NTC Health Care Whitepaper by Jessica Hill

ʹͲͳʹ

Ǥ Ǥ

Compliance Beyond the Covered Entity 1

Thought Leadership:

Kyle Duke, CISO Andy Flatt, CIO

Underwritten by:

Health Care Privacy & Security Summit Sponsored by:

Compliance Beyond the Covered Entity 2

Executive Summary This white paper is the result of a collaborative effort among practitioners, industry experts, and academics. Its purpose is to educate health care organizations and service providers regarding their responsibility to protect individually identifiable health information. The findings also demonstrate that compliance efforts cannot be delegated solely to the information technology (IT) department or chief information security officer. Technology is an enabler, not the silver bullet. While small to medium organizations may benefit the most from the information contained in this paper, research suggests that even large organizations may not have adequately addressed all of their legal requirements. The regulations around compliance are complex, their scope is far reaching, and ramifications are significant. Non-compliance can lead to fines, damage a company’s reputation, and more importantly, result in unlawful disclosure and abuse of health information. In order to comply with today’s requirements, organizations must review their compliance programs and make improvements where needed. Additionally, they must understand the chain-of-custody as they share individually identifiable health information with other entities since they are responsible for protection of that information as it travels through the health care ecosystem.

“If compliance is hard for large organizations, it is almost insurmountable for small ones. Organizations are being told they need to ‘do it’ but they don’t always know where to start.” Bryan Thornton, Net Reaction

With the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enforcement of the Health Insurance Portability and Accountability Act (HIPAA) was expanded to include business partners with whom the principal entity shares individually identifiable health information. In addition to designating someone to oversee compliance efforts, organizations must implement policies and procedures, conduct risk assessments, clean up and classify data, implement an incident response plan, increase security awareness, improve physical security, and strengthen data access controls. These efforts are time consuming and often require assistance from third party experts such as legal counsel, health care privacy and security consultants, and technology professionals. The goal is to go beyond just the letter of the law, ensuring that patients’ health information remains private and secure, and protected from those who should not have access to it. Ensuring that service agreements between a principal health care entity and its business partners meet requirements for sharing health information is not an easy task. It requires reviewing existing service agreements, determining whether regulations apply and if they do, ensuring adequate terms exist to address these requirements. The process can be difficult when establishing new service agreements and even more so when addressing inadequacies in existing ones. The areas to be addressed in service agreements include clearly defining obligations of the principal entity and the business partner. This white paper highlights today’s requirements and provides recommendations for addressing them. It contains suggestions regarding how to begin and provides a framework for moving forward. Finally, it demonstrates how compliance is difficult but not impossible.

Compliance Beyond the Covered Entity 3

Introduction Securing health information is a top concern for every organization within the health care ecosystem. While progress has been made, ensuring the privacy and security of health related data that flows between entities is becoming more important as regulations evolve and the ecosystem expands. The number of entities involved in processing health information is over 1.2 million according to recent estimates. Many entities do not have adequate procedures in place to ensure data leaving their organization remains protected as it flows through the ecosystem. Under HIPAA, most health care providers (such as physicians and hospitals) and payors (such as insurance companies and self-insured group health plans), as well as the clearinghouses that process health care transactions, are called “covered entities.”i Parties that provide services to those covered entities involving access to or possession of protected health information (such as billing companies, software vendors, and lawyers) are called “business associates.”ii Protected health information (PHI) is individually identifiable health information held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper, or oral.iii If a business associate (BA) does not maintain equally strict standards of protection for PHI, the covered entity (CE) can be held responsible as well. The penalties and fines, as well as damage to the organization’s reputation, that result from breaches associated with shared PHI, are becoming more severe as regulations evolve and are more rigorously enforced. In addition to the challenge of ensuring that business associates have adequate measures in place, the HITECH Act, established through the

American Recovery Reinvestment Act (ARRA) of 2009,iv mandates tighter security measures for security, privacy, and breach notification, among other things, and increases the chances of incurring penalties for non-compliance.v If the CE or its business associate’s PHI is breached, the covered entity must report the breach to Health and Human Services (HHS), risking significant damage to the covered entity’s reputation and costs far exceeding potential fines. This notification is covered under the Breach Notification Rule mandated in HITECH.vi

“HIPAA compliance isn’t enough. Breach notification requirements are a game changer.” Adam Greene, Partner, Davis Wright Tremaine LLP, and former regulator, U.S. Department HHS

This white paper summarizes the risks and penalties of data breaches, describes how these breaches affect patients, and provides recommendations for improving security of PHI as it flows through the health care ecosystem. It discusses challenges and recommendations for improvement as described by representatives of Nashville’s health care community as they seek to continually improve security controls and ensure that agreements with their business associates address requirements. The white paper shows how compliance requires a team approach where the IT department and chief information security officer (CISO) play an important but not solo role. It includes a sample security checklist and considerations for a business associate agreement, as well as links to additional information to assist organizations navigating through the process of securing protected health Information.

Compliance Beyond the Covered Entity 4

Why It Matters Today’s health care organizations are prime targets for professional hackers and cyber criminals. PHI is highly valued on the black market, yielding much higher payouts for hackers than other personal information. For example, a cyber criminal’s payout for stolen PHI ranges from $28 to $50 per record where credit card information only garners $1 to $5 per record. In addition to a higher payout for PHI, cyber criminals find the process of hacking a health care organization relatively easy to accomplish and difficult to get caught doing. Health records, regardless of format, can contain some of the most private information about an individual and typically include social security numbers, birth dates, home addresses, family information, and billing information such as bank and credit card numbers.

“Since no boundaries exist in cyber space, health care records are attractive targets for transnational organized criminal enterprises. Once the cyber criminals steal information, recovery by law enforcement is very difficult.” Scott E. Augenbaum, Federal Bureau of Investigation

Clearly, hackers have the ability to do significant damage with this information. Risks to individuals include identity theft, health insurance fraud, significant financial loss, and exposure of a person’s health status, including history, outcomes, and diagnosis. If any of these areas is exploited, a person may spend several years cleaning up the aftermath to regain what has been lost. As such, organizations storing PHI are gold mines for hackers.

According to a recent study by Ponemon Institute published in the Information Management Journal,vii nearly $6 billion per year is spent on data breaches. The findings reveal that, while HITECH requires even tighter controls, many health care organizations are still not taking adequate steps to ensure privacy and security of PHI. The study indicates that numerous breaches are going undetected and vulnerabilities in most systems are putting organizations and, more importantly, patients at risk. One example of this issue is described in the article “Mobile Devices Contribute to PHI Breaches.”viii The article outlines how “the HITECH Act has increased fines associated with breaches in an effort to ensure health care organizations understand how seriously they are taking these issues.” It goes on to describe how Massachusetts General Hospital was fined $1 million after it experienced a HIPAA violation. Even though Massachusetts General was able to resolve the issue and put protections in place, they were fined for the violation. In more recent news, the Alaska Department of Health and Social Services (DHSS) agreed to pay HHS $1.7 million to settle a possible HIPAA Security Rule violation. This settlement is the second largest in history and marks the first enforcement action against a state agency by the Office of Civil Rights (OCR), the entity charged with auditing compliance. The vulnerability was found after Alaska’s DHSS reported to HHS that a stolen USB hard drive contained 2,000 patient records. In accordance with the HITECH Act, since the breach affected more than 500 individuals, it had to be reported to the HHS and the media (organizations are only required to report breaches affecting less than 500 individuals on an annual basis). The OCR moved forward with the investigation, uncovering significant vulnerabilities and a lack

of adequate security controls. Information regarding the breach was highly publicized throughout various media channels, seriously damaging DHSS’s reputation.ix For the foreseeable future, Alaska’s DHSS will be monitored closely by the OCR.

Nashville’s Experts Weigh In At the Nashville Technology Council’s (NTC) Privacy and Security Summit, held in March of 2012, representatives from Nashville’s health care community voiced concerns regarding security of PHI. The purpose of the Summit was to discuss security concerns and identify ways to address them. Several questions were posed to Summit attendees. A summary of those discussions follows. What are the primary concerns your organization has related to sharing PHI? The attendees voiced concerns about the unclear chain-of-custody for health care information as it passes through the ecosystem and a lack of well-defined agreements between covered entities and data trading partners. They expressed additional concern about the lack of clarity around which party is accountable for what data and at what times. Many do not believe that business associates employ consistent security frameworks or have adequate security controls in place, especially related to policies for employee owned devices being used in the workplace.

Compliance Beyond the Covered Entity 5 Considering the concerns identified above, what steps can be taken or have your organizations taken to address these concerns? A majority of attendees agreed that ensuring service agreements meet today’s legal requirements is an important and required step toward improving privacy and security of PHI. However, they recommended cleaning up data (knowing what type of data exists and where it resides) and promoting encryption should also be top priorities. Another popular response among the attendees was the need to establish a training program to educate employees and business associates regarding privacy and security policies and procedures.

“Encryption, properly done, cures many ills.” Steve Wood, Baker Donelson

Some attendees went further to suggest organizations hire a third-party auditing firm to ensure vulnerabilities are identified and addressed from an objective point of view. They stated a belief that this type of engagement would compel an organization to strengthen its compliance practices upfront and ensure that only necessary information is captured, stored, and shared. As more organizations allow employees to “bring their own devices” to work,

Middle Tennessee has an unparalleled concentration of health care companies and supporting organizations. The area's leadership and innovation have a significant impact locally, nationally, and internationally. x The health care industry is Nashville’s largest and fastest growing employer x Locally - nearly $30 billion in revenue annually and more than 200,000 jobs x Globally - more than $70 billion in revenue annually and over 400,000 jobs x More than 250 health care companies have operations in Nashville x 16 publicly traded health care companies are located in Nashville Information obtained from Nashville Health Care Council

attendees recommended careful consideration of this practice and deployment of modern controls such as policy based mobile device security. Attendees also suggested these issues be specifically addressed through policies and procedures, as well as through adoption of a security framework. Since many legal requirements leave gray areas, what are the common practices and standards that your organization is using? Most attendees expressed a strong movement toward adoption of a security framework such as the Health Information Trust Alliance (HITRUST) Common Security Framework,x the National Institute for Standards and Technology (NIST) HIPAA Security Rule Toolkit,xi or the International Standards Organization (ISO) standard for managing health information security.xii They also suggested that compliance programs are a team effort, led by a designated responsible party, but staffed by internal and external professionals with expertise in information security, law, contracting, HIPAA compliance, etc. Attendees also emphasized stronger enforcement of existing policies and procedures. Obtaining breach insurance was also suggested.

Enforcement Begins Included in the HITECH Act is a mandate that HHS establish an audit program, which was launched in 2011. The audit program is designed to review current compliance and identify vulnerabilities that may exist so they can be corrected. The audits, conducted by the OCR, impose penalties on organizations that are not meeting HITECH requirements, which increase business associate liability and impose

Compliance Beyond the Covered Entity 6 additional restrictions on the sale, use, and exchange of PHI. Although the effective date for many HITECH provisions has passed (February 17, 2010), according to HHS, “the final rule that will follow provides specific information regarding the expected date of compliance and enforcement of these new requirements. However, interim final rules implementing HITECH Act provisions in two areas have already been issued and are currently in effect: enforcement and breach notification.”xiii Among other provisions, covered entities and business associates alike must now comply with breach notification obligations. The “OCR will enforce the Breach Notification Interim Final Rule, including the possible imposition of sanctions, as it does with the HIPAA Privacy and Security Rule requirements.”xiv As a part of ARRA, specifically section 13411 of the HITECH Act, HSS gave the OCR responsibility for enforcing HIPAA rules for privacy, security, and breach notification through periodic audits of covered entities and business associates. The goal is to achieve optimum protection of the privacy and security of PHI. In November of 2011, the OCR began the first round of audits in conjunction with the professional public accounting firm, KPMG LLC (KPMG), the company tasked with administering the audits and reporting findings. The first round of audits includes 150 covered entities and business associates. Organizations selected for an audit receive a notification letter from the OCR requiring their cooperation with KPMG in providing documentation regarding their compliance practices. According to HIPAA, they are expected to supply all requested information at the time of the audit. The organizations being audited should prepare

for an on-site visit from KPMG within 30 to 90 days after notice.xv By these actions, the HHS is clearly demonstrating that they take their responsibility very seriously. Twenty of the 150 planned audits were completed as of March 2012. The findings revealed that small covered entities (companies generating $50 million or less in yearly revenue) have the most security compliance issues. Business associates, such as clearinghouses and health insurance plans, fared better than health care providers in the first 20 audits.xvi

“A retention policy is critical since 40% of breaches occur against data for which the organization no longer has a defined business need.” Bryan Thornton, Net Reaction

It’s important to note that although often used interchangeably, security and privacy are not the same. Privacy is defined as freedom from unauthorized intrusion,xvii while security entails measures to protect against sabotage, crime, or attack.xviii Given the difference, two rules were established to protect PHI. The goal of the Privacy Rule is to increase individuals’ rights related to health information and to ensure greater privacy protections for protected health information.xix The Security Rule pertains to the physical and electronic protection of information that preserves confidentiality.xx Overall, compliance with the Security Rule was clearly more problematic than compliance related to privacy. The audits found that 65% of major findings were related to the Security Rule;; 26% were related to the Privacy Rule;; and 9% were related to the Breach Notification Rule.

Compliance Beyond the Covered Entity 7 The most frequent issues found were related to: x User activity monitoring, x Contingency planning, x Authentication, x Media reuse and destruction, x Conducting risk assessments, x Access, and x Managing third party risks. xxi

Getting Started: Security Checklist For many organizations, creating and maintaining an up-to-date security and compliance program is an overwhelming and seemingly daunting task. Despite its complexity, every organization can establish or improve its security and compliance program. To ensure success, this effort must be supported from the top of the organization and a responsible party dedicated to overseeing and maintaining the program must be designated and given the time, training, and support necessary to manage the program. The person responsible for the compliance program might be a CISO or compliance officer in a large organization or a doctor or office administrator in a small one. Regardless of who is responsible for the compliance program, every organization should create and follow a checklist of controls and have a plan to enforce and review such controls. However, this effort is not a static process. It must be iterative to address variables such as the formation of new business partnerships and changes in legislation. The recent emphasis on enforcement means that covered entities and business associates can no longer just check off tasks on a list. They must demonstrate serious intent by operationalizing their security and compliance programs through policies and procedures, education and training, assessments, and enforcement.

Compliance Beyond the Covered Entity 8

Following is a sample high-level security checklist designed to aid organizations in establishing or improving their security and compliance programs. This list does not represent a full compliance program and should not be used as such. Each organization’s security checklist should be tailored to reflect its specific situation, responsibilities, and requirements.

ADMINISTRATIVE Controls Risk Assessment Create roadmap from assessment results Classify Data Map PHI data at rest & in motion Categorize PHI data Identify who has access Implement Policies & Procedures Change management Granting/modifying access Access termination Password management Data backup Acceptable use Segregation of duties Data retention Implement an Incident Response Program Document chain of custody for all PHI Security Awareness New hire training Annual review and attestation Adopt a security framework Formalize data trading partnerships Business Associate Agreement for each PHI data trading partner Complete training for business associates Send 3rd party security questionnaire If applicable, perform on-site reviews Mobile Device/BYOD Develop policy & train employees

Responsible Party

Due Date

Date Completed

Compliance Beyond the Covered Entity 9

TECHNICAL Controls

Responsible Party

Due Date

Date Completed

Due Date

Date Completed

Perform periodic access reviews Check segregation of duties Ensure access is appropriate Implement process to audit access (audit log) Change privileged account passwords on scheduled basis Monitor data classification Ensure PHI is accessed by appropriate personal Identify and address data leakage Encrypt data (in motion and at rest) Devices (desktops, laptop, mobile, etc.) Writable media Audit Identify how user activity is monitored Conduct annual access reviews Establish a processes to monitor Conduct random audits

PHYSICAL Controls Physical Security Implement badge access at all perimeter doors Ensure data center(s) access has access levels Use visitor Sign In/Out and escort procedures After-hours security process & system Data center(s) environmental controls Fire suppression UPS power backup Air conditioning Elevated floors Fire/smoke/water detection Climate control

Responsible Party

Components of a Business Associate Agreement HIPAA imposes an enforcement scheme unique among Federal laws. While it provides for enforcement by the government like any other law, HIPAA also requires enforcement through contractual obligations between covered entities and their business associates.

“The government is watching and the stakes are high.” Steve Wood, Baker Donelson

Essentially, the law mandates that covered entities impose certain privacy and security obligations on their business associates and in turn, business associates must make promises to covered entities in written contracts typically called “business associate agreements,” or BAAs. The HIPAA Final Rule will most likely extend this requirement downstream to subcontractors of business associates that handle PHI (such as vendors that host applications on behalf of software companies). Until the HITECH Act, only covered entities were regulated by HIPAA, so the BAA was the mechanism by which Congress sought to ensure that business associates would be limited in their rights to use and disclose patient information obtained from covered entities. It also requires that business associates implement appropriate measures to safeguard PHI. Now business associates are directly regulated by HIPAA and are subject to most of the same requirements as covered entities.

Compliance Beyond the Covered Entity 10 Thus, a business associate that fails to do what is required under HIPAA faces the potential of both government enforcement action and a lawsuit for breach of contract from the customer, i.e. the covered entity. If being sued for potentially astronomical damages is not enough, the threat of enforcement action by the government should strike fear in the hearts of business associates. Under HITECH, Congress authorized state attorneys general to enforce HIPAA in addition to the OCR, the arm of HHS that historically had that power. Besides a lot more cops on the beat, violations of HIPAA now bring much higher penalties and even criminal prosecution. Organizations Supporting Nashville’s Health Care Ecosystem Tennessee Chapter of HIMSS Provides statewide leadership for the advancement and management of healthcare information and technology. www.tnhimss.org Entrepreneur Center Connects entrepreneurs with investors, mentors and the critical resources they need to accelerate the launch of start-up businesses, where health care is one of four industry sectors. www.entrepreneurcenter.com Nashville Health Care Council An association of health care industry leaders working together to further establish Nashville’s position as the nation’s health care industry capital www.healthcarecouncil.com Nashville Technology Council Helps Middle Tennessee’s technology community succeed. www.technologycouncil.com

The principal topics addressed under most BAAs include the following.

¾ Permitted and prohibited uses of PHI (in addition to using PHI as necessary for provision of the services, such as for the proper business management and administration of the business associate and as necessary to meet its legal requirements). ¾ Permitted and prohibited disclosures of PHI (again, addressing disclosures in addition to those necessary for provision of the services, such as for the proper business management and administration of the business associate and as necessary to meet its legal requirements). ¾ Whether and under what circumstances the business associate will de-identify data, who owns it, and what can be done with it. ¾ Whether data from the covered entity will be aggregated with data from other covered entities, and for what purposes. ¾ How to deal with patients’ requests for access to their data or amendment of their data. ¾ How to deal with patients’ requests for an accounting of any disclosures of their data. ¾ The Minimum Use Rule (which essentially dictates that covered entities provide to business associates only the minimum information necessary for whatever service is being performed, and the business associate likewise is limited to requesting only that minimum data from the covered entity).

Compliance Beyond the Covered Entity 11 ¾ The conditions under which the business associate may further disclose PHI to subcontractors. ¾ The safeguards that must be implemented and maintained by the business associate to protect PHI in electronic format (i.e., the information security requirements). ¾ The time lines and procedures for the business associate to notify the covered entity of a data breach or of a security incident that does not result in a data breach (note that breach notification is a critically important item in the BAA). ¾ Who has the responsibility to send data breach notifications to affected individuals and who pays for the notices. ¾ What happens if the government decides to conduct a compliance audit. ¾ The obligations of the covered entity to advise the business associate of circumstances such as a patient’s request for a restriction on the disclosure of his or her PHI. Additional matters often addressed under the BAA include the following. ¾ Whether the business associate is required to comply with laws other than HIPAA (as a matter of contract under the BAA, regardless of whether the BAA is required to comply as a matter of those laws;; i.e., whether the covered entity can sue the business associate for not complying with those laws).

¾ Whether the covered entity has rights to audit the business associate’s compliance with its obligations under the BAA and whether the business associate is obligated to complete and certify compliance questionnaires from the covered entity. ¾ That the business associate may not store or transmit PHI outside the United States. ¾ The methods by which the business associate will securely destroy PHI in paper and electronic forms. ¾ If the business associate will be conducting HIPAA electronic transactions, that the business associate must comply with each requirement for Standard Transactions established in HIPAA. ¾ Whether the business associate must encrypt electronic PHI, and if so, to what standard. ¾ Whether the business associate is required to maintain a cyber-liability insurance policy to cover the costs of a data breach. ¾ Whether the business associate must indemnify the covered entity (i.e., cover the potentially large costs incurred) for a data breach in addition to breach notification costs, such as forensic investigation, legal fees, public relations expenses, setting up and operating a call center, and providing credit monitoring services to affected persons.

The last bullet point above, regarding indemnification, has become perhaps the most contentious item in the negotiation of BAAs recently, as both covered entities and business associates have seen the costs associated with data breaches. Practically speaking, data breach is less of a concern if the business associate will

Compliance Beyond the Covered Entity 12 only have access and not actual possession of PHI, but when the business associate is in control of protecting the data, covered entities generally should push hard for broad, unlimited indemnification. On the other hand, business associates must evaluate how much financial risk they are willing to take and resist or limit the scope of such indemnification. In any case, both parties need to remember that a BAA always accompanies some sort of services agreement and that agreement may have provisions limiting the business associate’s liability that, if not carefully crafted, could override the indemnification obligation in the BAA. Due to the complexity inherent in developing a BAA that is appropriate to a given circumstance and the high stakes involved, seeking counsel from attorneys well-versed in HIPAA is critical for both covered entities and business associates. Simply pulling a BAA off the Internet or trying to prepare one based on someone else’s BAA is laden with peril. Likewise, this white paper is not intended to explain every nuance and all the variations that a given BAA provision might take from the opposing standpoints of the covered entity and the business associate. It simply outlines considerations that come into play including the following. ¾ Will the business associate actually possess PHI or merely have occasional access to it? If access, will it be on site (such as a contract computer technician) or remote (such as a software vendor connecting to perform diagnostics or maintenance)? ¾ Will the PHI be used to make decisions about patients (i.e., will it constitute a “designated record set” as defined under HIPAA)?

¾ Will the volume of patient records be substantial (as in the case of a Software as a Service vendor hosting the entire electronic medical records or electronic health records system) or will the business associate only handle a small number of patient records (for example, an attorney occasionally defending a malpractice suit)? ¾ Will the records involved include a large amount of information about a given patient or just a limited number of data fields? ¾ Will the business associate maintain the only instance of the patient information (aside from back-ups) or will the business associate receive a copy of data maintained in some other primary system? ¾ Will the business associate maintain (or have access to) PHI for a long time or will it be relatively brief? ¾ Will the business associate need to disclose PHI to a subcontractor and if so, will the subcontractor have possession or mere access to the data? ¾ Will the patient data involve especially sensitive clinical information, such as HIV status or mental health (which may implicate other regulatory requirements)? ¾ Will the data include sensitive non-health information, such as credit card information subject to the Payment Card Industry Data Security Standards or financial information (such as for collection purposes) subject to the Federal Trade Commission’s Red Flags Rule?

Compliance Beyond the Covered Entity 13 ¾ Are there state laws regarding personally identifiable data that need to be addressed? Whether a particular one of these considerations is relevant to a given BAA depends on the circumstances and in many cases, the covered entity and the business associate may disagree on the assessment. For instance, the covered entity may seek to include in the BAA a requirement for the business associate to pay for notices required under state breach notification laws, while the business associate may object, arguing that the BAA should only address matters mandated under HIPAA regulations. While right or wrong answers may not exist in such cases, in this example, the covered entity will justify its position on the basis that it ultimately would be responsible for state law notification even if a data breach did not give rise to a HIPAA notification requirement (because of one of the exceptions under HIPAA), so the business associate should cover that cost if the business associate caused the data breach. The business associate, on the other hand, is likely to respond that not enough revenue is generated from the service contract to warrant taking on such a large potential liability. In the end, of course, the resolution of all of these points will depend upon the parties’ relative bargaining power and it may require concessions to reach agreement. The HIPAA landscape has changed dramatically under the HITECH Act and BAAs that once were afterthoughts now command a high degree of care and scrutiny on the parts of both covered entities and business associates. Covered entities and business associates need to review existing BAAs, replace them where necessary, put them in place where missing, and closely monitor compliance.

Compliance Beyond the Covered Entity 14

The Role of the IT Function When HIPAA legislation was passed, some organizations initially turned to IT directors and information security officers to lead their compliance efforts. On the other hand, some organizations included IT and chief information security personnel as an after-thought. As organizations gained a better understanding of HIPAA requirements, they realized that, while IT is an important component and must be involved;; they should not be solely responsible for the compliance program. As this paper demonstrates, compliance with HIPAA and HITECH requires a collaborative effort that extends well beyond the IT department. With that said, IT staff and information security personnel are critical to the implementation of a successful compliance program. Regardless of size, HIPAA compliance has a significant impact on the IT function and systems, and must be addressed in many areas including:

x x x x x x x x x x x

Infrastructure management and security;; Application development, implementation, and administration;; End user access and system security;; Data management, storage, back up, and recovery;; Equipment procurement, deployment, upgrades, and replacements;; Use of employee owned devices in the work place;; Data center operations and tech support;; Data integration and encryption;; Vendor management and access;; IT standards, policies, and procedures;; and Staff screening and training.

Due to its complexity, IT traditionally requires numerous product and service agreements. Each of these agreements must be compliant when HIPAA requirements apply. Finally, since compliance is an on-going process, IT staff and information security personnel must continue to be involved in the compliance program.

“We can build the best internal security program in the world and still suffer and be held accountable for a breach at the hands of one of our business partners. Kyle Duke, CIO, HealthSpring

Compliance Beyond the Covered Entity 15

The Bottom Line Patients depend on health care organizations to address their health care needs and to protect their health information. Meeting these expectations and the legal requirements surrounding them are challenging for small and large organizations alike. Compliance begins with acceptance and acknowledgment of HIPAA requirements, an honest self-assessment, willingness to devote resources, and an understanding that technology is only one component of the program. It continues by gaining support from top management, designating someone to be responsible for the program, and assembling a team of professionals with expertise in this area. It is operationalized through agreements, policies, procedures, and training. Finally, it is sustained through monitoring and enforcement. If organizations do not willingly undertake these actions in an earnest manner, the resulting consequences will force them to do so.

A Great Place To Live and Work x Population of over 1.5 million people x Cost of living almost 10 percentage points below the U.S. average x One of the top centers in the world for the creative class x Strong, diverse economy including headquarters of Community Health Systems, Country Music Television, Dollar General, Gibson Guitars, Griffin Technology, HealthStream, Healthways, Hospital Corporation of America, & Nissan North America x Over 100,000 college students in the region's 21 accredited 4-year and post graduate institutions, 6 community colleges, and 11 vocational and technical schools x Well-educated population where over 50% of adults 25 years and older have one or more years of college education x Recent rankings include: R 10 Under Rated Hotbeds of American Innovation - Fast Company R Top 10 Best Cities for Tech Jobs – Forbes R Top Start Up Paradise - Young Entrepreneurs Council R Cities That Are Getting Smarter the Fastest – Forbes R #1 City for Job Growth – Kiplinger R Top 10 Best Place for Business & Careers – Forbes Information from Nashville Area Chamber of Commerce

Acknowledgements This paper would not be possible without the contributions of Nashville’s health care and technology communities. It is the result of a collaborative effort that showcases the depth and breadth of expertise that resides in Middle Tennessee. First, the NTC would like to thank Andy Flatt and Kyle Duke of HealthSpring for suggesting a white paper and helping develop the idea. We also thank former KPMG employee, Connie McGee, for her assistance in obtaining financial support from KPMG. Work on the paper began in earnest at a Health Care Privacy and Security Summit in Nashville that brought together over 100 practitioners, experts in the field, and leaders in health care information privacy and security including: x Keynote speaker Adam Greene, Partner, Davis Wright Tremaine and former regulator, U.S. Department of Health and Human Services;; x Panel Moderator Greg Bell, KPMG;; x Panelist Bob Chaput, CEO, Clearwater Compliance;; x Panelist Bill Dieringer, CISO, Ardent Health Services;; and x Panelist Kyle Duke, CISO, HealthSpring. The Summit was made possible through supporting sponsorships from Clearwater Compliance, Dell, Intel, and Peak 10. Additionally, Core BTS, Entegrity Solutions, HealthSpring, IBM, The Kelso Group, and The Tennessee Chapter of HIMSS supported small group discussions at the Summit. We are grateful to our speakers and sponsors, as well as the Summit attendees (listed later in this paper), for their contributions.

Compliance Beyond the Covered Entity 16 The NTC also thanks Ashley Miller, a graduate student of Lipscomb University’s Master of Health Care Informatics program. She worked tirelessly to research and assemble a significant portion of this white paper. The NTC appreciates her contributions. Research for this paper included conducting numerous interviews and small group discussions. Specifically, the following people offered helpful insights, information, and feedback. We appreciate their willingness to share their knowledge and expertise to make this paper better. x Scott E. Augenbaum, Federal Bureau of Investigation;; x Dr. Elizabeth Breeden, Lipscomb University;; x Bob Chaput, Clearwater Compliance;; x Kyle Duke, HealthSpring;; x Anthony Mannarino, HealthSpring;; x Anelisa Martin, Medi-Copy Services;; x Jon Neiditz, Nelson Mullins;; x Jerry Powers, JV Powers & Company;; x Anne Sumpter-Arney, Bone McAllester Norton, PLLC;; x Bryan Thornton, Net Reaction;; x Lance Wolrab, Dell;; and x Steve Wood, Baker Donelson. While many people made this paper better through their reviews and comments, the NTC especially thanks Steve Wood, Baker Donelson, for his thorough review, and Stacy Daniel, Executive Assistant to the CIO, HealthSpring, for proofreading it. Finally, the NTC thanks the Tennessee Chapter of HIMSS for allowing the first edition of this white paper to be released at the 2012 Summit of the Southeast. We are grateful to be part of a community that is so willing to work together for the greater good.

Compliance Beyond the Covered Entity 17

Health Care Privacy & Security Summit Attendees Christel Alvarez Iron Mountain Carrie Arkle LetterLogic, Inc. Anne Arney Bone McAllester Norton Jacob Arthur FDH Consulting

Tim Barker Vanguard Health Systems Greg Bell KPMG James Berkowicz Sprint Margaret Bond IASIS Healthcare Nicole Bond Arbor Healthcare Andy Borchers Lipscomb University Howard Bright Passport Health Comm Juaquin Brown Lipscomb University Mark Burnette LBMC Michael Caskey Anthem Healthcare Intelligence Mary Chaput Clearwater Compliance Bob Chaput Clearwater Compliance Will Cook RCG Stephanie Crabb CynergisTek

Andy Flatt HealthSpring

Andrew Mains Iron Mountain

Justin Scalise Corizon Health

Mark Fulford LBMC

Anthony Mannarino HealthSpring

Frederick Scholl Monarch Info Networks

Adam Greene Davis Wright Tremaine

Cheryl Maplesden Aegis Sciences Corp

Pat Sheridan InStream

Daniel Guinaugh Systems Solutions Technologies Ray Guzman WPC Kevin Hagan Willis Roy Hall The Kelso Group Rodney Hamilton, M.D., HIMSS Tim Harris Systems Solutions Tech Crista Harwood Passport Health Comm Mark Hinson InStream Robert Hoisington Sirius Greg Huddleston IBM Bryan Huddleston Microsoft

Peter Martin C3 Consulting

Gaye Smith Vanderbilt University Medical Center

Anelisa Martin Medi-‐Copy Services

Van Steel KPMG

James Mathis Clearwater Compliance

Paul Sternberg Look-‐Listen

Steve Mayeur IBM

David Stevens LetterLogic, Inc.

Jessica McDougal teknetex, inc.

Jill Stockmaster Beacon Technologies

Connie McGee NTC Board of Directors

Jon Stone Clearwater Compliance

Robert Morris Ion IT Group

Ron Styers Healthbox Tech

Emily Moth

Tom Surface, Passport Health Communications

Brian Moyer TN HIMSS

Kristi Syling Vanguard Health Systems

Eric Mueller WPC

Michael Taylor Lipscomb University

Peter O'Donnell IBM

Ed Terry IBM

Jay Perry Core BTS

Ryun Vail Sprint

Rick Pineda InfoWorks, Inc.

Mark Van Atta Unico Technology

Heath Pitts Core BTS

Patricia Vinson Letterlogic

Frank Platt Entegrity Solutions

Will Weaver RoundingWell

Mark Johnson KPMG Derek Johnson Peak 10 Brian Johnson SVMIC Angela Jones Core BTS

Stacy Daniel HealthSpring

Compliance Beyond the Covered Entity 18

Kris Kelso The Kelso Group John Kepley teknetex, inc.

Jason Poteet TN HIMSS

Robb Wells TriStar Health System

Jerry Powers JVPowers & Company

Bill Dieringer Ardent Health Services

Janet King Middle TN eHealth Connect

Kyle Duke HealthSpring

Brit Kirby Dell Mike LaLonde ProSys Info Systems Marianne Lamkin Simplex Healthcare Helen Lane C3 Consulting Lawrence Lin Liaison Technologies Bill MacDonald Symantec

Robert Preininger Business Survival Partners Terry Raney Intel

Monroe Wesley Vanderbilt University Medical Center Michael Whitlatch Fair Warning

Chris Davenport IBM

Loretta Duncan SVMIC Michael Duncan Core BTS Kathy Ebbert Clearwater Compliance Matthew Edman HCA Richard Eller Iris Networks Drew Fassett Peak 10

Corey Wilson Cogent HMG

Ashley Robertson TN Medical Association

Lance Wolrab Dell

Art Robinson Absolute Software

Steve Wood Baker Donelson

Tony Rodefer Dell

Blake Wylie Simplex Healthcare

Max Sadler ANS

Prasad Yammanur Anthem Healthcare Intelligence

Bob Wilson Covenant Health

Mike Rice Absolute Software

Compliance Beyond the Covered Entity 19

Additional Resources

Final Rule for HITECH Breach Notificationxxii Guide to Privacy and Security May 2012xxiii HHS Encryption Guidelinesxxiv OCR HIPAA Audit Protocol June 2012xxv Rick Analysis Guidelines July 2010xxvi

Final Rule update/status Guidance from National Coordinator for Health Information Technology HHS overview of how to render PHI unusable, unreadable & indecipherable to unauthorized users Searchable information regarding privacy, security, and breach notification requirements, organized in a modular format Guidance for implementing appropriate administrative, physical, and technical safeguards to secure e-PHI

Compliance Beyond the Covered Entity 20

CFR 160.103 ii ibid iii ibid iv American Recovery and Reinvestment Act (ARRA) of 2009, Pub. L. No. 111-5, 123 Stat. 115, 516 (Feb. 19, 2009) v http://www.hrsa.gov/healthit/toolbox/healthitadoptiontoolbox/privacyandsecurity/compliancereqs.html vi 45 CFR 160.400 et seq vii Data Breaches Cost Hospitals $6B Annually. (2011). Information Management Journal, 45(2), 10. From: http://connection.ebscohost.com/c/articles/60578282/data-breaches-cost-hospitals-6b-annually viii Oatway, David. "Mobile devices contribute to PHI breaches." Long-Term Living May 2011: 20+. http://www.ltlmagazine.com/article/mobile-devices-contribute-phi-breaches ix http://www.healthcareitnews.com/news/alaska-pays-17m-hhs-data-breach x http://hitrustalliance.net/about xi http://www.nist.gov/healthcare/index.cfm xii http://www.iso.org/iso/home.html xiii http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechblurb.html xiv ibid xv http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/confidentialitystatement.html xvi http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf xvii http://www.merriam-webster.com/dictionary/privacy xviii http://www.merriam-webster.com/dictionary/security xix Brodnik, M. S., McCain, M. C., Rinehart-Thompson, L. A., & Reynolds, R. B. (2009). Fundamentals of Law for Health Informatics and Information Managmenet. Chicago: American Health Information Management Association xx Harmnda (ed.). 2006 Ethical Challenges in the Management of Health Information , 2nd ed. Sudbury, MA: Jones and Bartlett xxi Greene, Adam H. and Rebecca L. Williams. “HIPAA Audits Results Released: We Still Have Work to Do.” JD Supra. (June 13, 2012). From: http://www.jdsupra.com/post/documentViewer.aspx?fid=dca67d93-c84d-4331-a327-fc394407d125 xxii http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/finalruleupdate.html xxiii http://healthit.hhs.gov/portal/server.pt?open=512&objID=1147&parentname=CommunityPage&parentid=8&mode=2&in_hi_ userid=11673&cached=true xxiv http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html xxv http://ocrnotifications.hhs.gov/hipaa.html xxvi http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf

Compliance Beyond the Covered Entity 21

With a vision to help Middle Tennessee become known worldwide as a leading technology community, the Nashville Technology Council is devoted to helping the tech community succeed. Membership is open to technology companies, technology employers, service providers, educational institutions, and non-profit companies interested in supporting the growth of technology businesses in Middle Tennessee. To learn more, visit www.technologycouncil.com.