Page 1



”‘–‡…–‹‰–Š‡ ‡ƒŽ–Šƒ”‡…‘•›•–‡ǣ ‘’Ž‹ƒ…‡‡›‘†–Š‡‘˜‡”‡†–‹–›

ƒ•Š˜‹ŽŽ‡‡…Š‘Ž‘‰›‘—…‹Ž ™™™Ǥ‡…Š‘Ž‘‰›‘—…‹ŽǤ…‘

Compliance Beyond  the  Covered  Entity      1    


Thought Leadership:  

Kyle Duke,  CISO     Andy  Flatt,  CIO    


Underwritten by:  

Health Care  Privacy  &  Security   Summit  Sponsored  by:  


Compliance Beyond  the  Covered  Entity      2    


Executive Summary   This  white  paper  is  the  result  of  a  collaborative   effort  among  practitioners,  industry  experts,  and   academics.    Its  purpose  is  to  educate  health  care   organizations  and  service  providers  regarding   their  responsibility  to  protect  individually   identifiable  health  information.    The  findings   also  demonstrate  that  compliance  efforts  cannot   be  delegated  solely  to  the  information   technology  (IT)  department  or  chief  information   security  officer.    Technology  is  an  enabler,  not   the  silver  bullet.    While  small  to  medium   organizations  may  benefit  the  most  from  the   information  contained  in  this  paper,  research   suggests  that  even  large  organizations  may  not   have  adequately  addressed  all  of  their  legal   requirements.       The  regulations  around  compliance  are  complex,   their  scope  is  far  reaching,  and  ramifications  are   significant.    Non-­compliance  can  lead  to  fines,   damage  a  company’s  reputation,  and  more   importantly,  result  in  unlawful  disclosure  and   abuse  of  health  information.    In  order  to  comply   with  today’s  requirements,  organizations  must   review  their  compliance  programs  and  make   improvements  where  needed.    Additionally,  they   must  understand  the  chain-­of-­custody  as  they   share  individually  identifiable  health   information  with  other  entities  since  they  are   responsible  for  protection  of  that  information  as   it  travels  through  the  health  care  ecosystem.      

“If compliance  is  hard  for  large   organizations,  it  is  almost   insurmountable  for  small  ones.     Organizations  are  being  told  they   need  to  ‘do  it’  but  they  don’t   always  know  where  to  start.”       Bryan  Thornton,  Net  Reaction  

With the  passage  of  the  Health  Information   Technology  for  Economic  and  Clinical  Health   (HITECH)  Act,  enforcement  of  the  Health   Insurance  Portability  and  Accountability  Act   (HIPAA)  was  expanded  to  include  business   partners  with  whom  the  principal  entity  shares   individually  identifiable  health  information.    In   addition  to  designating  someone  to  oversee   compliance  efforts,  organizations  must   implement  policies  and  procedures,  conduct  risk   assessments,  clean  up  and  classify  data,   implement  an  incident  response  plan,  increase   security  awareness,  improve  physical  security,   and  strengthen  data  access  controls.    These   efforts  are  time  consuming  and  often  require   assistance  from  third  party  experts  such  as  legal   counsel,  health  care  privacy  and  security   consultants,  and  technology  professionals.    The   goal  is  to  go  beyond  just  the  letter  of  the  law,   ensuring  that  patients’  health  information   remains  private  and  secure,  and  protected  from   those  who  should  not  have  access  to  it.       Ensuring  that  service  agreements  between  a   principal  health  care  entity  and  its  business   partners  meet  requirements  for  sharing  health   information  is  not  an  easy  task.    It  requires   reviewing  existing  service  agreements,   determining  whether  regulations  apply  and  if   they  do,  ensuring  adequate  terms  exist  to  address   these  requirements.    The  process  can  be  difficult   when  establishing  new  service  agreements  and   even  more  so  when  addressing  inadequacies  in   existing  ones.      The  areas  to  be  addressed  in   service  agreements  include  clearly  defining   obligations  of  the  principal  entity  and  the   business  partner.       This  white  paper  highlights  today’s  requirements   and  provides  recommendations  for  addressing   them.    It  contains  suggestions  regarding  how  to   begin  and  provides  a  framework  for  moving   forward.    Finally,  it  demonstrates  how   compliance  is  difficult  but  not  impossible.  

Compliance Beyond  the  Covered  Entity      3    


Introduction Securing  health  information  is  a  top  concern  for   every  organization  within  the  health  care   ecosystem.    While  progress  has  been  made,   ensuring  the  privacy  and  security  of  health   related  data  that  flows  between  entities  is   becoming  more  important  as  regulations  evolve   and  the  ecosystem  expands.    The  number  of   entities  involved  in  processing  health   information  is  over  1.2  million  according  to   recent  estimates.    Many  entities  do  not  have   adequate  procedures  in  place  to  ensure  data   leaving  their  organization  remains  protected  as  it   flows  through  the  ecosystem.     Under  HIPAA,  most  health  care  providers  (such   as  physicians  and  hospitals)  and  payors  (such  as   insurance  companies  and  self-­insured  group   health  plans),  as  well  as  the  clearinghouses  that   process  health  care  transactions,  are  called   “covered  entities.”i    Parties  that  provide  services   to  those  covered  entities  involving  access  to  or   possession  of  protected  health  information  (such   as  billing  companies,  software  vendors,  and   lawyers)  are  called  “business  associates.”ii     Protected  health  information  (PHI)  is   individually  identifiable  health  information  held   or  transmitted  by  a  covered  entity  or  its  business   associates,  in  any  form  or  media,  whether   electronic,  paper,  or  oral.iii    If  a  business   associate  (BA)  does  not  maintain  equally  strict   standards  of  protection  for  PHI,  the  covered   entity  (CE)  can  be  held  responsible  as  well.    The   penalties  and  fines,  as  well  as  damage  to  the   organization’s  reputation,  that  result  from   breaches  associated  with  shared  PHI,  are   becoming  more  severe  as  regulations  evolve  and   are  more  rigorously  enforced.     In  addition  to  the  challenge  of  ensuring  that   business  associates  have  adequate  measures  in   place,  the  HITECH  Act,  established  through  the  

American Recovery  Reinvestment  Act  (ARRA)   of  2009,iv  mandates  tighter  security  measures  for   security,  privacy,  and  breach  notification,  among   other  things,  and  increases  the  chances  of   incurring  penalties  for  non-­compliance.v    If  the   CE  or  its  business  associate’s  PHI  is  breached,   the  covered  entity  must  report  the  breach  to   Health  and  Human  Services  (HHS),  risking   significant  damage  to  the  covered  entity’s   reputation  and  costs  far  exceeding  potential   fines.  This  notification  is  covered  under  the   Breach  Notification  Rule  mandated  in  

“HIPAA compliance  isn’t  enough.     Breach  notification  requirements  are  a   game  changer.”     Adam  Greene,  Partner,  Davis  Wright   Tremaine  LLP,  and  former   regulator,  U.S.  Department  HHS  

This white  paper  summarizes  the  risks  and   penalties  of  data  breaches,  describes  how  these   breaches  affect  patients,  and  provides   recommendations  for  improving  security  of  PHI   as  it  flows  through  the  health  care  ecosystem.    It   discusses  challenges  and  recommendations  for   improvement  as  described  by  representatives  of   Nashville’s  health  care  community  as  they  seek   to  continually  improve  security  controls  and   ensure  that  agreements  with  their  business   associates  address  requirements.    The  white   paper  shows  how  compliance  requires  a  team   approach  where  the  IT  department  and  chief   information  security  officer  (CISO)  play  an   important  but  not  solo  role.      It  includes  a  sample   security  checklist  and  considerations  for  a   business  associate  agreement,  as  well  as  links  to   additional  information  to  assist  organizations   navigating  through  the  process  of  securing   protected  health  Information.  

Compliance Beyond  the  Covered  Entity      4    


Why It  Matters   Today’s  health  care  organizations  are  prime   targets  for  professional  hackers  and  cyber   criminals.  PHI  is  highly  valued  on  the  black   market,  yielding  much  higher  payouts  for   hackers  than  other  personal  information.    For   example,  a  cyber  criminal’s  payout  for  stolen   PHI  ranges  from  $28  to  $50  per  record  where   credit  card  information  only  garners  $1  to  $5  per   record.    In  addition  to  a  higher  payout  for  PHI,   cyber  criminals  find  the  process  of  hacking  a   health  care  organization  relatively  easy  to   accomplish  and  difficult  to  get  caught  doing.     Health  records,  regardless  of  format,  can  contain   some  of  the  most  private  information  about  an   individual  and  typically  include  social  security   numbers,  birth  dates,  home  addresses,  family   information,  and  billing  information  such  as   bank  and  credit  card  numbers.      

“Since no  boundaries  exist  in  cyber  space,   health  care  records  are  attractive  targets   for  transnational  organized  criminal   enterprises.  Once  the  cyber  criminals  steal   information,  recovery  by  law  enforcement   is  very  difficult.”     Scott  E.  Augenbaum,     Federal  Bureau  of  Investigation  

Clearly, hackers  have  the  ability  to  do  significant   damage  with  this  information.    Risks  to   individuals  include  identity  theft,  health   insurance  fraud,  significant  financial  loss,  and   exposure  of  a  person’s  health  status,  including   history,  outcomes,  and  diagnosis.    If  any  of  these   areas  is  exploited,  a  person  may  spend  several   years  cleaning  up  the  aftermath  to  regain  what   has  been  lost.    As  such,  organizations  storing   PHI  are  gold  mines  for  hackers.  

According to  a  recent  study  by  Ponemon   Institute  published  in  the  Information   Management  Journal,vii  nearly  $6  billion  per   year  is  spent  on  data  breaches.      The  findings   reveal  that,  while  HITECH  requires  even  tighter   controls,  many  health  care  organizations  are  still   not  taking  adequate  steps  to  ensure  privacy  and   security  of  PHI.    The  study  indicates  that   numerous  breaches  are  going  undetected  and   vulnerabilities  in  most  systems  are  putting   organizations  and,  more  importantly,  patients  at   risk.    One  example  of  this  issue  is  described  in   the  article  “Mobile  Devices  Contribute  to  PHI   Breaches.”viii        The  article  outlines  how  “the   HITECH  Act  has  increased  fines  associated  with   breaches  in  an  effort  to  ensure  health  care   organizations  understand  how  seriously  they  are   taking  these  issues.”    It  goes  on  to  describe  how   Massachusetts  General  Hospital  was  fined  $1   million  after  it  experienced  a  HIPAA  violation.     Even  though  Massachusetts  General  was  able  to   resolve  the  issue  and  put  protections  in  place,   they  were  fined  for  the  violation.         In  more  recent  news,  the  Alaska  Department  of   Health  and  Social  Services  (DHSS)  agreed  to   pay  HHS  $1.7  million  to  settle  a  possible  HIPAA   Security  Rule  violation.  This  settlement  is  the   second  largest  in  history  and  marks  the  first   enforcement  action  against  a  state  agency  by  the   Office  of  Civil  Rights  (OCR),  the  entity  charged   with  auditing  compliance.    The  vulnerability  was   found  after  Alaska’s  DHSS  reported  to  HHS  that   a  stolen  USB  hard  drive  contained  2,000  patient   records.      In  accordance  with  the  HITECH  Act,   since  the  breach  affected  more  than  500   individuals,  it  had  to  be  reported  to  the  HHS  and   the  media  (organizations  are  only  required  to   report  breaches  affecting  less  than  500   individuals  on  an  annual  basis).    The  OCR   moved  forward  with  the  investigation,   uncovering  significant  vulnerabilities  and  a  lack      

of adequate  security  controls.    Information   regarding  the  breach  was  highly  publicized   throughout  various  media  channels,  seriously   damaging  DHSS’s  reputation.ix      For  the   foreseeable  future,  Alaska’s  DHSS  will  be   monitored  closely  by  the  OCR.    

Nashville’s Experts  Weigh  In   At  the  Nashville  Technology  Council’s  (NTC)   Privacy  and  Security  Summit,  held  in  March  of   2012,  representatives  from  Nashville’s  health   care  community  voiced  concerns  regarding   security  of  PHI.    The  purpose  of  the  Summit  was   to  discuss  security  concerns  and  identify  ways  to   address  them.    Several  questions  were  posed  to   Summit  attendees.    A  summary  of  those   discussions  follows.     What  are  the  primary  concerns  your   organization  has  related  to  sharing  PHI?     The  attendees  voiced  concerns  about  the  unclear   chain-­of-­custody  for  health  care  information  as   it  passes  through  the  ecosystem  and  a  lack  of   well-­defined  agreements  between  covered   entities  and  data  trading  partners.    They   expressed  additional  concern  about  the  lack  of   clarity  around  which  party  is  accountable  for   what  data  and  at  what  times.    Many  do  not   believe  that  business  associates  employ   consistent  security  frameworks  or  have  adequate   security  controls  in  place,  especially  related  to   policies  for  employee  owned  devices  being  used   in  the  workplace.  

Compliance Beyond  the  Covered  Entity      5     Considering  the  concerns  identified  above,   what  steps  can  be  taken  or  have  your   organizations  taken  to  address  these  concerns?     A  majority  of  attendees  agreed  that  ensuring   service  agreements  meet  today’s  legal   requirements  is  an  important  and  required  step   toward  improving  privacy  and  security  of  PHI.       However,  they  recommended  cleaning  up  data   (knowing  what  type  of  data  exists  and  where  it   resides)  and  promoting  encryption  should  also   be  top  priorities.    Another  popular  response   among  the  attendees  was  the  need  to  establish  a   training  program  to  educate  employees  and   business  associates  regarding  privacy  and   security  policies  and  procedures.      

“Encryption, properly  done,  cures   many  ills.”       Steve  Wood,  Baker  Donelson

Some attendees  went  further  to  suggest   organizations  hire  a  third-­party  auditing  firm  to   ensure  vulnerabilities  are  identified  and   addressed  from  an  objective  point  of  view.           They  stated  a  belief  that  this  type  of  engagement   would  compel  an  organization  to  strengthen  its   compliance  practices  upfront  and  ensure  that   only  necessary  information  is  captured,  stored,   and  shared.    As  more  organizations  allow   employees  to  “bring  their  own  devices”  to  work,    

Middle Tennessee  has  an  unparalleled  concentration  of  health  care  companies  and  supporting  organizations.       The  area's  leadership  and  innovation  have  a  significant  impact  locally,  nationally,  and  internationally.     x The  health  care  industry  is  Nashville’s  largest  and  fastest  growing  employer   x Locally  -­  nearly  $30  billion  in  revenue  annually  and  more  than  200,000  jobs     x Globally  -­  more  than  $70  billion  in  revenue  annually  and  over  400,000  jobs   x More  than  250  health  care  companies  have  operations  in  Nashville     x 16  publicly  traded  health  care  companies  are  located  in  Nashville     Information  obtained  from  Nashville  Health  Care  Council  

attendees recommended  careful  consideration  of   this  practice  and  deployment  of  modern  controls   such  as  policy  based  mobile  device  security.         Attendees  also  suggested  these  issues  be   specifically  addressed  through  policies  and   procedures,  as  well  as  through  adoption  of  a   security  framework.     Since  many  legal  requirements  leave  gray   areas,  what  are  the  common  practices  and   standards  that  your  organization  is  using?     Most  attendees  expressed  a  strong  movement   toward  adoption  of  a  security  framework  such  as   the  Health  Information  Trust  Alliance   (HITRUST)  Common  Security  Framework,x  the   National  Institute  for  Standards  and  Technology   (NIST)  HIPAA  Security  Rule  Toolkit,xi  or  the   International  Standards  Organization  (ISO)   standard  for  managing  health  information   security.xii           They  also  suggested  that  compliance  programs   are  a  team  effort,  led  by  a  designated  responsible   party,  but  staffed  by  internal  and  external   professionals  with  expertise  in  information   security,  law,  contracting,  HIPAA  compliance,   etc.    Attendees  also  emphasized  stronger   enforcement  of  existing  policies  and  procedures.     Obtaining  breach  insurance  was  also  suggested.    

Enforcement Begins     Included  in  the  HITECH  Act  is  a  mandate  that   HHS  establish  an  audit  program,  which  was   launched  in  2011.  The  audit  program  is  designed   to  review  current  compliance  and  identify   vulnerabilities  that  may  exist  so  they  can  be   corrected.    The  audits,  conducted  by  the  OCR,   impose  penalties  on  organizations  that  are  not   meeting  HITECH  requirements,  which  increase   business  associate  liability  and  impose  

Compliance Beyond  the  Covered  Entity      6     additional  restrictions  on  the  sale,  use,  and   exchange  of  PHI.         Although  the  effective  date  for  many  HITECH   provisions  has  passed  (February  17,  2010),   according  to  HHS,  “the  final  rule  that  will   follow  provides  specific  information  regarding   the  expected  date  of  compliance  and   enforcement  of  these  new  requirements.   However,  interim  final  rules  implementing   HITECH  Act  provisions  in  two  areas  have   already  been  issued  and  are  currently  in  effect:   enforcement  and  breach  notification.”xiii       Among  other  provisions,  covered  entities  and   business  associates  alike  must  now  comply  with   breach  notification  obligations.  The  “OCR  will   enforce  the  Breach  Notification  Interim  Final   Rule,  including  the  possible  imposition  of   sanctions,  as  it  does  with  the  HIPAA  Privacy  and   Security  Rule  requirements.”xiv     As  a  part  of  ARRA,  specifically  section  13411   of  the  HITECH  Act,  HSS  gave  the  OCR   responsibility  for  enforcing  HIPAA  rules  for   privacy,  security,  and  breach  notification  through   periodic  audits  of  covered  entities  and  business   associates.  The  goal  is  to  achieve  optimum   protection  of  the  privacy  and  security  of  PHI.  In   November  of  2011,  the  OCR  began  the  first   round  of  audits  in  conjunction  with  the   professional  public  accounting  firm,  KPMG   LLC  (KPMG),  the  company  tasked  with   administering  the  audits  and  reporting  findings.         The  first  round  of  audits  includes  150  covered   entities  and  business  associates.    Organizations   selected  for  an  audit  receive  a  notification  letter   from  the  OCR  requiring  their  cooperation  with   KPMG  in  providing  documentation  regarding   their  compliance  practices.    According  to   HIPAA,  they  are  expected  to  supply  all   requested  information  at  the  time  of  the  audit.     The  organizations  being  audited  should  prepare  

for an  on-­site  visit  from  KPMG  within  30  to  90   days  after  notice.xv    By  these  actions,  the  HHS  is   clearly  demonstrating  that  they  take  their   responsibility  very  seriously.    Twenty  of  the  150   planned  audits  were  completed  as  of  March   2012.    The  findings  revealed  that  small  covered   entities  (companies  generating  $50  million  or   less  in  yearly  revenue)  have  the  most  security   compliance  issues.    Business  associates,  such  as   clearinghouses  and  health  insurance  plans,  fared   better  than  health  care  providers  in  the  first  20   audits.xvi        

“A retention  policy  is  critical  since  40%   of  breaches  occur  against  data  for   which  the  organization  no  longer  has  a   defined  business  need.”   Bryan  Thornton,  Net  Reaction  

It’s important  to  note  that  although  often  used   interchangeably,  security  and  privacy  are  not  the   same.    Privacy  is  defined  as  freedom  from   unauthorized  intrusion,xvii  while  security  entails   measures  to  protect  against  sabotage,  crime,  or   attack.xviii    Given  the  difference,  two  rules  were   established  to  protect  PHI.    The  goal  of  the   Privacy  Rule  is  to  increase  individuals’  rights   related  to  health  information  and  to  ensure   greater  privacy  protections  for  protected  health   information.xix    The  Security  Rule  pertains  to  the   physical  and  electronic  protection  of  information   that  preserves  confidentiality.xx         Overall,  compliance  with  the  Security  Rule  was   clearly  more  problematic  than  compliance   related  to  privacy.      The  audits  found  that  65%  of   major  findings  were  related  to  the  Security  Rule;;   26%  were  related  to  the  Privacy  Rule;;  and  9%   were  related  to  the  Breach  Notification  Rule.        

Compliance Beyond  the  Covered  Entity      7     The  most  frequent  issues  found  were  related  to:     x User  activity  monitoring,   x Contingency  planning,   x Authentication,   x Media  reuse  and  destruction,   x Conducting  risk  assessments,     x Access,  and   x Managing  third  party  risks.  xxi  

Getting  Started:  Security  Checklist     For  many  organizations,  creating  and   maintaining  an  up-­to-­date  security  and   compliance  program  is  an  overwhelming  and   seemingly  daunting  task.    Despite  its   complexity,  every  organization  can  establish  or   improve  its  security  and  compliance  program.   To  ensure  success,  this  effort  must  be  supported   from  the  top  of  the  organization  and  a   responsible  party  dedicated  to  overseeing  and   maintaining  the  program  must  be  designated  and   given  the  time,  training,  and  support  necessary   to  manage  the  program.    The  person  responsible   for  the  compliance  program  might  be  a  CISO  or   compliance  officer  in  a  large  organization  or  a   doctor  or  office  administrator  in  a  small  one.     Regardless  of  who  is  responsible  for  the   compliance  program,  every  organization  should   create  and  follow  a  checklist  of  controls  and   have  a  plan  to  enforce  and  review  such  controls.   However,  this  effort  is  not  a  static  process.    It   must  be  iterative  to  address  variables  such  as  the   formation  of  new  business  partnerships  and   changes  in  legislation.    The  recent  emphasis  on   enforcement  means  that  covered  entities  and   business  associates  can  no  longer  just  check  off   tasks  on  a  list.    They  must  demonstrate  serious   intent  by  operationalizing  their  security  and   compliance  programs  through  policies  and   procedures,  education  and  training,  assessments,   and  enforcement.        

Compliance Beyond  the  Covered  Entity      8    

  Following  is  a  sample  high-­level  security  checklist  designed  to  aid  organizations  in  establishing  or   improving  their  security  and  compliance  programs.    This  list  does  not  represent  a  full  compliance   program  and  should  not  be  used  as  such.    Each  organization’s  security  checklist  should  be  tailored  to   reflect  its  specific  situation,  responsibilities,  and  requirements.    

ADMINISTRATIVE Controls Risk Assessment Create roadmap from assessment results Classify Data Map PHI data at rest & in motion Categorize PHI data Identify who has access Implement Policies & Procedures Change management Granting/modifying access Access termination Password management Data backup Acceptable use Segregation of duties Data retention Implement an Incident Response Program Document chain of custody for all PHI Security Awareness New hire training Annual review and attestation Adopt a security framework Formalize data trading partnerships Business Associate Agreement for each PHI data trading partner Complete training for business associates Send 3rd party security questionnaire If applicable, perform on-site reviews Mobile Device/BYOD Develop policy & train employees

Responsible Party

Due Date

Date Completed

Compliance Beyond  the  Covered  Entity      9  


Responsible Party

Due Date

Date Completed

Due Date

Date Completed

Perform periodic access reviews Check segregation of duties Ensure access is appropriate Implement process to audit access (audit log) Change privileged account passwords on scheduled basis Monitor data classification Ensure PHI is accessed by appropriate personal Identify and address data leakage Encrypt data (in motion and at rest) Devices (desktops, laptop, mobile, etc.) Writable media Audit Identify how user activity is monitored Conduct annual access reviews Establish a processes to monitor Conduct random audits

PHYSICAL Controls Physical Security Implement badge access at all perimeter doors Ensure data center(s) access has access levels Use visitor Sign In/Out and escort procedures After-hours security process & system Data center(s) environmental controls Fire suppression UPS power backup Air conditioning Elevated floors Fire/smoke/water detection Climate control

Responsible Party

Components of  a  Business   Associate  Agreement     HIPAA  imposes  an  enforcement  scheme  unique   among  Federal  laws.    While  it  provides  for   enforcement  by  the  government  like  any  other   law,  HIPAA  also  requires  enforcement  through   contractual  obligations  between  covered  entities   and  their  business  associates.      

“The government  is  watching  and  the  stakes   are  high.”       Steve  Wood,  Baker  Donelson  

Essentially, the  law  mandates  that  covered   entities  impose  certain  privacy  and  security   obligations  on  their  business  associates  and  in   turn,  business  associates  must  make  promises  to   covered  entities  in  written  contracts  typically   called  “business  associate  agreements,”  or   BAAs.    The  HIPAA  Final  Rule  will  most  likely   extend  this  requirement  downstream  to   subcontractors  of  business  associates  that  handle   PHI  (such  as  vendors  that  host  applications  on   behalf  of  software  companies).     Until  the  HITECH  Act,  only  covered  entities   were  regulated  by  HIPAA,  so  the  BAA  was  the   mechanism  by  which  Congress  sought  to  ensure   that  business  associates  would  be  limited  in  their   rights  to  use  and  disclose  patient  information   obtained  from  covered  entities.  It  also  requires   that  business  associates  implement  appropriate   measures  to  safeguard  PHI.    Now  business   associates  are  directly  regulated  by  HIPAA  and   are  subject  to  most  of  the  same  requirements  as   covered  entities.            


Compliance Beyond  the  Covered  Entity      10   Thus,  a  business  associate  that  fails  to  do  what  is   required  under  HIPAA  faces  the  potential  of   both  government  enforcement  action  and  a   lawsuit  for  breach  of  contract  from  the  customer,   i.e.  the  covered  entity.     If  being  sued  for  potentially  astronomical   damages  is  not  enough,  the  threat  of   enforcement  action  by  the  government  should   strike  fear  in  the  hearts  of  business  associates.     Under  HITECH,  Congress  authorized  state   attorneys  general  to  enforce  HIPAA  in  addition   to  the  OCR,  the  arm  of  HHS  that  historically  had   that  power.    Besides  a  lot  more  cops  on  the  beat,   violations  of  HIPAA  now  bring  much  higher   penalties  and  even  criminal  prosecution.     Organizations  Supporting  Nashville’s     Health  Care  Ecosystem     Tennessee  Chapter  of  HIMSS   Provides  statewide  leadership  for  the   advancement  and  management  of  healthcare   information  and  technology.     Entrepreneur  Center   Connects  entrepreneurs  with  investors,  mentors   and  the  critical  resources  they  need  to   accelerate  the  launch  of  start-­up  businesses,   where  health  care  is  one  of  four  industry   sectors.     Nashville  Health  Care  Council   An  association  of  health  care  industry  leaders   working  together  to  further  establish   Nashville’s  position  as  the  nation’s  health  care   industry  capital     Nashville  Technology  Council   Helps  Middle  Tennessee’s  technology   community  succeed.    

The principal  topics  addressed  under  most   BAAs  include  the  following.  

¾ Permitted  and  prohibited  uses  of  PHI  (in   addition  to  using  PHI  as  necessary  for   provision  of  the  services,  such  as  for  the   proper  business  management  and   administration  of  the  business  associate   and  as  necessary  to  meet  its  legal   requirements).     ¾ Permitted  and  prohibited  disclosures  of   PHI  (again,  addressing  disclosures  in   addition  to  those  necessary  for  provision   of  the  services,  such  as  for  the  proper   business  management  and  administration   of  the  business  associate  and  as  necessary   to  meet  its  legal  requirements).     ¾ Whether  and  under  what  circumstances   the  business  associate  will  de-­identify   data,  who  owns  it,  and  what  can  be  done   with  it.     ¾ Whether  data  from  the  covered  entity  will   be  aggregated  with  data  from  other   covered  entities,  and  for  what  purposes.     ¾ How  to  deal  with  patients’  requests  for   access  to  their  data  or  amendment  of  their   data.     ¾ How  to  deal  with  patients’  requests  for  an   accounting  of  any  disclosures  of  their   data.     ¾ The  Minimum  Use  Rule  (which   essentially  dictates  that  covered  entities   provide  to  business  associates  only  the   minimum  information  necessary  for   whatever  service  is  being  performed,  and   the  business  associate  likewise  is  limited   to  requesting  only  that  minimum  data   from  the  covered  entity).  


Compliance Beyond  the  Covered  Entity      11         ¾ The  conditions  under  which  the  business   associate  may  further  disclose  PHI  to   subcontractors.     ¾ The  safeguards  that  must  be  implemented   and  maintained  by  the  business  associate   to  protect  PHI  in  electronic  format  (i.e.,   the  information  security  requirements).     ¾ The  time  lines  and  procedures  for  the   business  associate  to  notify  the  covered   entity  of  a  data  breach  or  of  a  security   incident  that  does  not  result  in  a  data   breach  (note  that  breach  notification  is  a   critically  important  item  in  the  BAA).     ¾ Who  has  the  responsibility  to  send  data   breach  notifications  to  affected  individuals   and  who  pays  for  the  notices.     ¾ What  happens  if  the  government  decides   to  conduct  a  compliance  audit.     ¾ The  obligations  of  the  covered  entity  to   advise  the  business  associate  of   circumstances  such  as  a  patient’s  request   for  a  restriction  on  the  disclosure  of  his  or   her  PHI.     Additional  matters  often  addressed  under  the   BAA  include  the  following.     ¾ Whether  the  business  associate  is  required   to  comply  with  laws  other  than  HIPAA  (as   a  matter  of  contract  under  the  BAA,   regardless  of  whether  the  BAA  is  required   to  comply  as  a  matter  of  those  laws;;  i.e.,   whether  the  covered  entity  can  sue  the   business  associate  for  not  complying  with   those  laws).    

¾ Whether the  covered  entity  has  rights  to   audit  the  business  associate’s  compliance   with  its  obligations  under  the  BAA  and   whether  the  business  associate  is  obligated   to  complete  and  certify  compliance   questionnaires  from  the  covered  entity.     ¾ That  the  business  associate  may  not  store   or  transmit  PHI  outside  the  United  States.     ¾ The  methods  by  which  the  business   associate  will  securely  destroy  PHI  in   paper  and  electronic  forms.     ¾ If  the  business  associate  will  be   conducting  HIPAA  electronic  transactions,   that  the  business  associate  must  comply   with  each  requirement  for  Standard   Transactions  established  in  HIPAA.     ¾ Whether  the  business  associate  must   encrypt  electronic  PHI,  and  if  so,  to  what   standard.     ¾ Whether  the  business  associate  is  required   to  maintain  a  cyber-­liability  insurance   policy  to  cover  the  costs  of  a  data  breach.     ¾ Whether  the  business  associate  must   indemnify  the  covered  entity  (i.e.,  cover   the  potentially  large  costs  incurred)  for  a   data  breach  in  addition  to  breach   notification  costs,  such  as  forensic   investigation,  legal  fees,  public  relations   expenses,  setting  up  and  operating  a  call   center,  and  providing  credit  monitoring   services  to  affected  persons.  

The  last  bullet  point  above,  regarding   indemnification,  has  become  perhaps  the  most   contentious  item  in  the  negotiation  of  BAAs   recently,  as  both  covered  entities  and  business   associates  have  seen  the  costs  associated  with   data  breaches.    Practically  speaking,  data  breach   is  less  of  a  concern  if  the  business  associate  will  


Compliance Beyond  the  Covered  Entity      12   only  have  access  and  not  actual  possession  of   PHI,  but  when  the  business  associate  is  in   control  of  protecting  the  data,  covered  entities   generally  should  push  hard  for  broad,  unlimited   indemnification.    On  the  other  hand,  business   associates  must  evaluate  how  much  financial   risk  they  are  willing  to  take  and  resist  or  limit   the  scope  of  such  indemnification.    In  any  case,   both  parties  need  to  remember  that  a  BAA   always  accompanies  some  sort  of  services   agreement  and  that  agreement  may  have   provisions  limiting  the  business  associate’s   liability  that,  if  not  carefully  crafted,  could   override  the  indemnification  obligation  in  the   BAA.     Due  to  the  complexity  inherent  in  developing  a   BAA  that  is  appropriate  to  a  given  circumstance   and  the  high  stakes  involved,  seeking  counsel   from  attorneys  well-­versed  in  HIPAA  is  critical   for  both  covered  entities  and  business  associates.     Simply  pulling  a  BAA  off  the  Internet  or  trying   to  prepare  one  based  on  someone  else’s  BAA  is   laden  with  peril.         Likewise,  this  white  paper  is  not  intended  to   explain  every  nuance  and  all  the  variations  that  a   given  BAA  provision  might  take  from  the   opposing  standpoints  of  the  covered  entity  and   the  business  associate.    It  simply  outlines   considerations  that  come  into  play  including  the   following.     ¾ Will  the  business  associate  actually   possess  PHI  or  merely  have  occasional   access  to  it?    If  access,  will  it  be  on  site   (such  as  a  contract  computer  technician)   or  remote  (such  as  a  software  vendor   connecting  to  perform  diagnostics  or   maintenance)?     ¾ Will  the  PHI  be  used  to  make  decisions   about  patients  (i.e.,  will  it  constitute  a   “designated  record  set”  as  defined  under   HIPAA)?  

¾ Will the  volume  of  patient  records  be   substantial  (as  in  the  case  of  a  Software  as   a  Service  vendor  hosting  the  entire   electronic  medical  records  or  electronic   health  records  system)  or  will  the  business   associate  only  handle  a  small  number  of   patient  records  (for  example,  an  attorney   occasionally  defending  a  malpractice   suit)?     ¾ Will  the  records  involved  include  a  large   amount  of  information  about  a  given   patient  or  just  a  limited  number  of  data   fields?     ¾ Will  the  business  associate  maintain  the   only  instance  of  the  patient  information   (aside  from  back-­ups)  or  will  the  business   associate  receive  a  copy  of  data   maintained  in  some  other  primary  system?     ¾ Will  the  business  associate  maintain  (or   have  access  to)  PHI  for  a  long  time  or  will   it  be  relatively  brief?     ¾ Will  the  business  associate  need  to   disclose  PHI  to  a  subcontractor  and  if  so,   will  the  subcontractor  have  possession  or   mere  access  to  the  data?     ¾ Will  the  patient  data  involve  especially   sensitive  clinical  information,  such  as  HIV   status  or  mental  health  (which  may   implicate  other  regulatory  requirements)?     ¾ Will  the  data  include  sensitive  non-­health   information,  such  as  credit  card   information  subject  to  the  Payment  Card   Industry  Data  Security  Standards  or   financial  information  (such  as  for     collection  purposes)  subject  to  the  Federal   Trade  Commission’s  Red  Flags  Rule?      


Compliance Beyond  the  Covered  Entity      13     ¾ Are  there  state  laws  regarding  personally   identifiable  data  that  need  to  be   addressed?         Whether  a  particular  one  of  these  considerations   is  relevant  to  a  given  BAA  depends  on  the   circumstances  and  in  many  cases,  the  covered   entity  and  the  business  associate  may  disagree   on  the  assessment.    For  instance,  the  covered   entity  may  seek  to  include  in  the  BAA  a   requirement  for  the  business  associate  to  pay  for   notices  required  under  state  breach  notification   laws,  while  the  business  associate  may  object,   arguing  that  the  BAA  should  only  address   matters  mandated  under  HIPAA  regulations.         While  right  or  wrong  answers  may  not  exist  in   such  cases,  in  this  example,  the  covered  entity   will  justify  its  position  on  the  basis  that  it   ultimately  would  be  responsible  for  state  law   notification  even  if  a  data  breach  did  not  give   rise  to  a  HIPAA  notification  requirement   (because  of  one  of  the  exceptions  under   HIPAA),  so  the  business  associate  should  cover   that  cost  if  the  business  associate  caused  the  data   breach.    The  business  associate,  on  the  other   hand,  is  likely  to  respond  that  not  enough   revenue  is  generated  from  the  service  contract  to   warrant  taking  on  such  a  large  potential  liability.     In  the  end,  of  course,  the  resolution  of  all  of   these  points  will  depend  upon  the  parties’   relative  bargaining  power  and  it  may  require   concessions  to  reach  agreement.     The  HIPAA  landscape  has  changed  dramatically   under  the  HITECH  Act  and  BAAs  that  once   were  afterthoughts  now  command  a  high  degree   of  care  and  scrutiny  on  the  parts  of  both  covered   entities  and  business  associates.      Covered   entities  and  business  associates  need  to  review   existing  BAAs,  replace  them  where  necessary,   put  them  in  place  where  missing,  and  closely   monitor  compliance.    

Compliance Beyond  the  Covered  Entity      14  

The Role  of  the  IT  Function     When  HIPAA  legislation  was  passed,  some   organizations  initially  turned  to  IT  directors  and   information  security  officers  to  lead  their   compliance  efforts.    On  the  other  hand,  some   organizations  included  IT  and  chief  information   security  personnel  as  an  after-­thought.      As  organizations  gained  a  better  understanding   of  HIPAA  requirements,  they  realized  that,  while   IT  is  an  important  component  and  must  be   involved;;  they  should  not  be  solely  responsible   for  the  compliance  program.    As  this  paper   demonstrates,  compliance  with  HIPAA  and   HITECH  requires  a  collaborative  effort  that   extends  well  beyond  the  IT  department.     With  that  said,  IT  staff  and  information  security   personnel  are  critical  to  the  implementation  of  a   successful  compliance  program.    Regardless  of   size,  HIPAA  compliance  has  a  significant  impact   on  the  IT  function  and  systems,  and  must  be   addressed  in  many  areas  including:              

x x x x x x x x x x x

    Infrastructure  management  and  security;;   Application  development,   implementation,  and  administration;;   End  user  access  and  system  security;;   Data  management,  storage,  back  up,  and   recovery;;   Equipment  procurement,  deployment,   upgrades,  and  replacements;;   Use  of  employee  owned  devices  in  the   work  place;;   Data  center  operations  and  tech  support;;   Data  integration  and  encryption;;   Vendor  management  and  access;;   IT  standards,  policies,  and  procedures;;   and   Staff  screening  and  training.  

Due  to  its  complexity,  IT  traditionally  requires   numerous  product  and  service  agreements.    Each   of  these  agreements  must  be  compliant  when   HIPAA  requirements  apply.    Finally,  since   compliance  is  an  on-­going  process,  IT  staff  and   information  security  personnel  must  continue  to   be  involved  in  the  compliance  program.  

“We can  build  the  best  internal  security  program  in  the  world  and  still     suffer  and  be  held  accountable  for  a  breach  at  the  hands  of  one  of  our   business  partners.   Kyle  Duke,  CIO,  HealthSpring  

Compliance Beyond  the  Covered  Entity      15  

The Bottom  Line     Patients  depend  on  health  care  organizations  to  address  their  health  care  needs  and  to  protect  their  health   information.    Meeting  these  expectations  and  the  legal  requirements  surrounding  them  are  challenging  for   small  and  large  organizations  alike.    Compliance  begins  with  acceptance  and  acknowledgment  of  HIPAA   requirements,  an  honest  self-­assessment,  willingness  to  devote  resources,  and  an  understanding  that   technology  is  only  one  component  of  the  program.    It  continues  by  gaining  support  from  top  management,   designating  someone  to  be  responsible  for  the  program,  and  assembling  a  team  of  professionals  with   expertise  in  this  area.    It  is  operationalized  through  agreements,  policies,  procedures,  and  training.     Finally,  it  is  sustained  through  monitoring  and  enforcement.    If  organizations  do  not  willingly  undertake   these  actions  in  an  earnest  manner,  the  resulting  consequences  will  force  them  to  do  so.          

A Great  Place  To  Live  and  Work     x Population  of  over  1.5  million  people   x Cost  of  living  almost  10  percentage  points  below  the  U.S.  average   x One  of  the  top  centers  in  the  world  for  the  creative  class   x Strong,  diverse  economy  including  headquarters  of  Community  Health  Systems,   Country  Music  Television,    Dollar  General,  Gibson  Guitars,  Griffin  Technology,   HealthStream,  Healthways,  Hospital  Corporation  of  America,  &  Nissan  North   America   x Over  100,000  college  students  in  the  region's  21  accredited  4-­year  and  post  graduate   institutions,  6  community  colleges,  and  11  vocational  and  technical  schools   x Well-­educated  population  where  over  50%  of  adults  25  years  and  older  have  one  or   more  years  of  college  education   x Recent  rankings  include:   R 10  Under  Rated  Hotbeds  of  American  Innovation  -­  Fast  Company   R Top  10  Best  Cities  for  Tech  Jobs  –  Forbes   R Top  Start  Up  Paradise  -­  Young  Entrepreneurs  Council   R Cities  That  Are  Getting  Smarter  the  Fastest  –  Forbes   R #1  City  for  Job  Growth  –  Kiplinger   R Top  10  Best  Place  for  Business  &  Careers  –  Forbes     Information  from  Nashville  Area  Chamber  of  Commerce  

Acknowledgements   This  paper  would  not  be  possible  without  the   contributions  of  Nashville’s  health  care  and   technology  communities.    It  is  the  result  of  a   collaborative  effort  that  showcases  the  depth  and   breadth  of  expertise  that  resides  in  Middle   Tennessee.    First,  the  NTC  would  like  to  thank   Andy  Flatt  and  Kyle  Duke  of  HealthSpring  for   suggesting  a  white  paper  and  helping  develop   the  idea.    We  also  thank  former  KPMG   employee,  Connie  McGee,  for  her  assistance  in   obtaining  financial  support  from  KPMG.         Work  on  the  paper  began  in  earnest  at  a  Health   Care  Privacy  and  Security  Summit  in  Nashville   that  brought  together  over  100  practitioners,   experts  in  the  field,  and  leaders  in  health  care   information  privacy  and  security  including:     x Keynote  speaker  Adam  Greene,  Partner,   Davis  Wright  Tremaine  and  former   regulator,  U.S.  Department  of  Health   and  Human  Services;;   x Panel  Moderator  Greg  Bell,  KPMG;;   x Panelist  Bob  Chaput,  CEO,  Clearwater   Compliance;;   x Panelist  Bill  Dieringer,  CISO,  Ardent   Health  Services;;  and   x Panelist  Kyle  Duke,  CISO,   HealthSpring.     The  Summit  was  made  possible  through   supporting  sponsorships  from  Clearwater   Compliance,  Dell,  Intel,  and  Peak  10.     Additionally,  Core  BTS,  Entegrity  Solutions,   HealthSpring,  IBM,  The  Kelso  Group,  and  The   Tennessee  Chapter  of  HIMSS  supported  small   group  discussions  at  the  Summit.    We  are   grateful  to  our  speakers  and  sponsors,  as  well  as   the  Summit  attendees  (listed  later  in  this  paper),   for  their  contributions.    


Compliance Beyond  the  Covered  Entity      16       The  NTC  also  thanks  Ashley  Miller,  a  graduate   student  of  Lipscomb  University’s  Master  of   Health  Care  Informatics  program.    She  worked   tirelessly  to  research  and  assemble  a  significant   portion  of  this  white  paper.    The  NTC   appreciates  her  contributions.    Research  for  this   paper  included  conducting  numerous  interviews   and  small  group  discussions.    Specifically,  the   following  people  offered  helpful  insights,   information,  and  feedback.    We  appreciate  their   willingness  to  share  their  knowledge  and   expertise  to  make  this  paper  better.     x Scott  E.  Augenbaum,  Federal  Bureau  of   Investigation;;   x Dr.  Elizabeth  Breeden,  Lipscomb   University;;   x Bob  Chaput,  Clearwater  Compliance;;   x Kyle  Duke,  HealthSpring;;   x Anthony  Mannarino,  HealthSpring;;   x Anelisa  Martin,  Medi-­Copy  Services;;   x Jon  Neiditz,  Nelson  Mullins;;   x Jerry  Powers,  JV  Powers  &  Company;;   x Anne  Sumpter-­Arney,  Bone  McAllester   Norton,  PLLC;;   x Bryan  Thornton,  Net  Reaction;;   x Lance  Wolrab,  Dell;;  and   x Steve  Wood,  Baker  Donelson.     While  many  people  made  this  paper  better   through  their  reviews  and  comments,  the  NTC   especially  thanks  Steve  Wood,  Baker  Donelson,   for  his  thorough  review,  and  Stacy  Daniel,   Executive  Assistant  to  the  CIO,  HealthSpring,   for  proofreading  it.    Finally,  the  NTC  thanks  the   Tennessee  Chapter  of  HIMSS  for  allowing  the   first  edition  of  this  white  paper  to  be  released  at   the  2012  Summit  of  the  Southeast.    We  are   grateful  to  be  part  of  a  community  that  is  so   willing  to  work  together  for  the  greater  good.    

Compliance Beyond  the  Covered  Entity      17  

Health Care  Privacy  &  Security  Summit  Attendees     Christel  Alvarez   Iron  Mountain     Carrie  Arkle   LetterLogic,  Inc.     Anne  Arney   Bone  McAllester  Norton       Jacob  Arthur   FDH  Consulting  

Tim Barker   Vanguard  Health  Systems   Greg  Bell   KPMG   James  Berkowicz   Sprint   Margaret  Bond   IASIS  Healthcare   Nicole  Bond   Arbor  Healthcare   Andy  Borchers   Lipscomb  University   Howard  Bright   Passport  Health  Comm     Juaquin  Brown   Lipscomb  University   Mark  Burnette   LBMC   Michael  Caskey   Anthem  Healthcare     Intelligence     Mary  Chaput   Clearwater  Compliance   Bob  Chaput   Clearwater  Compliance   Will  Cook   RCG     Stephanie  Crabb   CynergisTek  

Andy Flatt   HealthSpring  

Andrew Mains   Iron  Mountain  

Justin Scalise   Corizon  Health  

Mark Fulford   LBMC  

Anthony Mannarino     HealthSpring  

Frederick Scholl   Monarch  Info  Networks  

Adam Greene   Davis  Wright  Tremaine  

Cheryl Maplesden   Aegis  Sciences  Corp  

Pat Sheridan   InStream  

Daniel Guinaugh   Systems  Solutions     Technologies     Ray  Guzman   WPC     Kevin  Hagan   Willis     Roy  Hall   The  Kelso  Group     Rodney  Hamilton,  M.D.,   HIMSS     Tim  Harris   Systems  Solutions  Tech     Crista  Harwood   Passport  Health  Comm     Mark  Hinson   InStream     Robert  Hoisington   Sirius     Greg  Huddleston   IBM     Bryan  Huddleston   Microsoft  

Peter Martin   C3  Consulting  

Gaye Smith   Vanderbilt  University   Medical  Center  

Anelisa Martin   Medi-­‐Copy  Services  

Van Steel   KPMG  

James Mathis   Clearwater  Compliance  

Paul Sternberg   Look-­‐Listen  

Steve Mayeur   IBM  

David Stevens   LetterLogic,  Inc.  

Jessica McDougal   teknetex,  inc.  

Jill Stockmaster   Beacon  Technologies  

Connie  McGee   NTC  Board  of  Directors  

Jon Stone   Clearwater  Compliance  

Robert Morris   Ion  IT  Group  

Ron Styers   Healthbox  Tech  

Emily Moth    

Tom Surface,  Passport   Health  Communications  

Brian Moyer   TN  HIMSS  

Kristi Syling   Vanguard  Health  Systems  

Eric Mueller   WPC  

Michael Taylor   Lipscomb  University  

Peter O'Donnell   IBM  

Ed Terry   IBM  

Jay Perry   Core  BTS  

Ryun Vail   Sprint  

Rick Pineda   InfoWorks,  Inc.  

Mark Van  Atta   Unico  Technology  

Heath Pitts   Core  BTS  

Patricia Vinson   Letterlogic  

Frank Platt   Entegrity  Solutions  

Will Weaver   RoundingWell  

Mark Johnson   KPMG     Derek  Johnson   Peak  10     Brian  Johnson   SVMIC     Angela  Jones   Core  BTS    

Stacy Daniel   HealthSpring  

Compliance Beyond  the  Covered  Entity      18  

Kris Kelso   The  Kelso  Group     John  Kepley   teknetex,  inc.  

Jason Poteet   TN  HIMSS  

Robb Wells   TriStar  Health  System  

Jerry Powers   JVPowers  &  Company  

Bill Dieringer   Ardent  Health  Services  

Janet King   Middle  TN  eHealth     Connect  

Kyle Duke   HealthSpring  

Brit Kirby   Dell     Mike  LaLonde   ProSys  Info  Systems     Marianne  Lamkin   Simplex  Healthcare     Helen  Lane   C3  Consulting     Lawrence  Lin   Liaison  Technologies     Bill  MacDonald   Symantec  

Robert Preininger   Business  Survival     Partners     Terry  Raney   Intel  

Monroe Wesley   Vanderbilt  University     Medical  Center     Michael  Whitlatch   Fair  Warning  

Chris Davenport   IBM  

Loretta Duncan   SVMIC   Michael  Duncan   Core  BTS   Kathy  Ebbert   Clearwater  Compliance   Matthew  Edman   HCA   Richard  Eller   Iris  Networks   Drew  Fassett   Peak  10    

Corey Wilson   Cogent  HMG  

Ashley Robertson   TN  Medical  Association  

Lance Wolrab   Dell  

Art Robinson   Absolute  Software  

Steve Wood   Baker  Donelson  

Tony Rodefer   Dell  

Blake Wylie   Simplex  Healthcare  

Max Sadler   ANS  

Prasad Yammanur   Anthem  Healthcare     Intelligence  



Bob Wilson   Covenant  Health  

Mike Rice   Absolute  Software  


Compliance Beyond  the  Covered  Entity      19  

Additional Resources        

Final Rule  for  HITECH  Breach   Notificationxxii   Guide  to  Privacy  and  Security  May  2012xxiii   HHS  Encryption  Guidelinesxxiv   OCR  HIPAA  Audit  Protocol  June  2012xxv   Rick  Analysis  Guidelines  July  2010xxvi      

Final Rule  update/status   Guidance  from  National  Coordinator  for   Health  Information  Technology   HHS  overview  of  how  to  render  PHI   unusable,  unreadable  &  indecipherable  to   unauthorized  users   Searchable  information  regarding  privacy,   security,  and  breach  notification   requirements,  organized  in  a  modular  format   Guidance  for  implementing  appropriate   administrative,  physical,  and  technical   safeguards  to  secure  e-­PHI  

Compliance Beyond  the  Covered  Entity      20  


CFR 160.103     ii ibid     iii ibid     iv American  Recovery  and  Reinvestment  Act  (ARRA)  of  2009,  Pub.  L.  No.  111-­5,  123  Stat.  115,  516  (Feb.  19,  2009)     v         vi 45  CFR  160.400  et  seq     vii  Data  Breaches  Cost  Hospitals  $6B  Annually.  (2011).  Information  Management  Journal,  45(2),  10.  From:         ­breaches-­cost-­hospitals-­6b-­annually         viii  Oatway,  David.  "Mobile  devices  contribute  to  PHI  breaches."  Long-­Term  Living  May  2011:  20+.­devices-­contribute-­phi-­breaches     ix­pays-­17m-­hhs-­data-­breach     x     xi     xii     xiii     xiv  ibid     xv     xvi­2_lsanches_ocr-­audit.pdf     xvii  http://www.merriam-­     xviii  http://www.merriam-­     xix  Brodnik,  M.  S.,  McCain,  M.  C.,  Rinehart-­Thompson,  L.  A.,  &  Reynolds,  R.  B.  (2009).  Fundamentals  of  Law  for  Health   Informatics  and  Information  Managmenet.  Chicago:  American  Health  Information  Management  Association     xx  Harmnda  (ed.).  2006  Ethical  Challenges  in  the  Management  of  Health  Information  ,  2nd  ed.  Sudbury,  MA:  Jones  and  Bartlett     xxi  Greene,  Adam  H.  and  Rebecca  L.  Williams.  “HIPAA  Audits  Results  Released:  We  Still  Have  Work  to  Do.”  JD  Supra.  (June   13,  2012).  From:­c84d-­4331-­a327-­fc394407d125     xxii     xxiii userid=11673&cached=true     xxiv     xxv     xxvi  

Compliance Beyond  the  Covered  Entity      21                                                                                                                                                                                                                                                                                                                                                                                                

With a vision to help Middle Tennessee become known worldwide as a leading technology community, the Nashville Technology Council is devoted to helping the tech community succeed. Membership is open to technology companies, technology employers, service providers, educational institutions, and non-profit companies interested in supporting the growth of technology businesses in Middle Tennessee. To learn more, visit

NTC Health Care Whitepaper  

Health Care Whitepaper

Read more
Read more
Similar to
Popular now
Just for you