Business Associate Agreements Between Covered Entities

During our mock HIPAA audit process, we always verify Business Associate Agreements (BAAs) for our clients who are either Covered Entities (CEs) or Business Associates (BAs). In the process of deciding which BAAs are required, we are often asked about what agreement needs to be in place between two CEs who are working together.

For instance, one physician may refer a patient to a specialist physician. The first physician may send over medical records to the specialist. My clients want to know if a BAA is required between these two physicians.

At first glance, it seems as though a BAA might be required. Let’s look at the law itself:


Business associate:

(1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:

  • (i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
  • (ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

(2) A covered entity may be a business associate of another covered entity.

(3) Business associate includes:

  • (i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
  • (ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
  • (iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

(4) Business associate does not include:

  • (i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
  • (ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
  • (iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
  • (iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

The answer, it turns out, is that two CEs both treating the same patient do not need a BAA to share Protected Health Information (PHI).

For Example:

  • A hospital is not required to have a business associate contract with the specialist to whom it refers a patient and transmits the patient’s medical chart for treatment purposes.
  • A physician is not required to have a business associate contract with a laboratory as a condition of disclosing PHI for the treatment of an individual.
  • A hospital laboratory is not required to have a business associate contract to disclose PHI to a reference laboratory for treatment of the individual.

Alternatively, there could be a situation where two Covered Entities want to work together and share PHI for patients that aren’t being treated by both CEs. In that case, a Covered Entity can also be classified as a Business Associate requiring a Business Associate Agreement between the two organizations.

It is unusual for a Covered Entity to be a BA of another Covered Entity, but it does happen. For instance, two research hospitals might be working together on a research project. They may share PHI in the course of their research. If both CEs aren’t treating the patient, then depending on other circumstances, the two hospitals may need a BAA on file.

If your situation doesn’t involve caring for the same patient, double-check the law and see if you need a Business Associate Agreement.

If you fall into the majority by only sharing PHI with other CEs who are also treating your patient, you should not need a formal agreement drawn up and signed.

How to Prepare For HIPAA Breaches

There are many steps you can take to prepare your organization for a HIPAA breach. If you are proactive, you can mitigate the severity of a breach considerably. And if you have the right policies in place, you can save your practice from large fines and other financial costs. Let’s go over the things your practice should do to prepare for a HIPAA breach.

Be Prepared

The first step to handling HIPAA breaches is preparation. Do you have a written policy outlining the steps to follow if you suspect or know there is a breach? Your written policy should touch on everything else I will mention below. It should be fairly comprehensive, including who is in charge of investigating the breach and how each step will be handled.

Train Your Staff

Writing a plan is not enough; your employees must be taught how to find and follow that plan. During your yearly HIPAA trainings you must review the steps an employee should take if they suspect or know about a breach.

Give Employees A Way To Anonymously Report Breaches

The law requires that employees not be afraid of retaliation for reporting a breach. To accomplish this, there must be a way for employees to report breaches anonymously if they feel they would be retaliated against. You must teach them how to report a breach anonymously during their annual HIPAA trainings.

Teach Your Business Associates To Report Breaches Back To You

Make sure each outside company you do business with that has access to your patients’ data is aware that it must report suspected breaches to you. Make sure your Business Associate Agreements are updated to include who is responsible for contacting patients in the case of a breach. Generally you would want this responsibility to fall on the Business Associate if they cause the breach. This moves most of the liability and cost onto the Business Associate who causes a breach.

As Soon As A Breach Is Known About Or Suspected, Perform A Risk Assessment

After finding out about a breach situation, immediately begin an investigation. Perform a risk assessment to find out what was breached and whether any Protected Health Information may have been stolen or lost. Find out what caused the breach so you can remediate any gaps in your security or policies.

Notify All Affected Parties

You have 60 days from finding out about the breach to notify any patients whose data was breached. You will need to send notices by first class mail (or email if your patients have opted in to receive notices that way) to each patient affected. You will likely be required to provide credit monitoring to the affected patients. You must also notify the Office of Civil Rights about any breaches. If a breach affects fewer than 500 patients, you must notify the OCR within 60 days of the end of the calendar year in which the breach was discovered. If a breach affects 500 or more patients, you must notify the OCR within 60 days of discovery of the breach and you must contact the media and provide them with a press release. Contacting the media allows the affected patients to find out about the potential threat of identity theft more quickly.

Log Everything

If there is a breach, start logging everything from day one: any discussions you have with employees, any information about the breach, whom you contact, what led to the breach, what you are doing to stop future breaches, etc. Log it all and keep it on hand for the OCR. They will want to see that you acted promptly and did what you could to protect your patients.

Rules For Sending And Receiving Protected Health Information (PHI)

HIPAA requires that covered entities (organizations that provide treatment to patients, bill insurance plans, or create protected health information (PHI)) protect their PHI. This protection extends to sending and receiving PHI. Moreover, there are specific rules for how to send PHI to outside entities like other practices, insurance companies, and patients themselves.

First, let’s define Protected Health Information.

  • Protected Health Information is medical information that contains any of the following uniquely identifying characteristics:
    • Names
    • All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
    • All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
    • Phone numbers
    • Fax numbers
    • Email addresses
    • Social Security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Device identifiers and serial numbers
    • Web Universal Resource Locators (URLs)
    • Internet Protocol (IP) address numbers
    • Biometric identifiers, including finger and voice prints
    • Full face photographic images and any comparable images
    • Any other unique identifying number, characteristic, or code

That’s a pretty hefty list of uniquely identifying characteristics. Basically, if you can use a piece of information to single out a person’s medical information, all of that information becomes Protected Health Information.
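As an added illustration (not code from the original post) of the identifier rules quoted above, the function below removes the direct identifiers and generalizes ZIP codes, dates and ages the way the list describes. The set of restricted three-digit ZIP prefixes, the field names and the sample records are constructed placeholders; the real prefix list has to come from current Census data.

```python
"""Safe Harbor-style de-identification of a patient record.

Added illustration of the identifier list above; not code from the original
post. The restricted ZIP prefixes and sample records are CONSTRUCTED
placeholders, not real data.
"""
import re
from datetime import date

# Constructed placeholder: 3-digit ZIP areas containing 20,000 or fewer
# people, which must be reported as "000". Derive the real set from Census data.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Field names (assumed) holding identifiers that are removed outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}


def generalize_zip(zip_code):
    """Keep only the first three digits, or "000" for a restricted area."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) != 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def generalize_age(years):
    """Ages over 89 collapse into the single category "90 or older"."""
    return "90 or older" if years > 89 else str(years)


def deidentify(record, as_of):
    """Return a new dict with identifiers removed or generalized.

    record: field -> value; date values keep only their year. as_of is the
    date used to compute age from birth_date. Fields not listed above are
    kept, so a real deployment still has to review them against item 18
    ("any other unique identifying number, characteristic, or code").
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif isinstance(value, date):
            out[field] = str(value.year)  # dates keep the year only
        else:
            out[field] = value
    birth = record.get("birth_date")
    if isinstance(birth, date):
        had_birthday = (as_of.month, as_of.day) >= (birth.month, birth.day)
        age = as_of.year - birth.year - (0 if had_birthday else 1)
        out["age"] = generalize_age(age)
        if age > 89:
            out.pop("birth_date", None)  # even the year reveals age > 89
    return out


# Constructed sample input, not real patient data.
SAMPLE_AS_OF = date(2016, 6, 1)
SAMPLE_RECORD = {
    "name": "Jane Example", "mrn": "MRN-0001", "email": "jane@example.invalid",
    "zip": "63011", "birth_date": date(1930, 5, 2),
    "admission_date": date(2016, 3, 14), "diagnosis": "J18.9",
}
ELDERLY_RECORD = {"name": "Sam Example", "zip": "03601",
                  "birth_date": date(1920, 7, 1), "diagnosis": "I10"}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, SAMPLE_AS_OF))
    print(deidentify(ELDERLY_RECORD, SAMPLE_AS_OF))
```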

Sending PHI through email

The most common way to exchange information these days is via email. This will likely be the easiest way to get patient records over to other practices or to send a record to a patient who is requesting something. Consequently, it’s important to distinguish between standard email and encrypted email. Many practices assume that because their email system uses SSL or TLS encryption, it’s encrypted to HIPAA standards, and they never give it another thought. Almost all email systems (Gmail, Hotmail, Yahoo, GoDaddy, Microsoft Exchange, Outlook.com, AOL, etc.) are encrypted with either SSL or TLS. This protects the email in transit from being intercepted somewhere between the sender and the receiver. HIPAA says this is not enough.

HIPAA requires that when sending an email containing PHI, you accomplish three things:

  • Encrypt the PHI so that it can’t be intercepted by an unintended party.
  • Verify the identity of the receiving party before they can open the encrypted email attachment.
  • Have a way to revoke access to the encrypted attachment when it is no longer needed, or if it was sent in error.

To achieve all three of these goals, your practice will generally want to employ an email encryption service like Virtru or Hushmail. These services separate the file attachment (which you can use to send PHI) from the rest of the email so that PHI isn’t stored in non-secure ways. They make users on the receiving end of the email confirm their identity before allowing the file attachment to be viewed. And they allow the file attachment to be revoked at any time, either by setting an expiration date or by manually revoking access. Also, your practice will need a Business Associate Agreement on file with any encryption service you decide to use. The encryption service has to prove it will protect your PHI while it is being transferred or stored on its systems.

Using a standard email account without a secure encrypted file attachment to send PHI is a violation of the HIPAA security and privacy rules. There is nothing to stop an unintended recipient from opening a sensitive attachment and there is no way to revoke access to the PHI after the email is sent.

As with all communications involving PHI, you should be logging any time you send or receive PHI. A patient has the right to know who you sent their PHI to. Your practice software likely has a place for you to log these PHI disclosures.

Sending PHI through the mail

When sending PHI through the mail, you must use certified mail or a similar service that requires a signature from the recipient. This is to ensure that any PHI makes it to its destination. If you don’t have a record of when the PHI was both sent and received, you can’t be sure who has the PHI if you are audited. And if a patient wanted a complete list of all entities that have access to their PHI, you couldn’t give them an accurate list without proper record keeping. With certified mail, you will have the signature of the person who received the letter and the date and time when they received it.

Using standard mail is not allowed because standard mail offers no tracking.

Face to face and phone conversations

Face-to-face conversations and phone calls are both common ways practices disclose PHI. All PHI disclosures should be tracked. Accordingly, you must keep a log if you gave out PHI via conversation or phone call. Again, the patient has a right to know who has access to their PHI. If you communicated PHI to another doctor, for instance, and that doctor is now aware of your patient’s medical information, your patient has the right to know that.

Faxing PHI

Faxing is considered a gray area as far as HIPAA is concerned. HIPAA recognizes that fax machines are sometimes the only way for one practice to quickly send information to another entity. At the same time, HIPAA is aware that fax technology is inherently insecure. Faxes can be intercepted via phone tap, and fax machines generally just print out any fax that comes through and leave it sitting in the tray for all to see. These problems are hard to overcome for most practices; nonetheless, you can make some headway in securing your fax to eliminate many chances of a breach occurring.

The HIPAA security rule says that fax machines should be kept behind a locked door. This way non-employees cannot easily access any faxes that have printed out but not yet been picked up. And if your fax machine supports it, faxes should be stored in the fax machine’s memory until an authorized user signs in to the fax machine and prints them out.

I expect that as secure encrypted email becomes more prevalent, the HIPAA security rule will be updated to remove faxing from the list of approved methods to send PHI.

You should get in the habit now of avoiding faxes that contain PHI and only use this method as a last resort.

The Importance of Encryption for HIPAA Compliance

Encryption... what does it mean to encrypt something? Why is it important? And why is it particularly important for covered entities and business associates in the health services industry? What can you do to make sure your data is encrypted while it is being transferred from one place to another and while it is at rest on servers and backup drives? These are all questions I am asked regularly when I do initial HIPAA risk assessments and audits. My clients tend to downplay the importance of encryption initially, until they fully understand the risks of not encrypting data properly.

Encryption is the translation of data into a secret code. Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. If you were to send a file across the internet in a non-encrypted format, it could be intercepted anywhere along the way and you would have no idea that your data had been breached. Additionally, if you were to store data on a storage device in a non-encrypted format and that device was lost or stolen, your data would be accessible to anyone. Using encryption nullifies both of those scenarios by only allowing someone with your secret encryption key to decrypt the data and read it.

For the purposes of HIPAA compliance, encryption is absolutely necessary for one particular category of data: protected health information (PHI). This includes patient medical records and personal patient information like phone numbers, addresses, and social security numbers. Encryption of PHI is important for a few reasons. First and foremost, you have a duty to your patients to keep their personal information safe from unauthorized access. One quick way to lose patients and your practice is to betray patient trust. Additionally, as a covered entity or business associate you are bound by federal law to protect PHI from breach or loss. The Office of Civil Rights has the authority to fine you up to $50,000 per record breached or lost if they deem that you haven’t implemented and followed a good faith HIPAA compliance plan.

What is a practice to do? How can you be sure your PHI is encrypted? There are three places you’ll want to double-check for encryption. During our HIPAA audits we most commonly find that practices aren’t employing encryption when emailing patient health records to other practices or to the patients themselves. This is a fairly easy problem to fix. There are a multitude of available email encryption services such as Virtru, Office 365 Encrypted Email, and Hushmail. These services generally integrate directly into your browser or Microsoft Outlook so that it’s as easy as pressing a button to convert any email into an encrypted email that requires the user at the other end to verify their identity to receive it.

It is more complicated to find out whether the other two categories have HIPAA compliant encryption enabled. These two areas are data stored on devices like servers, desktops, laptops, and mobile phones, and separately, data stored on backup devices and backed up to the cloud. You will want to contact a HIPAA compliant IT specialist to verify that your devices and backup storage are HIPAA compliant. An IT specialist can tell you what level of encryption you are using and whether the encryption is turned on and configured properly. Additionally, in the case of a cloud backup service, the IT specialist can make sure that the cloud provider is HIPAA compliant itself and is willing to sign a Business Associate Agreement (BAA) for your practice and share some of the liability for storing that sensitive data.

J.J. Micro IT Consulting is available for a free HIPAA risk assessment. During that assessment we will look for proper encryption methods in addition to possible HIPAA compliance issues in the categories of security, privacy, and administrative procedures. Please give us a call at 636-556-0009 to schedule an appointment today.

HIPAA Compliance for Dental Practices and Their Business Associates

For almost 20 years since the Health Insurance Portability and Accountability Act (HIPAA) came into existence, the health care industry has had to deal with increasingly complex layers of regulations. Dental practices are acutely affected by HIPAA, namely by the recently added rule that holds a dental practice responsible for the security procedures of any company or individual it does business with.

With the increasing complexity of regulation and the huge possible fines for noncompliance, many dental practices find that working with a third-party company that is already an expert on HIPAA compliance is the best way to stay in compliance. Below I have given an overview of the issues and shown why working with a company like J.J. Micro LLC IT Consulting can eliminate the fear of HIPAA compliance for your practice.

BASIC HIPAA REQUIREMENTS

The HIPAA Privacy Rule, effective since 2003, is probably familiar to most dentists. This rule gives patients various rights regarding their protected health information (PHI). These rights include the right to change what is in their records and to limit the sharing of these records. The HIPAA Security Rule (2005) relates to a dental practice’s management of its patients’ electronic health records (EHRs) and mandates a set of ongoing, practice-wide security protocols. These protocols include staff education, regular risk audits, secure redundant backups, email encryption, and documentation of these protocols. An Enforcement Rule (2009) and a Breach Notification Rule (2010) added more requirements regarding when the media has to be alerted to a breach and what kinds of civil penalties can be levied. As stringent as these regulations are, they seem simple to follow when compared to the HIPAA Privacy and Security Omnibus Final Ruling from January of 2013.

YOU ARE NOW RESPONSIBLE FOR YOUR CONTRACTORS

The Omnibus Final Ruling strengthens and expands the regulations enacted previously. But it also adds another level of regulation that makes a dental practice responsible for the security protocols of any outside entity it does business with. HIPAA calls these outside entities Business Associates. These are entities such as a collection agency, a document storage or disposal company, billing providers, and IT service providers. Every dental practice must keep on file a Business Associate Agreement (BAA) that outlines who is allowed to be in contact with protected health information (PHI) and what is allowed to be done with that information. If a dental practice were to give a third party access to PHI without a BAA in place, the practice would be liable for any non-compliance penalties.

LET AN EXPERT HANDLE YOUR INFORMATION TECHNOLOGY HIPAA COMPLIANCE

You’re dedicated to providing the best possible care for your patients. This probably takes up the vast majority of your time. With an already busy work schedule, why spend time trying to be your own IT manager? As time goes on, privacy and security laws will only continue to become more complex. Let J.J. Micro LLC IT Consulting stay abreast of the changing state of HIPAA compliance regulations and leave you and your staff to what you do best: caring for patients. Contact J.J. Micro today to schedule a free HIPAA compliance checkup. We will help you develop a plan to become compliant and then keep you in compliance going forward.

For more specifics on the ways J.J. Micro will help you become HIPAA compliant, read our article on HIPAA compliance IT recommendations.

And here is more information about HIPAA compliance from the American Dental Association.