Meeting in the Middle Q&A: Clearwater

Q&A From This High-Demand Webinar

Could it cause issues if a CE has a BAA with someone who isn't actually a BA?

Generally, we do not suggest that HIPAA covered entities or business associates enter into business associate agreements with entities that are not, in fact, their business associates, given that such agreements create at least the presumption of both privity of contract, and that the information does not belong to the first HIPAA covered entity or business associate.  In other words, there is a presumption of liability, given the requirements outlined in the agreement.

Do you need a BAA with Software vendors like Visage Imaging or TeraRecon where their software "uses" ePHI?

A vendor is a business associate if you disclose information to it, keeping in mind that "disclosure" under HIPAA includes access to PHI.  As such, any vendor who has or could have access to your PHI is generally considered a business associate.  Obviously, if they also create, receive, maintain, or transmit PHI for or on your behalf, they are also your business associate.

Are there data masking tools?

There are solutions to encrypt data that prevent anyone who does not have the appropriate key from reading it. Under the HIPAA Security Rule, an organization should encrypt data whenever possible. This is particularly true for devices such as laptops and thumb drives, which are often stolen. There are also tools to anonymize data such that it no longer qualifies as PHI. These tools are often used when repurposing data for research. A subset of these are data masking tools, which replace sensitive data with fictitious data such that relationships between the data are maintained, facilitating the use of the data.
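The relationship-preserving masking the answer describes, as an added example that is not Clearwater's tooling or code from the original Q&A: a keyed HMAC token replaces each medical record number deterministically, so the same MRN masks to the same token in every table and joins still work; names are swapped for fictitious ones chosen from the same keyed hash; dates of birth are reduced to the year. The two tables, the masking key and the fake-name lists are constructed for this example.

```python
import hmac
import hashlib

# Constructed sample data: two related tables keyed by medical record number (MRN).
PATIENTS = [
    {"mrn": "MRN-1001", "name": "Alice Example", "dob": "1984-03-09"},
    {"mrn": "MRN-1002", "name": "Bob Example", "dob": "1951-11-22"},
]
ENCOUNTERS = [
    {"encounter_id": "E-1", "mrn": "MRN-1001", "diagnosis": "J45.909"},
    {"encounter_id": "E-2", "mrn": "MRN-1001", "diagnosis": "E11.9"},
    {"encounter_id": "E-3", "mrn": "MRN-1002", "diagnosis": "I10"},
]

# Hypothetical masking key. In practice it lives in a secrets manager and is
# never stored alongside the masked output, since whoever holds it can re-link.
MASKING_KEY = b"constructed-example-key-not-for-production"

# Constructed pools of fictitious names.
FAKE_FIRST = ["Pat", "Sam", "Lee", "Kim", "Max"]
FAKE_LAST = ["Doe", "Roe", "Poe", "Moe", "Coe"]


def pseudonym(value: str, key: bytes, length: int = 12) -> str:
    """Keyed, deterministic token: the same input under the same key always yields
    the same token (so joins survive), and without the key the original cannot be
    recovered or recomputed from a guessed identifier."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def fake_name(real_name: str, key: bytes) -> str:
    """Pick a fictitious name from the keyed hash so one person always gets the
    same fake name across every table and every run."""
    h = hmac.new(key, ("name:" + real_name).encode("utf-8"), hashlib.sha256).digest()
    return f"{FAKE_FIRST[h[0] % len(FAKE_FIRST)]} {FAKE_LAST[h[1] % len(FAKE_LAST)]}"


def mask_patients(rows, key):
    """Replace direct identifiers; keep only the birth year."""
    return [
        {"mrn": pseudonym(r["mrn"], key), "name": fake_name(r["name"], key), "dob": r["dob"][:4]}
        for r in rows
    ]


def mask_encounters(rows, key):
    """Mask both keys with the same function so the foreign key still resolves."""
    return [
        {
            "encounter_id": pseudonym(r["encounter_id"], key),
            "mrn": pseudonym(r["mrn"], key),
            "diagnosis": r["diagnosis"],
        }
        for r in rows
    ]


def encounters_per_patient(patients, encounters):
    """Join the two tables on mrn and count encounters; identical logic works on
    the raw and the masked data, which is the point of preserving relationships."""
    counts = {p["mrn"]: 0 for p in patients}
    for e in encounters:
        counts[e["mrn"]] += 1
    return counts


if __name__ == "__main__":
    masked_p = mask_patients(PATIENTS, MASKING_KEY)
    masked_e = mask_encounters(ENCOUNTERS, MASKING_KEY)
    print(masked_p)
    print(encounters_per_patient(masked_p, masked_e))
```

The key is what separates masking from a plain hash: an unkeyed hash of an MRN can be recomputed by anyone who knows the MRN format, so it is not fictitious data in any useful sense, whereas the keyed token can only be re-linked by whoever holds the key. Treat that key like any other secret, stored and access-controlled separately from the masked data set.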

Illiana, you have clarified that audits of business associates are not required; would you agree that some due diligence, such as a security questionnaire, is appropriate to manage the CE's risk?  My experience is that many vendors sign the BAA without consideration or capability to comply.

Additional due diligence is always helpful!  And while I don't see any issues with a questionnaire, besides the fact that a potential business associate may just answer "yes" to everything, I have always found that a conversation about the nature of the services, the PHI involved, and the safeguards to such PHI works well!

Can you speak to access by the individual and Psychotherapy notes?

Per the HIPAA Privacy Rule, an individual does not have the right to access his/her psychotherapy notes.  However, note that under the Privacy Rule, for Psychotherapy Notes to be considered such, and to have the increased protections afforded by the HIPAA Privacy Rule, they must be kept separately from the rest of the individual's designated record set.

If CEs do not ask any questions of a BA in regard to their security risks, what would you recommend be the first step in starting?

Additional due diligence is always helpful!  I have always found that a conversation about the nature of the services, the PHI involved, and the safeguards to such PHI works well!

Can you provide some examples of what academic medical centers do with business associates? 

Academic medical centers have the same obligations under HIPAA as any other CE. We have found that the responsibility for obtaining Business Associate Agreements, when required, typically falls on the Privacy and/or Compliance function within these organizations.

When contracting with entities that have operations outside the US, would the BAA suffice? Or do we need extra protections in BAA to bind them to US laws. In the event of Breach, OCR will likely not go after entities outside the US; the onus would be on the CE.

The question of extra-territorial jurisdiction is a good one!  It may be that you want to perform additional due diligence with regard to business associates located outside the United States, for purposes of determining the risks to the ePHI shared with them for purposes of your risk analysis.  You may also want additional indemnification or insurance for those business associates.

Ms. Peters...do you encounter situations when you are working with CEs or BAs that offer you their "risk analysis" and what you get is more of a "gap analysis" as explained in the Cyber Security bulletin?

Despite OCR's efforts in this area, there is still confusion about the difference between a HIPAA Gap Analysis and a Risk Analysis as required under the Security Rule. Not having an OCR Quality Risk Analysis continues to be one of the leading HIPAA Security Rule violations identified by OCR. 

Why does OCR go out of its way to confuse people?  It releases the HIPAA Audit Protocol 2.0, which is for a non-technical evaluation.  Why not provide people with examples of acceptable Risk Analysis documents?

OCR has provided guidance on Risk Analysis found here: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf  As stated in the guidance, there are different methodologies an organization could use to meet the requirements. Nevertheless, they cite the NIST guidance as an example. Clearwater follows this approach, and the risk analyses we have performed have been accepted by OCR 100% of the time.

Roger Severino at several conferences has shared that the HIPAA Audit program (which last stopped at Phase II) will no longer go forward.  However, he also stated that the use of the audit program and the audit protocol may still be used as part of an enforcement action...have you heard anything similar?

I believe that Roger Severino has stated that the HIPAA Audit program may be used for enforcement in the future, and, as such, may not continue in its current form.  Given that audits are required by the HITECH Act, I assume they will continue.

Do you foresee an increase in scrutiny of the oversight expectations of vendors by state and federal regulators?

I think there's already increased scrutiny into the administrative, physical, and technical safeguards implemented by HIPAA covered entities and their business associates under the HIPAA Security Rule by both state and federal regulators, and I would expect such scrutiny to continue, given the attention all regulators are currently paying to the security of individually-identifiable data.

Guidance on negotiating risk allocation (indemnification, etc.) with vendors / BAs, vis-à-vis security vetting discussed earlier?

Additional due diligence is always helpful!  I have always found that a conversation about the nature of the services, the PHI involved, and the safeguards to such PHI works well!

Did I hear correctly that BAs are NOT required to audit their sub-contractors and, if so, where can I find that in the regs?

A BA who has BAs has the same requirements as a CE has to its BAs: no audit requirement, but the same requirements around having a BAA in place.

If OCR ever put out a "sample" risk analysis...do you think it would essentially be adopted as "the" format to use?

The required elements are clearly stated in the guidance. Where the flexibility lies is primarily in the methodology used for determination of risk; in particular, both qualitative and quantitative approaches are acceptable. We follow the NIST approach, which, while not required, is referenced in the guidance.

I would love thoughts on how to appropriately evaluate and respond to a vendor's request to allow de-identification of the data. We have gone so far as to require a vendor to show us their de-identification policies and procedures. With all the research suggesting that information is never truly de-identified, we wonder if the risk of allowing de-identification is too great.

There are two ways to achieve acceptable de-identification under HIPAA: the first is by use of an expert, typically a statistician, and the second is the safe harbor method (https://www.hhs.gov/hipaa/for-professionals/privacy/special-topics/de-identification/index.html#standard). If you comply with either of these, you should avoid liability. But yes, I have never seen it statistically proven that the data is truly de-identified, at least not when there are several data points, which is typically the case.

Would IP addresses contained in website logs held by a CE be considered EPHI?

HHS was asked a similar question and this is their response - "Individually identifiable health information (IIHI) is information, including demographic information, which relates to:

- the individual’s past, present, or future physical or mental health or condition,

- the provision of health care to the individual, or

- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.

Protected Health Information (PHI) is IIHI that is created, received, maintained, or transmitted by a covered entity (e.g. health plan, most health care providers) or business associate (who creates, receives, maintains, or transmits PHI for the covered entity or another business associate).

Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above.

Keep in mind that the information an individual shares through a patient portal with her health plan or covered health care provider for patient care or operations, such as scheduling an appointment or discussing a reimbursement issue, would be PHI protected by the HIPAA Rules, because the Rules apply to such information received by the covered entity and involved in health care functions.

Conversely, health information shared by a consumer or between two consumers, independent of a covered entity or business associate performing a health care function, is not PHI, regardless of its form (electronic, paper) or format." https://hipaaqsportal.hhs.gov/a/pages/answered-questions  There is also some case law that suggests IP address would be considered an identifier, so it depends on the nature of the other information in the log.
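The safe harbor method named in the de-identification answer above, together with the point in this answer that an IP address can be an identifier (IP addresses are among the safe harbor identifiers), as an added example that is not Clearwater's or HHS's code: it applies the safe harbor generalizations to a constructed patient record (dates reduced to the year; ages over 89 reported as "90+" with the birth year suppressed; ZIP reduced to three digits, with the restricted prefixes listed in the HHS guidance changed to 000), drops direct identifiers such as name and IP address, scrubs IP addresses, dates, SSNs and e-mail addresses out of free text, and runs a residual-identifier check over the result. The record schema, the sample values and the reference date are constructed.

```python
import re
from datetime import date

# Three-digit ZIP prefixes that the HHS safe harbor guidance lists (from 2000
# census data) as covering 20,000 or fewer people; these must become 000.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790", "821",
                   "823", "830", "831", "878", "879", "884", "890", "893"}

# Identifier patterns that tend to survive inside free-text fields.
PATTERNS = {
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Constructed sample records and reference date (not real patients).
REFERENCE_DATE = date(2024, 1, 1)
RECORDS = [
    {"name": "Alice Example", "dob": "1984-03-09", "zip": "90210", "ip": "192.0.2.10",
     "diagnosis": "J45.909",
     "note": "Pt seen 2023-05-01; contact alice@example.com from 192.0.2.10"},
    {"name": "Bob Example", "dob": "1930-11-22", "zip": "03601", "ip": "198.51.100.7",
     "diagnosis": "I10", "note": "SSN 123-45-6789 on file"},
]


def age_on(dob_iso: str, as_of: date) -> int:
    """Whole years between an ISO date of birth and the reference date."""
    y, m, d = (int(p) for p in dob_iso.split("-"))
    return as_of.year - y - ((as_of.month, as_of.day) < (m, d))


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is on the restricted list."""
    z3 = zip_code[:3]
    return "000" if z3 in RESTRICTED_ZIP3 else z3


def scrub_text(text: str) -> str:
    """Replace each recognised identifier pattern in free text with a label."""
    for label, pattern in PATTERNS.items():
        text = pattern.sub(f"[{label.upper()}]", text)
    return text


def deidentify(record: dict, as_of: date = REFERENCE_DATE) -> dict:
    """Apply the safe harbor rules to the constructed record schema: direct
    identifiers (name, ip) are dropped, quasi-identifiers are generalized, and
    free text is scrubbed."""
    age = age_on(record["dob"], as_of)
    over_89 = age > 89
    return {
        # Only the year of a date tied to the individual may be kept, and even
        # the year is suppressed when it would reveal an age over 89.
        "dob_year": None if over_89 else record["dob"][:4],
        "age": "90+" if over_89 else str(age),
        "zip3": generalize_zip(record["zip"]),
        "diagnosis": record["diagnosis"],
        "note": scrub_text(record["note"]),
    }


def residual_identifiers(record: dict) -> list:
    """Post-check: names of string fields that still match an identifier pattern."""
    return [
        field for field, value in record.items()
        if isinstance(value, str) and any(p.search(value) for p in PATTERNS.values())
    ]


if __name__ == "__main__":
    for r in RECORDS:
        out = deidentify(r)
        print(out, "residual:", residual_identifiers(out))
```

As the answer notes, passing this kind of check does not make re-identification impossible: the residual check only finds the patterns it knows about, free-text notes are where identifiers most often survive, and several generalized fields together can still single someone out. That gap is why the expert-determination route exists for richer data sets.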

Would a covered entity be required to obtain a BAA if the vendor receives and processes de-identified data sets?

If the vendor creates the de-identified data, then a business associate agreement is required.  However, if the vendor receives only de-identified data (per the safe harbor or statistical expert methods under the HIPAA Privacy Rule), then no BAA is required, because de-identified data is not protected health information under HIPAA.

Can you do a webinar on HIPAA hybrid orgs? Include: how to determine if an agency is a hybrid; if yes, how to 'declare' or document that; what needs to be done to separate the entities, etc.

We will certainly consider either a separate webinar or including that discussion in one of our upcoming HIPAA webinars.

I have not been able to find 'good' guidance on what is expected for the level of assessment (testing) of security controls/measures that are relied on to reduce risk, for either the risk assessment and/or the risk management requirement. Can you provide additional information/guidance on this?

OCR has provided guidance on Risk Analysis found here: https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf  What we have found in our work with OCR in regard to risk management is an expectation that an organization will create a plan to treat any threats above its risk threshold, that it takes action on that plan, and that it documents the same.

Hello, I have heard the term "agent" when discussing business associates. Any insight on this?

The term "agent" can come into play in relation to the law of agency. If a covered entity controls how a business associate performs its services, the business associate may be determined to be an agent of the covered entity. If so, the covered entity can be held responsible for civil money penalties assessed in response to an act or omission in violation of HIPAA by the business associate, if it occurs within the scope of the agency relationship.

Does the BA have 60 days to notify the CE, and then the CE has 60 days to report/notify?

A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach.  To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach, as well as any other available information required to be provided by the covered entity in its notification to affected individuals.  A covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. So the clock starts ticking for the CE when it knows of the breach, even if that knowledge doesn't come from the BA.

Regarding your example about a CE sharing data with a Social Service agency: if SS is not a BA, what happens if SS has a breach? How do the HIPAA rules fit in?

HIPAA is only applicable to covered entities and business associates.
