Impact of HIPAA Compliance on Business Associates

November 01, 2011 2:00 pm


Online Tech's Risk Management and Security Officer, Jason Yaeger, shares his experience guiding a company through a HIPAA audit and his recommendations for successfully passing a HIPAA audit.

Yaeger discusses the impact of HIPAA certification on his role, company policies, and day-to-day operations for employees of a HIPAA compliant data center.




Mike Klein: Good afternoon everyone. Today we are going to be talking to Jason Yaeger, who is Online Tech’s Risk Management and Security Officer, which is the fancy way of saying he is the Operations Manager and Director who got us through all of our HIPAA compliant processes and our HIPAA compliance audit. The topic of today’s webinar is: Impact of HIPAA Compliance on Business Associates.

We will discuss today what Online Tech went through in going through the HIPAA audit, becoming compliant and the things we needed to do and change in our policies and day-to-day operations to support a HIPAA compliant environment.

We hope this is helpful for you as you are looking at HIPAA compliance for your own departments or your own IT requirements. Feel free as we are going through this to get into the chat box and drop your questions in there.

Well why don’t we get started, Jason, welcome.

Jason Yaeger: Thanks for having me.

Mike: Let’s start off with when you were going into this process. I am sure you had a lot of expectations and maybe some misconceptions of what HIPAA meant. What would you say was your biggest misconception as you looked at the different parts of HIPAA at the start of the audit?

Jason: One of the big misconceptions was more about the processes the company had to adopt and take on, rather than the prescription of whether it be IT related or any other financial function. It was more just about developing these processes and then implementing them throughout the company to mitigate your risk of having HHS come back through it and if you had a data breach, find it. So there was a lack of technology prescriptions that I would have felt are best suited to be in there, because they do more than just adopt policies.

Mike: When we went through this process I was thinking we had to implement ‘this’ and ‘that’ technology, but we did not see that.

Jason: No, you did not see that. It was more about these are the best practices, you should do these things and if you do these things you may have less of a fine if you have a data breach. It was more along those lines. It is all about the policies and procedures and proper training throughout.

Mike: I know some companies talk about doing self audits, and there are a lot of third party auditors out there. Which way did Online Tech decide to go and why?

Jason: Well we never really considered doing a self audit. Primarily because all of our other audits are done by a third party. We feel that there is a higher degree of accountability with a third party auditor, so our clients feel more comfortable knowing that there is a third party auditing our policies and procedures and making sure we are doing what we say we are doing.

Mike: And so as a result of using a third party auditor, what was the end deliverable that we ended up with?

Jason: We ended up with full compliance. Out of 136 audited areas we had 0 non-compliant processes or procedures on the HROC, which is the HIPAA HITECH Report on Compliance.

Mike: So as I understand it, there were two parts to the process. The first part was going in and doing an audit or a gap analysis to see what we needed to do and how much we were compliant and what gaps needed to be filled. The second part was a remediation process. Can you share with us how long each of those parts took or how that whole process went? Both calendar wise and just how much work was there to do.

Jason: Estimated, it took us about four months to do this. We started off with the gap analysis to identify what policies and procedures we had to adopt to become HIPAA compliant. And we had a great basis of policies and procedures, because of SOC compliance which we already have, but we did have some gaps we needed to fill.

It took us about a month and a half to go through the gap analysis and know what we needed to do. The remainder of those four months was spent creating these policies, writing them, getting management approval, developing training for existing employees and then developing an ongoing procedure for new employees.

As well as yearly updates to that training for existing employees. So in total it took us about four months. I think if we did not have the basis from the SOC 2 and SOC 3 we would be looking at two to three times that amount of time, so maybe upwards of a year without that basis of SOC 2 and SOC 3 policies and procedures we had already adopted.

Mike: Maybe so the audience knows, talk about SOC 2 and SOC 3. I am sure people have heard of the term SAS 70, and SSAE 16 is obviously replacing SAS 70 right now, but SOC 2 and SOC 3 are not very well understood. Could you walk us through that understanding of SAS 70, SSAE 16, SOC 2 and SOC 3? What kind of foundation did that give you going into this?

Jason: Well the SAS 70 we started in 2009. What we did with the SAS 70 was we created a set of items we were audited on. We chose to create a lot of these items. We delivered a higher degree of accountability and transparency to our clients, but we set all of those policies and everything we were audited on.

When that migrated into SSAE 16 and SOC 2 and SOC 3, there was a standard set of items that all managed service providers and organizations are audited on now. We had to adopt a lot of policies as a result of that, because we were put on a level playing field, instead of something each individual organization created themselves.

We adopted a lot of those policies that are needed for HIPAA in SOC 2 and SOC 3, because it deals with service and availability to clients. And that is exactly what HIPAA deals with, service and availability of PHI (Protected Health Information).

Mike: So to go through a HIPAA audit, do you have to go through a SOC 2 and SOC 3 audit?

Jason: You do not. It just helps.

Mike: You mentioned something that is worth exploring a little bit more and that was the ongoing commitment required to make and maintain HIPAA compliance. Maybe share what that means. What kind of ongoing commitments are you looking at as an organization to make sure you can maintain that compliance?

Jason: So there is the incident reporting and the reviewing of the status of your Business Associate Agreement (BAA). Mainly you need to review the status of the ones that are not signed.

Mike: So, all of our business associates and the partners we brought on and signed? Their BAAs to us?

Jason: All of our business associates. So the covered entities, which would be the health offices or the hospital organizations, need to review all of their business associate agreements. We need to do the same thing and make sure we have all of them signed. So the review you need to make sure you do on the business associate agreement is to check the status of the signature on there.

You also need to review your ongoing compliance with all of the ongoing security related things that have to do with HIPAA. From the policies and procedures to the ongoing training to the poster boards around your office that promote security awareness and incident reporting. So security incidents that may happen on a day to day basis. Somebody’s laptop being stolen is a security incident that needs to be reported up through management to the entire company.

And then an annual risk assessment that is done on a yearly basis as well. These are some of the things you have to do to maintain compliance, it is not something you just do once, throw in a drawer and walk away from. You have to live and breathe it every day and then get audited on it every year.

Mike: That is helpful. So kind of looking from Online Tech’s perspective and the operational changes, what were the three biggest operational changes that you had to deploy to make sure we were meeting HIPAA compliance?

Jason: Some of the biggest ones were Business Risk Assessments which we talked about. This is done on an annual basis. If there are any gaps you need to identify them and have a remediation plan and check-up on the remediation plan at least every six months.

Data Review was a big change for us. We need to classify PHI data as sensitive client data. You have to classify internal use data and public data. And then you need to not only classify it, you need to review the data security around that. It could be transaction logs, access logs to that data, etc.

Mike: When you say classified data what does that mean?

Jason: Online Tech and its clients have a lot of data. Internally we classify all of the data that is Online Tech data. Whether that is our email, our financial data or employee files it is classified as internal use. Public data is data that may be on our website or blog viewable to the public.

Sensitive client data is the third thing. That is really all of our client data, but most importantly it is the e-PHI and PCI data. We treat that in a class all its own. It is reviewed every six months to make sure we have reviewed the security incidents around that data. We review transaction and access logs around that data. It is really a lot of work to have clients that have that sensitive data.

Also with the Business Associate Agreement we had a full review of all of our policies. Our acceptable use policies, our data center rules of use, our contract language, and then we have a generic Business Associate Agreement as well that we will sign with companies that have HIPAA compliance. I think one of the most alarming things we saw with the BAAs that were given to us was that they did not meet the requirements for HITECH. And these were companies that were HIPAA compliant and yet they were providing us BAAs that did not meet the criteria of the HITECH Act. I think that was the most alarming thing.

So not only are we going to be able to use that knowledge that we have now, but we are going to use that knowledge we gained from our HIPAA compliance. It is going to be a benefit for our clients that are HIPAA compliant, because we can go back and say: “Hey, this is not a complete BAA. We need to have this, this and this addressed.” Then they go back to their other business associates and make sure those agreements are updated as well.

Mike: A lot of BAAs were written before the HITECH act and then HITECH came in and rewrote all of the requirements. I know as our lawyer was looking through and designing those, they came across a number of agreements that we were asked to sign, but were no longer compliant.

Jason: That is another thing that is a requirement. We need to make sure we are staying up with the new requirements that come through. Whenever they do we will be reviewing them on a yearly basis as part of our risk assessment making sure we are up to date on those policies.

Mike: So we talked about some of the benefits and what it means for our clients, but now that Online Tech has the HIPAA compliance, some of the folks listening in may be reaching out to other vendors that have HIPAA compliance. What does this mean to our clients or someone else’s who is leveraging a vendor that is HIPAA Compliant?

Jason: If your technology solution is in a data center that is HIPAA compliant it becomes that much easier when that company is going through their HIPAA audit. That way when they ask them where their technology is and what the physical and logical security is around all of that technology, it becomes that much easier because Online Tech can provide many of the things that mitigate risk in the HIPAA audit.

We can provide IT disaster recovery, offsite backup and physical security by default if you have services with us. We have a physical security document, and many clients that have a BAA with us have asked for a copy of it (under an NDA), which we can provide and they can use in their HIPAA audit. It just makes it a lot easier. We have had a couple of companies do that not only for HIPAA but PCI related as well.

Blue Cross Blue Shield audited one of our clients that is HIPAA compliant. We have had Discover audit one of our clients that is PCI compliant. The physical and logical security just becomes so easy for them to check off. These auditors come to our data centers and I have had many of them say: “Well, this is a waste of time. If you had just told me you had all of this I would not have to come all the way out here.” It became that easy in our meeting. They thought they had to schedule three hours to go through all of our policies and procedures. Instead we have it nailed down, because we do it all of the time. They were out the door in no time.

Mike: Let’s take a minute and talk about that, because I know when a lot of our clients bring in their clients, like Blue Cross Blue Shield, the time leading up to the audit seems to be a pretty nervous time for our clients. They have a big customer coming in, they are doing the audit and they are pretty worried about that. Just walk us through, if you could, what the experience is like and what the auditor is looking for. I see a lot of energy, not wasted, but spent preparing for or worrying about the audit, and then on the back end it seems like a non-event.

Jason: I think there are a lot of unknowns around audits. When it comes to your data center and services you have with your data center, the auditors are looking at your physical security and your logical security. They are looking at your data classification. They are looking to see if you have policies and procedures in place and if you have those policies and procedures in place it just makes the audit so much easier.

They come to the data center, do their walk through, check doors to make sure they are locked and check all of the things that you claim to do. They check your camera system and how far back your video logs go from the data center. How far back your access logs go from the data center, things like that. If you do not know if your data center is providing that for you, I can see how you would be a little apprehensive.

We take care of all of that. So when they show up they are worried, but they realize very, very quickly that we have done a countless number of audits not only for ourselves, but for clients, and we help them through that process. We provide them with all of that data so at the end of it they realize we had all of it taken care of. If they did not know, now they do. So the following year when they come back, they do not always need to come back on site for the audit, and if they do come on site, we know it is going to be very quick.

Mike: Answer this for us, because I see it a lot, if one of our clients is using Online Tech for HIPAA purposes or a HIPAA audited data center, are they automatically HIPAA audited or HIPAA certified?

Jason: No, they are not. This just mitigates some of your risk. It mitigates a big portion of it like the security around your IT equipment that may be housing PHI or PCI data. But no, the company itself, the covered entity, also needs to be HIPAA compliant because there are a lot of policies and procedures for human resources and finance so you also need to adopt all of those HIPAA policies and procedures, but you do not need to worry about any of the IT related functions.

Mike: So here is a question we got from the audience about burden of proof. What does burden of proof mean? What does a burden of proof for HIPAA mean?

Jason: It deals with breach notifications. The burden of proof is on the covered entity to prove that they have notified all of the people or their clients that could have been breached, or the burden is on the covered entity to actually prove that there was not a breach. So really it is the government saying: “Hey, if we feel like there has been a data breach you need to prove to us that you have notified everyone or you need to prove to us this really was not a breach.”

Mike: Guilty until proven innocent.

Jason: Basically.

Mike: So the covered entity has the burden of proof. How does that reach down to the business associate?

Jason: Well, we need to assist them in any way that we can with these breach notifications if the breach happened from data. This is where we get back into your question on whether we cover the covered entities’ HIPAA compliance. No, we do not. Part of the reason why is because you could have a data breach on a laptop at your company, Company XYZ, that handles medical data that does not even touch our data center. So say the data breach was on your laptop, the company’s laptop, the burden is on that company. If the data breach was in our data center the burden would be on us to assist covered entities.

Mike: In fact, we have the burden to inform them if we do by chance have a breach. Basically the burden to inform them and mitigate whatever happens.

Jason: The burden of proof also states that covered entities must have written policies regarding breach notifications and if they have their PHI in our data center they can use that in their policies and procedures.

Mike: So, we have a policy to address that?

Jason: Yes, we have a policy. The covered entities need policies and procedures as well.

Mike: How does an audited data center or business associate protect their clients or the covered entity on the back end when Health and Human Services starts doing their due diligence checking adherence to HIPAA and HITECH after a breach?

Jason: A lot of it is mitigation of risks and the amount of the fine. So if you have not done anything and you put your servers in your closet at home and you have no physical security around any of your PHI that is not going to look good to HHS. Now on the other side of that spectrum, if you have your equipment in a managed data center that is not only HIPAA compliant, but SOC 2, SOC 3, SAS 70 and SSAE 16 that is going to prove to them that you have done a lot to mitigate that risk. And they are going to look at that in a better light than if you have not done anything.

Mike: That changes the fines doesn’t it?

Jason: Yes, it absolutely changes the fine amount and it absolutely lowers it.

Mike: We had another question from the audience: How are business associates monitored and audited by covered entities?

Jason: We touched on this a little bit earlier. The covered entity does not have to monitor the business associate. They have to monitor the status of the agreement with the business associate, but that does not mean you should not audit your business associate to make sure that they are staying up with their compliance, because you could sign up with them when they have compliance and then they could just not pay for the report the following year and they are no longer HIPAA compliant.

It is wise to stay up on all of your business associates and make sure they are following through with their HIPAA compliance and their SOC audits. With SOC audits, it is always wise to get those on a yearly basis which we provide to our clients under an NDA.

Mike: I know a lot of these very large organizations do not just take your word for it. Even though they do not have to audit, they are not required to audit, but my impression is that the buck stops with the covered entity right? You cannot just tell Health and Human Services that they were audited, they signed this document. The whole thing is not to just sign an agreement, but to really mitigate risk.

Jason: That is correct. It is to mitigate risk and the further above and beyond you go to mitigate that risk, the better you are going to look to the HHS in the event that you do have a data breach. Obviously the goal here is to never have a data breach, but if that happens what have you done to mitigate the risk of the steps afterwards if that were to happen.

If you have been staying up on all of your business associates and you have proof that they have HIPAA compliance and they are keeping up every year, it is going to lower the fine a lot. In addition, you are going to be better at notifying your clients in the event that there is a breach. So it is almost a win-win.

Mike: So you have a lower probability of a breach and better process.

Jason: Yes, lower probability and better processes in the event of a breach.

Mike: Another participant asked to what extent does staff and employee training need to be put in place to meet the audit requirements?

Jason: Well, security awareness is required. It should encompass most, if not all, of the adopted policies of the company, especially if it is pertaining to HIPAA. The training should be tailor-made to each department respectively. So there may be different training for your IT function than there is for your financial function. That training should be tailor-made to those individuals depending on how big you are. Also, make sure you have further training for your Risk Management Officer and that they are staying up to date on the current changes and laws.

Mike: So this may fit right in with your next slide set, can you give more detail on the HROC or HIPAA HITECH Report on Compliance?

Jason: On the slide deck we have a couple of examples. The top part here is some of the requirements in the HROC. This is actually a screen shot from our HROC so it shows the compliance in the attestation bar. Below that, I copied and pasted some of the policies we had to adopt and the reference to our specific policies where that is identified. This is a very, very, very small portion of our HROC. This is an example of what you may find here in the attestation in your gap analysis and what you are not compliant with. Those are some things we had to identify and remediate. This was from our final HROC and we were compliant in all 136 audited areas. Like I said, this is just a small portion of the policies you will have to adopt with training.

Mike: What is the potential liability that any IT vendor faces who handles PHI and how does the audit impact that liability?

Jason: Well mishandling the data is much worse than someone who just handles the data. You need to have policies in place for handling and classifying that data. A couple of slides before this, we talked about how we classify PHI. You need to have those policies and procedures in effect. You need to constantly train and be promoting security awareness and as a byproduct of that, not only are you going to mitigate your risk from actually having a data breach but you are also going to mitigate the fine you may get. And you will have the policies, standards and procedures in place if you do have a data breach.

Mike: But there are some real legal liabilities. Numbers like $1.5 million per incident, right? If you just take the PHI and do not spend any time thinking about it, you could get hit with some pretty significant and sizable fines.

Jason: Ignorance is not an excuse to anything. It does not matter if you are an IT organization that is not HIPAA compliant and you work with clients who are not HIPAA compliant that have PHI on your equipment, you could be fined. There are no ifs, ands or buts about it. You cannot say you did not know to HHS. That is not an excuse, you should have known and you could be fined.

Mike: From an IT management perspective you need to find out from your customers and clients whether they have PHI in whatever you are managing for them.

Jason: Absolutely, you need to know. And if they do, you need to have a Business Associate Agreement.

Mike: That is good to know. We had another question from the audience and this is even a little confusing for me when I hear HROC. Can you go over and define what HROC is so the audience has a handle on that?

Jason: Sure. HROC is the HIPAA HITECH Report on Compliance. It outlines a lot of the safeguards, standards and the implementation of how you are going to address those safeguards and standards. It tells whether it is or is not required. Just because it is not required does not mean you do not want to do it, it just means it is not required.

If you do it and it is not a requirement, they are going to look at that in a better light than if you just ignored it. It is going to give you compliance status with each one of those items. It is also going to document and show what policies you have implemented as a result of this and it will also at the end of it give you what your company’s risk status is.

Our overall risk grading is low. There are zero non-compliant high risk items. It is also going to give your compliance status. It is shown as a pie chart here on the screen and is all green, but if you were to have some non-compliant areas that would be shown in there in red.

Mike: So is the HROC something that if I am a covered entity or business associate reaching out to bring someone else in as a business associate, contractor, or vendor I should ask them for if they have been HIPAA audited?

Jason: Yes, and if they are like us they will do it under an NDA. If they do not under an NDA provide you with this HROC I would definitely question it.

Mike: It is a very detailed report.

Jason: It is a very detailed report, definitely. We do the same thing with our SOC 2, SOC 3 or SSAE 16 or SAS 70 reports. Under an NDA we will provide them to clients where needed. It is something that provides complete transparency and if someone is not willing to provide you that level of transparency, they are probably trying to hide something in my personal opinion.

Mike: So another question came back from the audience on acronyms. We have been throwing around acronyms without really defining them; what is PHI?

Jason: Protected Health Information.

Mike: So what does that mean?

Jason: That could be your file at a doctor’s office that could list your health information. So the government does not want that getting out into anyone’s hands.

Mike: We talked about this, and I know from a business perspective I certainly shared these concerns going into this: the potential liability we had as a data center operator in recognizing that liability or not. You talked a lot about the HROC and the things we did on the audit side, but let’s talk beyond policies and procedures. What are the other kinds of commercial arrangements that Online Tech made to meet the HIPAA requirements?

Jason: I think we touched on the BAA a little bit. We went to a third party law firm and contracted with a lawyer who specialized in HIPAA. We contracted to have a Business Associate Agreement written with that law firm so we knew that we were getting the best out there. They have a lot of knowledge in the HIPAA arena. In addition we had to acquire HIPAA related insurance from Lloyd’s of London, who specialize in specialty insurance. They are the ones who insured Betty Grable’s legs for $1 million each, Bruce Springsteen’s voice for $6 million and now Online Tech’s HIPAA.

Mike: We have a couple of questions here. One of them is what do you feel is the greatest advantage of using a third party to help in the process versus sorting through all of the HIPAA requirements on your own?

Jason: I think that not only do we feel that our clients want us to have a third party, because of the unbiased audit, but I think it is also a benefit for Online Tech’s management. It is backing up what we say we do. To have a third party come in and say yes, everyone is doing exactly what they say they do, provides a level of assurance to the management team that they can sleep a little bit better at night. That is why we do it externally. It not only benefits our clients, but us internally as well.

Mike: There is also the issue of being too close to it, right? The fox guarding the hen house. You may not be able to see everything.

Jason: Exactly. It is human nature to miss something that an unbiased third party will come in and say we need to identify and fix. You almost hit your head and say I should have known that, but it is human nature to do that. That is why you have a third party and why people specialize. It is not necessarily the cheapest way to go.

Mike: Here is one more question, who performed your HROC? I have heard of outside organizations performing HIPAA gap analysis, but I have never heard of it referred to as an HROC. From your experience is this a widely used term in the industry?

Jason: It is a widely used term and ATMP Solutions provided the HROC.

Mike: They did a webinar last week with us, so that webinar is available on our website if anyone would like to see it, with one of the principals of that organization speaking.

Jason: Yes, that would be Joe Dylewski with ATMP Solutions.

Mike: Next week’s webinar will have our attorney, Tatiana Melnik, who is with Dickinson and Wright, who has a leading practice in HIPAA and IT Management practices. She is going to be talking about sharing PHI data and the legal implications of BAAs and avoiding HIPAA pitfalls.

Jason: Tatiana actually helped us write our Business Associate Agreement.

Mike: Yes, she was the main author of that Business Associate Agreement. That webinar should be a pretty interesting event.

We will also be attending the national HIMSS conference in Las Vegas, February 20-24. If you are going to be out there, we would love to talk to you.

Thanks very much Jason for sharing your experience.

Jason: You’re welcome, thank you.
