Presentation Title
Featured Panelists
Michele Madison, Partner at Morris, Manning, and Martin, LLP
Ms. Madison is highly experienced with the HITECH rules and has been helping clients navigate healthcare laws for nearly 14 years. She will discuss legislative changes affecting Business Associates and how it affects the Covered Entities.
Dr. Paige Joyner, CEO at Compliance +, LLC
Dr. Paige Joyner is a known expert on HIPAA Privacy & Security regulations. She will walk you through what is required in a Privacy & Security Manual.
Deborah Frazier – Healthcare IT Support Manager at BlueWave Computing
Deborah Frazier developed the Healthcare Compliance Program at BlueWave Computing. As a Business Associate, she will discuss the steps for ensuring your Business Associates are meeting the requirements and how to identify whether they are a threat to your PHI.
The New Rules for Business Associates
The American Recovery and Reinvestment Act of 2009: Stimulus Act Changes to Business Associates
Presented By:
Michele Madison
[email protected]
www.mmmlaw.com
Polling Question
How familiar are you with the new Business Associate Rules under HITECH?
• Not at all
• Somewhat informed
Expanded Business Associates
Each organization “that provides data transmission of Protected Health Information to such entity or its Business Associate and that requires access on a routine basis to such Protected Health Information, such as a Health Information Exchange Organization, Regional Health Information Organization, E-prescribing, Gateway, or each vendor that contracts with a Covered Entity to allow that Covered Entity to offer a personal health record to patients as part of its electronic health record and it is required to enter into a Business Associate Agreement.”
• Business Associates are now directly subject to specific requirements
• Penalties directly apply to Business Associates
• Increased Penalties
• Enhanced Enforcement Activities
Increased Application and Enforcement
Application of Privacy Provisions and Penalties to BA
• Additional requirements that relate to privacy and security are now applicable to Business Associates.
• Include provisions in Business Associate Agreement:
– Administrative Safeguards
– Physical Safeguards
– Technical Safeguards
Criminal Penalties
• Covered Entities should be aware of the additional Penalties and the Enforcement Activities:
– Enhanced Criminal Penalties
• Willful neglect standard
• Additional funding for Enforcement Activities.
• In 3 years, the “individual harmed” may receive a % of the CMP collected from the offense.
Penalty Tiered Increase
Minimal levels of Penalties based on Intent:
• $100 - $25,000 - Person did not know and would not have known
• $1,000 - $100,000 - Reasonable cause and not willful neglect
• $10,000 - $250,000 - Willful neglect
State Attorney General
Permits civil actions on behalf of patients.
– May enjoin the actions; and
– Obtain damages not to exceed $25,000 annually.
Polling Question
This Question is for Covered Entities:
How much does this information affect which vendors you do business with?
– Greatly affects it
– Somewhat affects it
Notification
• Security provisions of HIPAA now apply to a Business Associate of a Covered Entity in the same manner that such sections apply to the Covered Entity.
• Business associates subject to same penalties as Covered Entities.
• Also applies to vendors of personal health records.
• Covered Entities and Business Associates must track and notify individuals when their unprotected information has been put at risk through a security breach by September 16, 2009.
• Policy of empowering the individual with an understanding of when the individual’s information has been accessed in an unauthorized manner.
• Secretary will consult with stakeholders and issue guidance on the most effective and appropriate technical safeguards.
– Initial guidance to be issued within 60 days after enactment of the HITECH Act (by April 19, 2009).
– These are to be updated annually.
Security and Notice Requirements
Applies to any Covered Entity or BA/vendor that:
• Accesses, maintains, retains, modifies, records, stores, destroys or otherwise holds, uses, or discloses unsecured protected health information.
• Applies directly to vendors, regardless of whether a business associate agreement is executed.
Security and Notice Requirements
• Obligation to notify triggers upon discovery of a breach:
– Discovery determined to be the first day on which such breach is known or should reasonably have been known to such entity or associate to have occurred.
– Knowledge by any person that is an employee, officer or other agent of the entity or associate.
• Following discovery of a breach of unsecured protected health information, Covered Entity and Business Associate must:
– Covered Entity must notify the individual.
Security and Notice Requirements
• Notice to Individual must include:
– Identification of each individual whose unsecured protected health information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach.
– Brief description of what happened, including the date of the breach and the date of discovery of the breach.
– Description of the types of unsecured protected health information that were involved.
– Steps the individual should take to protect themselves from potential harm resulting from the breach.
– Description of what the covered entity involved is doing to investigate the breach, to mitigate losses, and to protect against any further breaches.
– Contact procedures for individuals to ask questions or learn additional information.
Security and Notice Requirements
• Notice to the Secretary by Covered Entities:
– For breaches impacting 500 or more individuals, notify the Secretary immediately.
– For breaches impacting fewer than 500 individuals, maintain a log and submit it to the Secretary annually.
Security and Notice Requirements
Notice Process
• Notice Timing:
– Notice must be made without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
– Delay allowed if a law enforcement official determines that a notification, notice or posting would impede a criminal investigation or cause damage to national security.
• Methods of Notice:
– Written notification by first class mail to individual.
– Substitute notice process for insufficient or out of date contact information.
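The notice rules on the preceding slides (discovery by any workforce member, the 60 calendar day limit, the 500-individual threshold for the Secretary, the annual log and the required contents of the individual notice) can be tracked mechanically. The following Python is an added example written for this page, not material from the presentation or from any of the panelists' firms; the data model, field names and sample dates are constructed for illustration, and a law-enforcement delay is modelled simply as "no deadline computed yet".

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Figures taken from the slides
NOTICE_DEADLINE_DAYS = 60            # no later than 60 calendar days after discovery
SECRETARY_IMMEDIATE_THRESHOLD = 500  # 500 or more individuals: notify the Secretary immediately

# Elements the notice to the individual must contain (one key per slide bullet;
# the key names are constructed for this example)
REQUIRED_NOTICE_ELEMENTS = (
    "affected_individuals",  # identification of each individual
    "what_happened",         # description incl. date of breach and date of discovery
    "phi_types",             # types of unsecured PHI involved
    "protective_steps",      # steps the individual should take
    "entity_response",       # investigation, mitigation, prevention of further breaches
    "contact_procedures",    # how individuals can ask questions
)


@dataclass
class Breach:
    breach_date: date
    individuals_affected: int
    # Date on which each employee, officer or agent knew (or should have known)
    # of the breach. Knowledge by any one of them counts for the entity.
    known_on: List[date] = field(default_factory=list)
    law_enforcement_delay: bool = False


def make_breach(breach_iso: str, affected: int, known_iso: List[str],
                delay: bool = False) -> Breach:
    """Build a Breach from ISO date strings (convenience for callers)."""
    return Breach(date.fromisoformat(breach_iso), affected,
                  [date.fromisoformat(s) for s in known_iso], delay)


def discovery_date(b: Breach) -> date:
    """Discovery is the first day the breach was known, or should reasonably
    have been known, by anyone acting for the entity: the earliest date wins."""
    if not b.known_on:
        raise ValueError("no knowledge dates recorded")
    return min(b.known_on)


def individual_notice_deadline(b: Breach) -> Optional[date]:
    """Last permitted day for notice to individuals, or None while a
    law-enforcement delay is in effect."""
    if b.law_enforcement_delay:
        return None
    return discovery_date(b) + timedelta(days=NOTICE_DEADLINE_DAYS)


def secretary_notice_route(b: Breach) -> str:
    """'immediate' for 500 or more individuals, otherwise 'annual-log'."""
    if b.individuals_affected >= SECRETARY_IMMEDIATE_THRESHOLD:
        return "immediate"
    return "annual-log"


def missing_notice_elements(notice: Dict[str, str]) -> List[str]:
    """Required elements that are absent or empty in a draft notice."""
    return [k for k in REQUIRED_NOTICE_ELEMENTS if not notice.get(k)]


class BreachLog:
    """Register of breaches; sub-500 breaches are collected for the annual
    submission to the Secretary."""

    def __init__(self) -> None:
        self.entries: List[Breach] = []

    def record(self, b: Breach) -> str:
        self.entries.append(b)
        return secretary_notice_route(b)

    def annual_submission(self, year: int) -> List[Breach]:
        return [b for b in self.entries
                if secretary_notice_route(b) == "annual-log"
                and discovery_date(b).year == year]


# Constructed sample: two workforce members learned of the same breach on
# different days; the earlier date controls the 60-day clock.
SAMPLE_BREACH = make_breach("2010-02-20", 120, ["2010-03-05", "2010-03-01"])

if __name__ == "__main__":
    print("discovery:", discovery_date(SAMPLE_BREACH))
    print("individual notice due by:", individual_notice_deadline(SAMPLE_BREACH))
    print("Secretary route:", secretary_notice_route(SAMPLE_BREACH))
```

The point a practice manager or BA should take from running it is the `discovery_date` rule: the clock starts on the earliest date anyone in the workforce knew, not on the day the compliance officer was told, so the internal reporting procedure determines how much of the 60 days is actually left.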
Polling Question
Have you reviewed the Administrative, Technical, & Physical Safeguards and
Next Steps
• Covered Entities should evaluate what entities serve to exchange health information or serve as Personal Health Records
• Covered Entities should evaluate their current business associate agreements and draft revised language
• Business Associates (new BAs) should evaluate current processes and perform a risk assessment under the Security Regulations
Thank You
Michele Madison, Partner, Healthcare
Morris, Manning & Martin, LLP
404-504-7621
This presentation is provided as a general informational service to clients and friends of Morris, Manning & Martin, LLP. It should not be construed as, and does not constitute, legal advice on any specific matter, nor does this message create an attorney-client relationship. These materials may be considered Attorney Advertising in some states. Please note, prior results discussed in the material do not guarantee similar outcomes.
Polling Question
Do you have processes and procedures
in place to address the handling,
What do you need?
• The following list is from an actual BA of one of my clients.
• It illustrates the length that this BA has gone to in order to protect themselves and ultimately their clients’ patients’ PHI.
• There is value in being a “trusted” BA by implementing the proper protections for your clients’ patients’ PHI.
Policies & Procedures
• General HIPAA Compliance Policy
• Policies and Procedures Policy (Developing or Changing Policy or Procedure)
• Documentation Policy
• Documentation Retention Policy
• Data Destruction Procedure
• Accountability of Disclosures Procedure
• Documentation Availability Policy
• Documentation Updating Policy
• HHS HIPAA Investigations Policy
• Escalating and Handling HHS HIPAA Investigation and other Third Party Requests
• Breach Notification Policy
• Security and Privacy Incident Response Plan
• Privacy Officer Policy
• HIPAA State Law Preemption Policy
• HIPAA Training Policy
• PHI Uses and Disclosures Policy
• Access Request Escalation and Handling Procedures
• Patient Rights Policy
• Privacy Complaints Policy
• Complaints Escalation and Handling Procedure
• Risk Management Process Policy
• Risk Analysis Policy
• Risk Management Implementation Policy
• Sanction Policy
• Information Systems Activity Review Policy
• Assignment of Security Responsibility Policy
• Authorization and Supervision Policy
• Access Screening Policy
• Access Termination Policy
• Access Authorization Policy
• Access Establishment and Modification Policy
• Security Reminders Policy
• Malware Protection Policy
• Log-In Monitoring Policy
• Password Management Policy
• Security Incident Procedures
• Data Backup Plan
• Disaster Recovery Plan
• Emergency Mode Operations Plan
• Testing & Revision Procedures
• A&D Criticality Analysis Policy
• Evaluation Policy
• Business Associates Policy
• Contingency Operations Policy
• Facility Security Plan
• Access Control & Validation Procedures
• Maintenance Records Policy
• Workstation Use Policy
• Workstation Security Policy
• Media Disposal Policy
• Media Re-Use Policy
• Hardware & Media Accountability Policy
• Data Backup & Storage Policy
• Unique User ID Policy
• Emergency Access Procedures
• Automatic Log-Off Policy
• Encryption & Decryption Policy
• Audit Controls Policy
• Integrity Controls Policy
• Person or Entity Authentication Policy
• Integrity Controls Procedure
• Postal Communications Containing PHI Policy
Confused?
Where to start?
• Diagram workflows and PHI processing
• Diagram network
• Examine for threats, vulnerabilities, risks
• Document access
• Document all with P&P
Notes
A Covered Entity may request copies of your P&P.
A Covered Entity will require a signed BA Agreement.
– The new BA agreements make you responsible rather than passing it off to the CE.
The IT Support Provider who Informs & Protects
Polling Question
If you are a Business Associate do you:
• Transmit Health Records
• Store Health Records
Why BlueWave Became HIPAA Compliant
Realized Responsibility
• PHI our engineers can access through the network (Access)
• Patient Data that rests in our Data Center (Store)
• Patient Data backed up by our Disaster Recovery program (Transfer)
BlueWave Data Center – Hosted over 100 servers in our data center that hold PHI
BlueWave’s HIPAA To-Do List
• Privacy Manuals (All)
• Security Manuals (Electronic Access)
• Workforce Training (All)
• Administrative, Physical & Technical Safeguards (Electronic Access)
• Vulnerability Test (Electronic Access)
• Network Diagram (Electronic Access)
• Network Asset List (Electronic Access)
• Work Plan (Electronic Access)
• Business Associate Checklist (Share PHI with Subcontractors)
Why?
• 23% of breaches involve a BA
• 12 of the Largest Breaches involved a BA
• 8 of the CE’s in the largest breaches modified or terminated their relationship with the BA
• Reputation Loss
• All clients get fined if the PHI is not secure
• Fines for BlueWave
• Become the Trusted Resource for IT Support
• BIGGEST REASON – Protect the Practices & their patients
Facts
• 330 major healthcare breaches affecting 11.8 million individuals.
• 23% of those involved a BA = over 2.7 million
• Business Associates are the biggest vulnerability to a CE because they are not prepared
• If a breach occurs the CE name is listed along with the BA
Emergency Healthcare Physicians, Ltd.
State: Illinois
Business Associate Involved: Millennium Medical Management Resources, Inc.
Approx. # of Individuals Affected: 180,111
Date of Breach: 2/27/10
Type of Breach: Theft
Lessons From Other BA’s
KPMG – Lost an unencrypted flash drive affecting more than 4,500 patient records. Their client – New Jersey Healthcare System.
• Breach affected 2 facilities:
– 3,630 patients at Saint Barnabas Medical Center
– 965 patients at Newark Beth Israel Medical Center
• Note: 8 months later KPMG was awarded a $9.3 million contract to do 150 random audits on practices and business associates.
Lessons From Other BA’s
Heritage Health Solutions – An unencrypted laptop belonging to VA contractor Heritage Health Solutions was stolen from a vehicle, compromising the records of more than 600 veterans.
• Heritage Health Solutions has 69 contracts with VA
• 25 of those don’t have clauses requiring personal data to be encrypted
Booz Allen – The group hired to make a list of all covered entities and business associates has been the target of a hacking group called “Anonymous”. The information hacked included 90,000 military e-mail addresses and password hashes.
Lessons From Other BA’s
Dentaquest – A laptop was stolen out of the trunk of the subcontractor’s vehicle. The computer was password protected, but did not have any other safeguards to prevent unauthorized access to the information.
IBM – 9 servers disappeared out of the data center. The data held nearly 2 million records. To make matters worse, the CE, Healthnet, waited 2 months to report it.
Archive Data Solutions aka Iron Mountain – South Shore said it shipped the backup files to the then unnamed contractor but was
Lessons From Other BA’s
Computer Program & Systems, Inc. (CPSI) – Someone gained unauthorized access into the email system. 763 records were compromised.
• Provides IT support to rural hospitals in Texas and has a host of IT services including:
– Hosted/Cloud Services
– Disaster Recovery
– Collaboration & Connectivity
– Systems Management
Lessons From Other BA’s
Rick Lawson, Professional Computer Services (IC)
• Hacking compromised 2,000 records at his client’s site
• Is now listed as the CIO for Professional Consulting & Technical Services, where he states his strengths are:
– Advanced network monitoring, auditing, security, and intrusion detection and alerting.
– Custom security solutions for VPN and remote access.
– HIPAA-compliant medical and dental practice management.
– Business Continuity planning, disaster prevention and recovery.
What Do These Have in Common?
All of them positioned themselves as healthcare & HIPAA experts on their website.
Each one of these breaches compromised over 500 PHI records.
All breaches could have been prevented if they had a HIPAA Program in place.
If you have not verified your BA’s HIPAA Compliance – these can affect you.
Feedback from BA’s I have called on for my clients
• 80% told me they were compliant – until they got stuck on some questions.
Others Said:
• This is very Invasive
• It is a huge Expense during hard economic times
• It is Minor in the realm of government regulations
• It is Un-enforced/Un-enforceable
Must Educate BA’s
• They were never informed by the government that they had to do this.
• Most will get defensive/argumentative – must have tough skin.
• You must educate them on the HITECH law & HIPAA rules.
• You must be up-to-date on the legislative changes affecting healthcare.
• Must understand that this is an expense to them – they will probably not change unless they have multiple clients demanding this.
Who are Your BA’s?
Anyone who stores, transmits or accesses PHI on your network.
HIPAA is Not an Annual Check-off
Unlike some regulatory compliance programs, HIPAA is not just a one time or annual check off list. Business Associates have to change the way they do business on a daily basis.
Example of What BlueWave Has Done
Regarding IT Support:
• Web Portal with Pictures of Engineering Team
• Password Vault
• Workforce Training
• Workforce Clearance
• Termination Procedures
ACCESS to PHI
Example of What BlueWave Has Done
Regarding Cloud Computing
• Finger Print Scanning
• Iris Scanning
• 2 layers of Security Personnel
• Encryption at Firewall Level
• Only 3 engineers with physical access to the cage
• Password Vault
• VPN Tunnel
Example of What BlueWave Has Done
Regarding Disaster Recovery
• Use Same Data Facilities
• Backed up to Encrypted Server
• Backed up online to secure data centers in Atlanta & Phoenix
• Bi-Annual Testing Option
• Server & Desktop DR Capabilities
Example of What BlueWave Has Done
Consistent Access Logging:
• Client can pull reports on:
– Date Accessed
– Who Accessed
– Type of Issue
– What was done
• Clients can pull these reports from this month to up to the entire length of their contract
• Network Diagram
• Asset Inventory
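The access-logging slide lists the four fields a client can report on and the window over which the report runs (from this month back to the start of the contract). The Python below is an added example of what such a report looks like in code, written for this page and not BlueWave's own system: the pipe-delimited line format, the engineer identifiers, the clinic names and the dates are all constructed, and the after-termination check is an illustration of a question a client could ask of the report, tying in the "Termination Procedures" item on the IT Support slide.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass(frozen=True)
class AccessRecord:
    client: str        # which practice's PHI was touched
    accessed_on: date  # Date Accessed
    engineer: str      # Who Accessed
    issue_type: str    # Type of Issue
    action: str        # What was done


def iso(s: str) -> date:
    """Parse an ISO date string (helper so callers need not import datetime)."""
    return date.fromisoformat(s)


def parse_line(line: str) -> AccessRecord:
    """Parse one pipe-delimited access log line (constructed format)."""
    client, day, engineer, issue_type, action = [f.strip() for f in line.split("|")]
    return AccessRecord(client, iso(day), engineer, issue_type, action)


# Constructed sample log lines: client | date | engineer | issue type | what was done
SAMPLE_LOG_LINES = [
    "Northside Clinic | 2011-06-03 | eng-01 | Printer | Reinstalled print driver, no PHI opened",
    "Northside Clinic | 2011-07-14 | eng-02 | EHR error | Restarted EHR service, viewed error log",
    "Northside Clinic | 2011-08-02 | eng-03 | Backup | Verified nightly backup job",
    "Riverbend Dental | 2011-08-02 | eng-02 | Login | Reset user password",
    "Northside Clinic | 2011-08-20 | eng-02 | Remote access | Connected via VPN to check scanner",
]
SAMPLE_LOG: List[AccessRecord] = [parse_line(l) for l in SAMPLE_LOG_LINES]


def access_report(log: List[AccessRecord], client: str, start: date, end: date,
                  contract_start: date) -> List[AccessRecord]:
    """Records for one client within [start, end], oldest first. The window
    never reaches back before the client's contract start, which is as far as
    the slide says reports go."""
    start = max(start, contract_start)
    return sorted(
        (r for r in log if r.client == client and start <= r.accessed_on <= end),
        key=lambda r: r.accessed_on,
    )


def engineers_seen(log: List[AccessRecord], client: str) -> List[str]:
    """Distinct workforce members who accessed this client's environment."""
    return sorted({r.engineer for r in log if r.client == client})


def accesses_after_termination(log: List[AccessRecord],
                               terminated: Dict[str, date]) -> List[AccessRecord]:
    """Records where an engineer accessed PHI on or after the date their access
    should have been terminated. A non-empty result means the termination
    procedure did not reach every system the engineer could use."""
    return [r for r in log
            if r.engineer in terminated and r.accessed_on >= terminated[r.engineer]]


if __name__ == "__main__":
    for r in access_report(SAMPLE_LOG, "Northside Clinic",
                           iso("2011-01-01"), iso("2011-12-31"), iso("2011-07-01")):
        print(r.accessed_on, r.engineer, r.issue_type, "-", r.action)
```

A report like this only means something if the log is written by the support provider's systems rather than by the engineer after the fact; the value to a Covered Entity is that the "Who Accessed" column can be checked against the provider's current workforce list, as `accesses_after_termination` does.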
A Business Associate Agreement is Not Enough
MUST VERIFY
• Get a copy of their Policies and Procedures
• Ask specific questions on how they are going to service your account
• Find out if they store their information elsewhere and if they have had that audited
• Ask specific safeguard questions
• Ask about any subcontractors that have access to your practice’s PHI
Be Wary of BA’s Who:
• Fight you on this
• Want to do the minimum necessary to get compliant
You Need a BA Who You Can:
• Trust they will protect your patients’ PHI.
• Trust they are knowledgeable enough to know how to protect the PHI.
• Trust they are serious about protecting PHI.
• Trust they are going to maintain the PHI.
Example of What BlueWave Has Done
• Packaged the Compliance Program we performed internally to help protect Covered Entities & their Business Associates.
Form a Team to Protect PHI
As you call your BA’s, you are going to find a lot of kickback. Other practice managers are going through the same thing. For this reason it is important to:
•Keep a list of those who are compliant.
•Share that list with other practice managers.
Polling Questions
BlueWave is putting together a formal list of Business Associates who meet the compliance requirements.
• If you would like to be informed of who met the qualifications, please check yes here.
• If you would like to add your own business associates who meet the criteria to the list, please check yes here.
Thank you
Deborah Frazier
Bluewave Computing
“Privacy, Security & Disaster Recovery” Committee
About the Healthcare Solutions Resource Forum (HSRF)
Created by Dr. Paige Joyner of Compliance + and Deborah Frazier of BlueWave Computing, the Healthcare Solutions Resource Forum (HSRF) is a flagship program designed to bring together prominent thinkers from various disciplines with healthcare executives in order to identify the impact of legislative changes in the areas of technology, operations and finance. The concept of the HSRF was born out of the realization that the healthcare industry is under more pressure than ever before to meet legislative changes, yet the information is so scattered and unclear. By combining the knowledge of experts in various disciplines, members can assimilate information to form clear solutions and address legislative changes. Together we believe we can have a positive impact on the healthcare community, whereas on our own we can only impact our small part of the world.
Polling Question
The Healthcare Solutions Resource Forum will be sending out a survey to all of those who registered for this function. Upon returning the survey you will be entered into a drawing for a $100 AMEX gift certificate.
The purpose of the survey is to find out what other topics you might be interested in. In addition, you will have an opportunity to request a 15 minute consultation with any of the speakers on this call. The winner will be announced to all participants at the end of the business day.
If you would like to be entered into the drawing, please check if you would like to be contacted by email or phone.