rule – The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

Page 8

Glossary of Terms – Informal Definitions (Continued)

Breach Notification Rule – The requirement that Covered Entities and Business Associates notify patients when there has been an impermissible use or disclosure of protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. Breach Notification can be triggered by simply losing control of protected health information (PHI) or electronic protected health information (e-PHI), or by temporarily allowing others to have access to the PHI or e-PHI.

Page 9

Status Quo Ante

Before HITECH, data centers and other service providers would sign Business Associate Agreements (BAAs) stating they would take “reasonable care”; others would claim the conduit exception.

Page 10

Status Quo Ante (Continued)

Customers (Covered Entities/Business Associates) – were wary of outsourcing, or looked to providers that marketed their services as “providing compliance.”

Providers (who should be Business Associates) – refused to acknowledge responsibility, or assumed an industry standard of low responsibility for protection of data in their systems.

Custodians of e-PHI - either had to forgo the advantages of outsourcing or deal with the risk of using providers not focused on HIPAA.

Page 11

Provider’s Existing Regulatory Environments

• Payment Card Industry (PCI)

• Gramm-Leach-Bliley Act (GLBA)

• SAS 70 (SSAE 16)

Page 12

HITECH

HITECH established that Business Associates must comply with HIPAA and implement the specific protections contained in the Security Rule.

Page 13

Texas Medical Records Privacy Act / HB300

• Anyone who possesses, stores or obtains PHI is considered a covered entity.

i.e. Business Associate = Covered Entity

• HB 300 established the requirement for role based training.

Page 14

The Final Omnibus Rule

The Role of Business Associates

• Business Associates are responsible for protecting PHI in their custody with or without a signed BAA (established direct liability).

• Business Associates are directly liable for their subcontractor’s protection of PHI.

• Covered Entities are directly liable for their Business Associates and their Business Associates’ subcontractor’s actions.

Page 15

The Final Omnibus Rule

The Conduit Exception

The conduit exception is explicitly limited to the USPS and its electronic analogues:

• The conduit exception does not apply to entities that have persistent access to PHI.

• Cloud computing & data center providers, etc. must comply with HIPAA, TMRPA and HB 300.

Page 16

The Final Omnibus Rule

Additional Features

• Covered Entities must receive “satisfactory assurances” from their Business Associates that their PHI will be protected (i.e. that the BA will follow HIPAA) and that their business associate will get similar assurances from their subcontractors.

• “Risk of Harm” Standard for Breach Notification Rule eliminated.

• Violations of “minimum necessary” principle regarded as security incidents that need to be properly evaluated for breach notification.

Page 17

The Final Omnibus Rule

Risk Analysis – Breach or Security Incident

Covered Entities and Business Associates must conduct a risk analysis after a breach or security incident that examines the probability that the e-PHI has been compromised, rather than assessing the level of harm an exposure would cause, as the previous standard did.

Page 18

The Final Omnibus Rule

Risk Analysis - “Must Haves”

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification,

2. The unauthorized person who used the PHI or to whom the disclosure was made,

3. Whether the PHI was actually acquired or viewed; and

4. The extent to which the risk to the PHI has been mitigated.

Page 19

The Final Omnibus Rule

Security Incident Risk Analysis – The Result

“Presumption of Breach”

Unless the Security Incident Risk Analysis shows that there is a low probability that the PHI has been compromised, there is a presumption that the PHI has been compromised and Breach Notification must be performed.

Page 20

The Final Omnibus Rule

Breaches

Business Associates must report breaches of unsecured PHI up the chain, in addition to security incidents.

i.e. Business Associates report to their Covered Entity partners and Covered Entities report to individuals, the media, HHS, etc.

Page 21

Implications

Covered Entities/Business Associates are responsible for the actions of their Business Associates

I. You can be indemnified, but you are still directly responsible for your business associate’s actions.

II. Covered Entities and Business Associates are required to establish BAAs with their Business Associates and subcontractors.

III. There must be coordination & supervision of the relationship between Covered Entities and Business Associates to ensure compliance.

Page 22

Implications (cont.)

Ensuring Compliance

1. Responsibility matrix defining the division of responsibilities between entities for the protection of PHI.

2. Employee training designed to address the needs of the entity’s line of business and the employees’ scope of work.

3. Partner’s media handling & sanitization policies.

4. Information system development lifecycle.

5. Cooperative policies between you and your Business Associate.

6. Coordinated incident response procedures.

Page 23

Key Takeaways

• You must strive to create relationships with knowledgeable, compliant Business Associates.

• You must make sure your Business Associates remain compliant in dealing with PHI.

• You and your Business Associates must have training for your employees that is designed to address their activities regarding PHI.

Page 24

Workforce Security – Section 164.308(a)(3)

Implementation Specifications (for each specification: Description; Required or Addressable; Customer Responsibility; Provider Responsibility)

Workforce Access

Description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.

Required or Addressable: Required

Customer Responsibility: Customer will determine who has logical or physical access to Customer's systems at Provider's facilities or to systems provided by Provider for Customer's use.

Provider Responsibility: Provider will restrict physical access to Customer's systems and systems supplied by Provider for Customer's use to those authorized by Customer and will only implement physical, logical or electronic changes to Customer's systems upon direction from Customer authorized personnel.

Authorization and/or Supervision

Description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.

Required or Addressable: Addressable

Customer Responsibility: Customer will authorize and supervise all Customer personnel and vendors interacting with the systems located at Provider's facilities.

Provider Responsibility: Provider will authorize and supervise all Provider personnel and vendors interacting with Customer systems located at Provider's facilities.

Workforce Clearance Procedure

Description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

Required or Addressable: Addressable

Customer Responsibility: Customer will determine whether access is appropriate for all Customer personnel and vendors.

Provider Responsibility: Provider will determine whether access is appropriate for all Provider personnel and vendors.

Page 26

Questions?

Page 27

Contact

OnRamp Corporate Office

2916 Montopolis Drive, Suite 300

Austin, TX 78741

(512) 322-9200

(888) 667-2660

[email protected]

Copyright © 2013 OnRamp - 2916 Montopolis Drive, Suite 300, Austin, Texas 78741