Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

KPMG: Most Business Associates Not Ready For Security Standards

Posted on October 17, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new study by consulting firm KPMG has concluded that two-thirds of business associates aren’t completely ready to step up to industry demands for protecting patient health information. Specifically, the majority of business associates don’t seem to be ready to meet HITRUST standards for securing protected health information. Plus, it’s worth noting that HITRUST certification doesn’t mean your organization is HIPAA compliant or protected from a breach. It’s just the first steps and many aren’t doing it.

HITRUST has established a Common Security Framework which is used by healthcare organizations (as well as others that create, access, store or exchange sensitive and/or regulated data). The CSF includes a set of controls designed to harmonize the requirements of multiple regulations and standards.

According to KPMG’s Emily Frolick, third-party risk and assurance leader for KPMG’s healthcare practice, a growing number of healthcare organizations are asking their business associates to obtain a HITRUST CSF Certification or pass an SOC 2 + HITRUST CSF examination to demonstrate that they are making a good-faith effort to protect patient information. The CSF assessment is an internal control-based approach allowing organizations such as business associates to assess and demonstrate the measures they are taken to protect healthcare data.

To see if vendors targeting the healthcare industry seemed capable of meeting these standards, KPMG surveyed 600 professionals in this category to determine their organization’s security status. The survey found that half of those responding weren’t ready for HITRUST examination or certification, while 17.4% were planning for the CSF assessment.

When asked how they were progressing toward meeting HITRUST CSF requirements, just 7% said they were completely ready. Meanwhile, 8% said their organization was well along in its implementation process, and 17.4% said they were in the early stages of CSF implementation.

One the biggest barriers to CSF readiness seems to be having adequate staff in place, ranking ahead of cultural, technological and financial concerns, KPMG found. When asked whether they had the staff in place to meet the standard, 53% said they did, but 47% said they did not have “the right staff the right level skills to execute against the HITRUST CSF.” That being said, 27% said all four factors were at issue. (Interestingly, 23% said” none of the above” posed barriers to CSF readiness.)

Readers won’t be surprised to learn that KPMG has reason to encourage vendors to seek the HITRUST cert and examination – specifically, that it works as a HITRUST Qualified CSF Assessor for healthcare organizations. Also, KPMG works with very large organizations which need to establish high levels of structure in how they evaluate their health data security measures. Hopefully this means they go well beyond what HITRUST requires.

Nonetheless, even if you work with a relatively small healthcare organization that doesn’t have the resources to engage in obtaining formal healthcare security certifications, this discussion serves as a good reminder. Particularly given that many breaches take place due to slips by business associates, it doesn’t hurt to take a close look at their security practices now and then. Even asking them some commonsense questions about how they and their contractors handle data is a good idea. After all, even if business associates cause a breach to your data, you still have to explain the breach to your patients.

A Look At Vendor IoT Security And Vulnerability Issues

Posted on October 5, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Much of the time, when we discuss the Internet of Things, we’re looking at issues from an end-user perspective.  We talk about the potential for IoT options like mobile medical applications and wearable devices, and ponder how to connect smart devices to other nodes like the above to offer next-generation care. Though we’re only just beginning to explore such networking models, the possibilities seem nearly infinite.

That being said, most of the responsibility for enabling and securing these devices still lies with the manufacturers, as healthcare networks typically don’t integrate fully with IoT devices as of yet.

So I was intrigued to find a recent article in Dark Reading which lays out some security considerations manufacturers of IoT devices should keep in mind. Not only do the suggestions give you an idea of how vendors should be thinking about vulnerabilities, they also offer some useful insights for healthcare organizations.

Security research Lysa Myers offers IoT device-makers several recommendations to consider, including the following:

  • Notify users of any changes to device features. In fact, it may make sense to remind them repeatedly of significant changes, or they may simply ignore them out of habit.
  • Put a protocol in place for handling vulnerability reports, and display your vulnerability disclosure policy prominently on your website. Ideally, Myers notes, makers of IoT medical devices should send vulnerability reports to the FDA.
  • When determining how to handle a vulnerability issue, let the most qualified person decide what should happen. In the case of automated medical diagnosis, for example, the right person would probably be a doctor.
  • Make it quick and easy to update IoT device software when you find an error. Also, make it simple for customers to spot fraudulent updates.
  • Create an audit log for all devices, even those that might seem too mundane to interest criminals, as even the least important of devices can assist criminals in launching a DDoS attack or spamming.
  • See to it that users can tell when the changes made to an IoT device’s software are made by the authorized user or a designated representative rather than a cybercriminal or other inappropriate person.
  • Given that many IoT devices require cloud-based services to operate, it’s important to see that end users aren’t dropped abruptly with no cloud alternative. Manufacturers should give users time to transition their service if discontinuing a device, going out of business or otherwise ending support for their own cloud-based option.

If we take a high-level look at these recommendations, there’s a few common themes to be considered:

Awareness:  Particularly in the case of IoT devices, it’s critical to raise awareness among both technical staffers and users of changes, both in features and security configurations.

Protection:  It’s becoming more important every day to protect IoT devices from attacks, and see to it that they are configured properly to avoid security and continuity failures. Also, see to that these devices are protected from outages caused by vendor issues.

Monitoring:  Health IT leaders should find ways to integrate IoT devices into their monitoring routine, tracking their behavior, the state of security updates to their software and any suspicious user activity.

As the article suggests, IoT device-makers probably need to play a large role in helping healthcare organizations secure these devices. But clearly, healthcare organizations need to do their part if they hope to maintain these devices successfully as health IT models change.

2.7 Million Reasons Cloud Vendors and Data Centers ARE HIPAA Business Associates

Posted on July 25, 2016 I Written By

The following is a guest blog post by Mike Semel, President of Semel Consulting.
Cloud backup
Some cloud service providers and data centers have been in denial that they are HIPAA Business Associates. They refuse to sign Business Associate Agreements and comply with HIPAA.

Their excuses:

“We don’t have access to the data so we aren’t a HIPAA Business Associate.”

“The data is encrypted so we aren’t a HIPAA Business Associate.”

Cloud and hosted phone vendors claim “We are a conduit where the data just passes through us temporarily so we aren’t a HIPAA Business Associate.”

“We tell people not to store PHI in our cloud so we aren’t a HIPAA Business Associate.”

Wrong. Wrong. Wrong. And Wrong.

2.7 million reasons Wrong.
Lawsuit
Oregon Health & Science University (OHSU) just paid $2.7 million to settle a series of HIPAA data breaches “including the storage of the electronic protected health information (ePHI) of over 3,000 individuals on a cloud-based server without a business associate agreement.”

Another recent penalty cost a medical practice $750,000 for sharing PHI with a vendor without having a Business Associate Agreement in place.

The 2013 changes to HIPAA that published in the Federal Register (with our emphasis) state that:

“…we have modified the definition of “business associate” to generally provide that a business associate includes a person who “creates, receives, maintains, or transmits” protected health information on behalf of a covered entity.

…an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information.  We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information.  However, the difference between the two situations is the transient versus persistent nature of that opportunity.  For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.” 

A cloud service doesn’t need access to PHI – it just needs to manage or store it– to be a Business Associate. They must secure PHI and sign Business Associate Agreements.

The free, consumer-grade versions of DropBox and Google Drive are not HIPAA compliant. But, the fee-based cloud services, that utilize higher levels of security and for which the vendor will sign a Business Associate Agreement, are OK to use. DropBox Business and Google Apps cost more but provide both security and HIPAA compliance. Make sure you select the right service for PHI.
Encrypted
Encryption
Encryption is a great way to protect health information, because the data is secure and the HIPAA Breach Notification Rule says that encrypted data that is lost or stolen is not a reportable breach.

However, encrypting data is not an exemption to being a Business Associate. Besides, many cloud vendors that deny they have access to encrypted data really do.

I know because I was the Chief Operating Officer for a cloud backup company. We told everyone that the client data was encrypted and we could not access it. The problem was that when someone had trouble recovering their data, the first thing our support team asked for were the encryption keys so we could help them. For medical clients that gave us access to unencrypted PHI.

I also know of situations where data was supposed to be encrypted but, because of human error, made it to the cloud unencrypted.

Simply remembering that Business Associates are covered in the HIPAA Privacy Rule while encryption is discussed in the Breach Notification Rule is an easy way to understand that encryption doesn’t cancel out a vendor’s status as a Business Associate.
27864148 - it engineer or consultant working with backup server. shot in data center.
Data Centers
A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.

Taken together, a cloud vendor that stores PHI, and the data centers that house servers and storage devices, are all HIPAA Business Associates. If you have your own servers containing PHI in a rack at a data center, that makes the data center a HIPAA Business Associate. If you use a cloud service for offsite backups, or file sharing, they and their data centers are Business Associates.

Most data centers offer ‘Network Operations Center (NOC) services,’ an on-site IT department that can go to a server rack to perform services, so you don’t have to travel (sometimes across the country) to fix a problem.  A data center manager was denying they had access to the servers locked in racks and cages, while we watched his NOC services technician open a locked rack to restart a client server.

Our client, who had its servers containing thousands of patient records housed in that data center, used the on-site NOC services when their servers needed maintenance or just to be manually restarted.
37388020 - pushing cloud computing button on touch screen
Cloud-Based and Hosted Phone Services
In the old days, a voice message left on a phone system was not tied to computers. Faxes were paper-in and paper-out between two fax machines.

HIPAA defines a conduit as a business that simply passes PHI and ePHI through their system, like the post office, FedX, UPS, phone companies and Internet Service Providers that simply transport data and do not ever store it. Paper-based faxing was exempt from HIPAA.

One way the world has changed is that Voice Over Internet Protocol (VOIP) systems, that are local or cloud-based, convert voice messages containing PHI into data files, which can then be stored for access through a portal, phone, or mobile device, or are attached to an e-mail.

Another change is that faxing PHI is now the creation of an image file, which is then transmitted through a fax number to a computer system that stores it for access through a portal, or attaches it to an e-mail.

Going back to the Federal Register statement that it is the persistence of storage that is the qualifier to be a Business Associate, the fact that the data files containing PHI are stored at the phone service means that the vendor is a Business Associate. It doesn’t matter that the PHI started out as voice messages or faxes.

RingCentral is one hosted phone vendor that now offers a HIPAA-compliant phone solution. It encrypts voice and fax files during transit and when stored, and RingCentral will sign a Business Associate Agreement.

Don’t Store PHI With Us
Telling clients not to store PHI, or stating that they are not allowed to do so in the fine print of an agreement or on a website, is just a wink-wink-nod-nod way of a cloud service or data center denying they are a Business Associate even though they know they are maintaining PHI.

Even if they refuse to work with medical clients, there are so many other types of organizations that are HIPAA Business Associates – malpractice defense law firms, accounting firms, billing companies, collections companies, insurance agents – they may as well give it up and just comply with HIPAA.

If they don’t, it can cost their clients if they are audited or through a breach investigation.

Don’t let that be you!

About Mike Semel
Mike Semel is the President of Semel Consulting, which specializes in healthcare and financial regulatory compliance, and business continuity planning.

Mike is a Certified Security Compliance Specialist, has multiple HIPAA certifications, and has authored HIPAA courseware. He has been an MSP, and the CIO for a hospital and a K-12 school district. Mike helped develop the CompTIA Security Trustmark and coaches companies preparing for the certification.

Semel Consulting conducts HIPAA workshops for MSPs and has a referrals program for partners. Visit www.semelconsulting.com for more info.

Are You Ready for Stage 2 HIPAA Audits?

Posted on June 27, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Many organizations probably didn’t even realize that OCR (HHS’ department in charge of HIPAA) had put in place HIPAA audits since the pilot program only audited 115 covered entities. That’s likely to change for a lot more healthcare organizations (including business associates) as Stage 2 HIPAA Audits are rolled out. Is your organization ready for a HIPAA Audit?

After spending about 2 months scouring the Stage 2 HIPAA Audit prototol, HIPAA One put together a great comparison of the simplicity of stage 1 HIPAA audits versus stage 2 HIPAA audits:

What it was – Phase 1 of the OCR’s Privacy, Security and Breach Notification Audit Program:
  1. HITECH added Breach Notification to HIPAA and endorsed the OCR‘s Audit Program.
  2. Contained 169 total protocols.
  3. Pilot program included 115 covered entities.
What it is now – the HIPAA Audit Program-Phase 2:
  1. OCR is implementing Phase 2 to include both CEs and business associates (every covered entity and business associate is eligible for an audit)
  2. Provides an opportunity for the OCR to identify best practices, risks and issues before they result in bigger problems (e.g. resulting in a breach) through the expanded random audit program.
  3. 180 Enhanced protocols (groups of instructions) which contain the following updates:
    1. Privacy – 708 updates (individual lines of instructions)
      1. Most notable changes are more policies and procedures surrounding the HIPAA Privacy Officer as well as some changes for Health Plans and Business Associates.
    2. Security – 880 updates (individual lines of instructions)
      1. Most notable changes are that Health Plans must have assurances from their plan sponsors and all companies now have to get proof of HIPAA compliance from their business associates, vendors and subcontractors.

That’s a lot of changes that are going to impact a lot of organizations. How many organizations have spent the time seeing which of these changes are going to impact their organization? I’m sure the answer to that is not many since “ignorance is bliss” is the mantra of many healthcare organizations when it comes to HIPAA compliance.

Particularly interesting is that HIPAA One points out that many of the checklists, books, commercial compliance software, and even ONC’s own SRA tool are likely outdated for these new changes to the HIPAA audit protocol. They’re probably right, so make sure whatever tool you’re using to do a HIPAA SRA takes into account the new HIPAA audit protocol.

Just so we’re clear, there actually hasn’t been a change to the HIPAA Omnibus update in 2013. However, the HIPAA audit protocol clarifies how the HIPAA law will be interpreted during an audit. That means that many of the gray areas in the law have been clarified through the audit protocol.

In HIPAA One’s blog post, they outline some important next steps for healthcare organizations. I won’t replicate it here, but go and check it out if you’re a HIPAA compliance officer for your organization or forward it to your HIPAA compliance officer if you’re not. The first suggestion is a really key one since you want to make sure you’re getting your HIPAA audit emails from OCR.

It’s taken HHS and OCR a while to roll out the full HIPAA audit program. However, it’s fully functioning now and I expect 2016 will be a real wake-up call for many organizations that aren’t prepared for a HIPAA audit. Plus, many others will be woken up when their friends fail their HIPAA audit.

Is your organization ready for a HIPAA audit?

Full Disclosure: HIPAA One is an advertiser on Healthcare Scene.

OCR Cracking Down On Business Associate Security

Posted on May 13, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For most patients, a data breach is a data breach. While it may make a big difference to a healthcare organization whether the source of a security vulnerability was outside its direct control, most consumers aren’t as picky. Once you have to disclose to them that the data has been hacked, they aren’t likely be more forgiving if one of your business associates served as the leak.

Just as importantly, federal regulators seem to be growing increasingly frustrated that healthcare organizations aren’t doing a good job of managing business associate security. It’s little wonder, given that about 20% of the 1,542 healthcare data breaches affecting 500 more individuals reported since 2009 involve business associates. (This is probably a conservative estimate, as reports to OCR by covered entities don’t always mention the involvement of a business associate.)

To this point, the HHS Office for Civil Rights has recently issued a cyber-alert stressing the urgency of addressing these issues. The alert, which was issued by OCR earlier this month, noted that a “large percentage” of covered entities assume they will not be notified of security breaches or cyberattacks experienced by the business associates. That, folks, is pretty weak sauce.

Healthcare organizations also believe that it’s difficult to manage security incidents involving business associates, and impossible to determine whether data safeguards and security policies and procedures at the business associates are adequate. Instead, it seems, many covered entities operate on the “keeping our fingers crossed” system, providing little or no business associate security oversight.

However, that is more than unwise, given that the number of major breaches have taken place because of an oversight by business associates. For example, in 2011 information on 4.9 million individuals was exposed when unencrypted backup computer tapes are stolen from the car of a Science Applications International Corp. employee, who was transporting tapes on behalf of military health program, TRICARE.

The solution to this problem is straightforward, if complex to implement, the alert suggests. “Covered entities and business associates should consider how they will confront a breach at their business associates or subcontractors,” and make detailed plans as to how they’ll address and report on security incidents among these group, OCR suggests.

Of course, in theory business associates are required to put their own policies and procedures in place to prevent, detect, contain and correct security violations under HIPAA regs. But that will be no consolation if your data is exposed because they weren’t holding their feet to the fire.

Besides, OCR isn’t just sending out vaguely threatening emails. In March, OCR began Phase 2 of its HIPAA privacy and security audits of covered entities and business associates. These audits will “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standard interpretation specifications of the Privacy, Security, and Breach Notification Rules,” OCR said at the time.

The Need for Speed (In Breach Protection)

Posted on April 26, 2016 I Written By

The following is a guest blog post by Robert Lord, Co-founder and CEO of Protenus.
Robert Protenus
The speed at which a hospital can detect a privacy breach could mean the difference between a brief, no-penalty notification and a multi-million dollar lawsuit.  This month it was reported that health information from 2,000 patients was exposed when a Texas hospital took four months to identify a data breach caused by an independent healthcare provider.  A health system in New York similarly took two months to determine that 2,500 patient records may have been exposed as a result of a phishing scam and potential breach reported two months prior.

The rise in reported breaches this year, from phishing scams to stolen patient information, only underscores the risk of lag times between breach detection and resolution. Why are lags of months and even years so common? And what can hospitals do to better prepare against threats that may reach the EHR layer?

Traditional compliance and breach detection tools are not nearly as effective as they need to be. The most widely used methods of detection involve either infrequent random audits or extensive manual searches through records following a patient complaint. For example, if a patient suspects that his medical record has been inappropriately accessed, a compliance officer must first review EMR data from the various systems involved.  Armed with a highlighter (or a large excel spreadsheet), the officer must then analyze thousands of rows of access data, and cross-reference this information with the officer’s implicit knowledge about the types of people who have permission to view that patient’s records. Finding an inconsistency – a person who accessed the records without permission – can take dozens of hours of menial work per case.  Another issue with investigating breaches based on complaints is that there is often no evidence that the breach actually occurred. Nonetheless, the hospital is legally required to investigate all claims in a timely manner, and such investigations are costly and time-consuming.

According to a study by the Ponemon Institute, it takes an average of 87 days from the time a breach occurs to the time the officer becomes aware of the problem, and, given the arduous task at hand, it then takes another 105 days for the officer to resolve the issue. In total, it takes approximately 6 months from the time a breach occurs to the time the issue is resolved. Additionally, if a data breach occurs but a patient does not notice, it could take months – or even years – for someone to discover the problem. And of course, the longer it takes the hospital to identify a problem, the higher the cost of identifying how the breach occurred and remediating the situation.

In 2013, Rouge Valley Centenary Hospital in Scarborough, Canada, revealed that the contact information of approximately 8,300 new mothers had been inappropriately accessed by two employees. Since 2009, the two employees had been selling the contact information of new mothers to a private company specializing in Registered Education Savings Plans (RESPs). Some of the patients later reported that days after coming home from the hospital with their newborn child, they started receiving calls from sales representatives at the private RESP company. Marketing representatives were extremely aggressive, and seemed to know the exact date of when their child had been born.

The most terrifying aspect of this story is how the hospital was able to find out about the data breach: remorse and human error! One employee voluntarily turned himself in, while the other accidentally left patient records on a printer. Had these two events not happened, the scam could have continued for much longer than the four years it did before it was finally discovered.

Rouge Valley Hospital is currently facing a $412 million dollar lawsuit over this breach of privacy. Arguably even more damaging, is that they have lost the trust of their patients who relied on the hospital for care and confidentiality of their medical treatments.

As exemplified by the ramifications of the Rouge Valley Hospital breach and the new breaches discovered almost weekly in hospitals around the world, the current tools used to detect privacy breaches in electronic health records are not sufficient. A system needs to have the ability to detect when employees are accessing information outside their clinical and administrative responsibilities. Had the Scarborough hospital known about the inappropriately viewed records the first time they had been accessed, they could have investigated earlier and protected the privacy of thousands of new mothers.

Every person seeks a hospital’s care has the right to privacy and the protection of their medical information. However, due to the sheer volume of patient records accessed each day, it is impossible for compliance officers to efficiently detect breaches without new and practical tools. Current rule-based analytical systems often overburden the officers with alerts, and are only a minor improvement from manual detection methods.

We are in the midst of a paradigm shift with hospitals taking a more proactive and layered approach to health data security. New technology that uses machine learning and big data science to review each access to medical records will replace traditional compliance technology and streamline threat detection and resolution cycles from months to a matter of minutes. Making identifying a privacy breach or violation as simple and fast as the action that may have caused it in the first place.  Understanding how to select and implement these next-generation tools will be a new and important challenge for the compliance officers of the future, but one that they can no longer afford to delay.

Protenus is a health data security platform that protects patient data in electronic medical records for some of the nation’s top-ranked hospitals. Using data science and machine learning, Protenus technology uniquely understands the clinical behavior and context of each user that is accessing patient data to determine the appropriateness of each action, elevating only true threats to patient privacy and health data security.

Five Gray Areas of HIPAA You Can’t Ignore

Posted on March 22, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Scrypt, Inc. has released a guide called ‘Five gray areas of HIPAA you can’t ignore.’ With the phase 2 HIPAA audits looming, I know a lot of organizations that need to step up their HIPAA game. Unfortunately many organizations are practicing the “ignorance is bliss” approach to HIPAA compliance. Ask someone who’s been through a HIPAA audit how well ignorance worked for them as a defense. Short answer: It doesn’t.

Here’s a little graphic from Scrypt that highlights briefly the 5 “grey” areas that are covered in their guide:

5 Gray Areas of HIPAA Infographic

Will Misunderstandings Around The HIPAA Conduit Exception Rule Result In Organizations Failing The Phase 2 Audits?

Posted on December 14, 2015 I Written By

The following is a guest blog post by Gene Fry from Scrypt, Inc.
Gene Fry - HIPAA Expert
In January 2013, the HHS defined the ‘conduit exception’ as part of the HIPAA Omnibus Final Rule, which was created to strengthen the privacy and security protections for health information.

The HIPAA conduit exception rule is applicable to providers of conduit services who do not have access to protected health information (PHI) on a routine basis. This means that they do not have to sign a Business Associate Agreement (BAA). However, some providers who do not fall under this definition are still claiming that they are HIPAA compliant. It is crucial that healthcare organizations understand exactly what this rule means, and how it may affect them if selected for an audit, or if a breach should occur.

What is a HIPAA Business Associate Agreement?
There are a number of providers who state they offer HIPAA compliant solutions for transmitting or storing PHI, and yet they are unwilling to sign a BAA.

As stated in the HIPAA Privacy and Security Rules, a business associate is defined as:

“[a] Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.”

Therefore, any organization or business that handles personal health information is considered to be a business associate and must sign a BAA. As this acts as a contract between a HIPAA covered entity and a business associate, without one, the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that they are not HIPAA compliant.

Phase 2 HIPAA audits are due to begin in early 2016, and the transmission and storage of PHI is likely to be an area that the Office of Civil Rights (OCR) focus on as a result of large numbers of noncompliance being reported in the phase 1 audits conducted in 2012. While the phase 1 audits applied only to covered entities, in this round, business associates will also be subject to audits by OCR. This means that business associates can be held accountable for data breaches, and penalized accordingly for noncompliance.

Every covered entity must have a BAA in place with the organization responsible for PHI managed on their behalf. Without it, like a weak link in the chain, the whole system becomes noncompliant.

When does the exception rule apply?
There are instances where the HIPAA conduit exception rule does apply. For entities that simply transport or transmit PHI (such as the United States Postal Service, couriers, and their electronic equivalents) who do not have routine access to PHI other than infrequently or randomly, and disclosure of the PHI to such entity is not intended, the HIPAA conduit exception rule is likely to apply.

The rule is rather confusing and open to interpretation when it comes to electronic protected health information (ePHI), as occasional, random access by a data transmission entity does not necessarily make the entity a HIPAA business associate. An example of an organization which would not require a BAA would be an ISP, as they review whether ePHI being transmitted over its network is arriving to its intended destination, but do not access or store the data.

Random or infrequent access defined by the HIPAA rules is explained in the preamble to the rules, which explicitly states that the “mere conduit” exception, is intended to include organizations that deal with “any temporary storage of transmitted data incident to such transmission.” It is the ‘temporary storage’ terminology used in the rule that healthcare organizations often misinterpret.

The preamble defines the distinction between transmission (including incidental storage associated with such transmission) and ongoing storage. The difference between those two situations “is the transient versus persistent nature of” the opportunity to access PHI. This means that a data storage company that has access to PHI still qualifies as a business associate, even if the entity does not view the information – or only does so on a random or infrequent basis.

Be wary of providers who refuse to sign a BAA
If a provider is unwilling to sign a BAA, the advice from David Holtzman of the U.S. Health and Human Services Department’s Office for Civil Rights, Privacy Division, is “If they refuse to sign, don’t use the service”.

However, providers are citing the HIPAA conduit exception rule as the reason that a BAA is not required. By stating that they are acting as a ‘simple conduit for information’, they are stipulating that they are excluded from the definition of a business associate. This effectively absolves the provider of signing a BAA, and gets them off the compliance hook, while putting their customers at risk of not being compliant.

An entity that manages the transmission and storage of PHI, such as a HIPAA compliant cloud hosting company, or a HIPAA compliant fax or messaging provider does have more than “random access” to PHI – meaning that they do meet the definition of a HIPAA business associate. Any organization that is transmitting and receiving information that includes PHI falls into the category of business associates – and should be willing to sign a BAA.

Some providers will not sign a BAA because they claim to only offer what they call a “conduit service” – technically making them able to state that they are HIPAA compliant, although this is untrue in many cases. In addition to offering services that relate to the transmission and storage of PHI, they may also include a guarantee that they will disable automatic forwarding of messages to email, disable SMS texting, and will delete all faxes, voicemails and recordings after a short period to get out of signing the BAA.

Providers who offer a range of telecommunications services – some of which are purely conduit – may also refuse to sign a BAA for customers only requiring data transmission services due to the fact that their fax and SMS services are not actually HIPAA compliant. Again, these providers claim that they are HIPAA compliant because they can provide purely conduit services as part of their offering.

How can I ensure compliance when selecting a provider?

  • Never select a provider who is unwilling to sign a BAA.
  • Be wary of providers who refer to the HIPAA conduit exception rule if they will have access to ePHI – even if it is random or infrequent
  • Ask the provider to prove its track record of safeguarding ePHI
  • Check that the provider is able to demonstrate that their staff are trained in HIPAA compliance

When selecting a provider, if they are truly HIPAA compliant, they will sign a business associate agreement because they are required to, and they should demonstrate a willingness to comply. A BAA acts as the a contract between a HIPAA covered entity and a business associate, and without one, the provider is not accountable for protecting the PHI it is handling or transmitting – meaning that they are not HIPAA compliant. Be wary of organizations that hide behind the conduit exception rule, or you may find your organization bears the brunt of OCR audits should a breach occur.

About Gene Fry
Gene joined the Scrypt, Inc. family in October of 2001. He has 25 years of IT experience working in industries such as healthcare and for companies based in the U.S. and in Latin America. Gene is a Certified HIPAA Professional (CHP) through the Management and Strategy Institute. In addition, he is certified as a HIPAA Privacy and Security Compliance Officer by the Identity Management Institute, as an Electronic Health Record Specialist Certification (CEHRS™) through the National Health Career Association and he holds a Gramm-Leach Bliley Act (GLBA) certification from BridgeFront and J.J Kellers.  In his spare time, Gene rides a Harley Davidson as part of the Austin, Texas Chapter.

Doing a Proper HIPAA Risk Assessment with Mike Semel

Posted on November 19, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

HIPAA Risk Assessments have become a standard in healthcare. However, not everyone is doing a proper HIPAA Risk Assessment that would hold up to a HIPAA audit. In this video, we sits down with HIPAA Expert Mike Semel to discuss the HIPAA Risk Assessment and what a health care organization can do to make sure they’ve done a proper HIPAA Risk Assessment.

Learn more about Mike Semel and his services on the Semel Consulting website.

Full Disclosure: Semel Consulting is a sponsor of Healthcare Scene.

Phase 2 HIPAA Audits Kick Off With Random Surveys

Posted on June 9, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Ideally, the only reason you would know about the following is due to scribes such as myself — but for the record, the HHS Office for Civil Rights has sent out a bunch of pre-audit screening surveys to covered entities. Once it gets responses, it will do a Phase 2 audit not only of covered entities but also business associates, so things should get heated.

While these take the form of Meaningful Use audits, covering incentives paid from January 1, 2011 through June 30, 2014, it’s really more about checking how well you protect ePHI.

This effort is a drive to be sure that providers and BAs are complying with the HIPAA privacy, security and breach notification requirements. Apparently OCR found, during Phase 1 pilot audits in 2011 and 2012, that there was “pervasive non-compliance” with regs designed to safeguard protected health information, the National Law Review reports.

However, these audits aren’t targeting the “bad guys.” Selection for the audits is random, according to HHS Office of the Inspector General.

So if you get one of the dreaded pre-screening letters, how should you respond? According a thoughtful blog post by Maryanne Lambert for CureMD, auditors will be focused on the following areas:

  • Risk Assessment audits and reports
  • EHR security plan
  • Organizational chart
  • Network diagram
  • EHR web sites and patient portals
  • Policies and procedures
  • System inventory
  • Tools to perform vulnerability scans
  • Central log and event reports
  • EHR system users list
  • Contractors supporting the EHR and network perimeter devices.

According to Lambert, the feds will want to talk to the person primarily responsible for each of these areas, a process which could quickly devolve into a disaster if those people aren’t prepared. She recommends that if you’re selected for an audit, you run through a mock audit ahead of time to make sure these staff members can answer questions about how well policies and processed are followed.

Not that anyone would take the presence of HHS on their premises lightly, but it’s worth bearing in mind that a stumble in one corner of your operation could have widespread consequences. Lambert notes that in addition to defending your security precautions, you have to make sure that all parts of your organization are in line:

Be mindful while planning for this audit as deficiencies identified for one physician in a physician group or one hospital within a multi-hospital system, may apply to the other physicians and hospitals using the same EHR system and/or implementing meaningful use in the same way.  Thus, the incentive payments at risk in this audit may be greater than the payments to the particular provider being audited.

But as she points out, there is one possible benefit to being audited. If you prepare well, it might save you not only trouble with HHS but possibly lawsuits for breaches of information. Hey, everything has some kind of silver lining, right?