Business Associate Management Methodology

Transcription

1 Methodology auxilioinc.com

2 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates across multiple hospitals 7 Use Case 3: Downstream of s I am a 8 Definition Library for Framework 9 P A G E : 2

3 Methodology Overview The management of business associates (BA) is a critical activity for any healthcare organization. This methodology was designed to enable any healthcare organization the ability to manage business associates in three use cases: 1 I am a healthcare organization that manages business associates 2 I am a health system with multiple related organizations, such as a group of hospitals, which wants to manage business associates across the health system in the most efficient manner possible. 3 I am a business associate This methodology presents the elements that an organization must have to successfully manage all aspect of using or being a business associate.... P A G E : 3

4 USE CASE 1 Upstream of s I manage business associates The table below illustrates every component to managing business associates for a healthcare organization. It illustrates the methodology heading number, the specific task that heading represents, the tangible thing you must create in order to have that element implemented, or artifact, and the foothold. The foothold represents a tip for what you need to do next in your organization to start implementing this item. Component Heading # Task Artifact Foothold Business Process Health CC.1.1 Internal Audit Internal Audit Sub-process Engage Internal Audit function for help CC.2.1 Performance and Metrics BA Program Dashboard Determine the metrics you want to measure before you have data BA Program Dashboard Determine the metrics you want to measure before you have data CC BA Inputs 2. Security and Privacy Requirements in Contracts 3. Agreement (BAA) Accuracy CC.4.1 Documentation of Process and artifacts All artifacts throughout program Ensure documentation element in any future state development Identification of business associates Related Process Triggers Inclusion Clearly identify every related process where a business associate or sub-contractor could live Determination Categorization Sub-Process Review determination tree sample Re-evaluation Re-evaluation Sub-process Understand re-evaluation requirements per BAA s or contracts Security and Privacy Requirement Development Security Requirement Catalog Perform categorization of requirements; measure feasibility of using security policy and standards Contract Routing and Storage Contract Routing Sub-process Engage Legal and review existing process and augment Contract Routing and Storage Contract Repository Review existing repository for quality and establish feasible central location Security and Privacy Requirement Negotiation Negotiation Sub-process Engage Legal and review existing process and augment Agreement Development and Storage BAA Development and Sub-process Engage all related teams as one group on common goal Agreement Development and Storage BAA Repository Review existing repository for quality and establish feasible central location Transition Period Provision Transition Period Sub-process Review existing and augment BAA Routing and Execution BAA Routing Sub-process Engage all related teams as one group on common goal BAA Negotiation BAA Negotiation Sub-process Engage Legal and review existing process and augment Continued P A G E : 4

5 Component Heading # Task Artifact Foothold 4. Data Protection and Access PHI Data Map PHI Data Map Go to the people closest to the data to understand where it lives Breach and Incident Incident Process Begin by categorizing all of the potential incident type as a starting point Internal Safeguard Internal Safeguard Process Triggers Break up controls into preventive and detective BA Safeguard Safeguard Measurement and Remediation Sub-Process Establish what type of access and data they have to your environment Breach Breach Notification Review existing process and augment Remediation Remediation Sub-process and Breach Risk Assessment Review existing process and augment Due Diligence Security and Privacy Audit Audit Review whether your contracts specify if you should do due diligence Due Diligence Security and Privacy Audit Remediation Sub-process Identify how you track remediation with BA s today Internal HIPAA Alignment Internal HIPAA Process Triggers Perform or ensure you have a recent HIPAA risk analysis to guide you Visual Depiction of Upstream of s... System *Enlarged views of each phase on following pages PAGE:5

6 PAGE:6

7 USE CASE 2 Eco System of s I manage business associates across multiple hospitals The table below illustrates every component to managing business associates for a healthcare organization. It illustrates the methodology heading number, the specific task that heading represents, the tangible thing you must create in order to have that element implemented, or artifact, and the foothold. The foothold represents a tip for what you need to do next in your organization to start implementing this item. Heading # Component Task Artifact Foothold Eco System Eco System Establishment Establishment Process Eco System Eco System Communication Structure Determine included parties and establish interest, Define Governance Model, perform gap analysis Eco System Normalizing BA Inputs, Artifacts and Standards Eco System Develop Ecosystem Processes Eco System Define Eco System Governance 6.0 Eco System Eco System Health Defined Sister Organization or Group Member Lateral Communication Structure Understand existing communication Establishment, Up/Downstream structures Communication Perform gap analysis to see Establishment of Normalized current state inputs, Artifacts and Standards Determine Process Suite for Determine scope and Eco System Managing the Eco System Members Eco System Agreements, Ratification of Standards and Review current governance models Artifacts Eco System Dashboard, internal Be mindful as you build Eco System measurement of efficiency Visual Depiction of Eco System... P A G E : 7

8 USE CASE 3 Downstream of s I am a The table below illustrates every component to managing business associates for a healthcare organization. It illustrates the methodology heading number, the specific task that heading represents, the tangible thing you must create in order to have that element implemented, or artifact, and the foothold. The foothold represents a tip for what you need to do next in your organization to start implementing this item. Heading # Component Task Artifact Foothold Upstream Inbound BAA Routing Inbound BAA Routing Process Determine current routing process Aggregated Ecosystem Consolidated Remediation Plans Centralized Remediation Process Determine current remediation existence Visual Depiction of... P A G E : 8

9 Definition Library for Framework Term Definition Source Category Access and Safeguard level Data The adequacy of protection of Protected Health Information (PHI) is often determined based on the level of access to that data, as well as the measures used to ensure that the potential for unauthorized disclosure is limited. Examples of safeguards include encryption while data is at rest or in transit. Understanding the types and levels of access and safeguards both internally and in your business associates is critical to being able to make informed decisions about your organizations HIPAA compliance profile. Breach A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. administrative/ breachnotificationrule/ There are three exceptions to the definition of breach. The first exception applies to the unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate. The second exception applies to the inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate. In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule. The final exception to breach applies if the covered entity or business associate has a good faith belief that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information. Breach Notification Rule Interim final breach notification regulations, issued in August 2009, implement section of the Health Information Technology for Economic and Clinical Health (HITECH) Act by requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section of the HITECH Act. administrative/ breachnotificationrule/ HIPAA Privacy Rule The HIPAA Privacy Rule establishes national standards to protect individuals medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. administrative/ privacyrule/index.html The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164. P A G E : 9

10 Term Definition Source Category HIPAA Security Rule The HIPAA Security Rule establishes national standards to protect individuals electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. administrative/ securityrule/index.html Omnibus The U.S. Department of Health and Human Services (HHS) Office for Civil Rights announces a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). administrative/omnibus/ System Health Process This process is the workflow for measuring the performance and accuracy of the outputs from your System System Health A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. The types of functions or activities that may make a person or entity a business associate include payment or health care operations activities, as well as other functions or activities regulated by the Administrative Simplification Rules. Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and reprising. Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of business associate at 45 CFR Examples of s. n A third party administrator that assists a health plan with claims processing. n A CPA firm whose accounting services to a health care provider involve access to protected health information. n An attorney whose legal services to a health plan involve access to protected health information. n A consultant that performs utilization reviews for a hospital. n A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer. n An independent medical transcriptionist that provides transcription services to a physician. n A pharmacy benefits manager that manages a health plan s pharmacist network. understanding/ coveredentities/ businessassociates.html Inputs PAGE:10

11 Term Definition Source Category Accuracy Metrics Accuracy metrics supply information about the level of quality and accuracy within artifacts in the System. For example, the accuracy associated within the repository in which you store business associate contracts (agreements). You may have all of the agreements within that repository, but are they current, correct and accurate. This metric looks to measure the completeness and quality of your artifacts. System Health (Contract) Agreement A covered entity s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR (e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). understanding/ coveredentities/ businessassociates.html (Contract) Agreement Routing Process This process manages the workflow for transferring business associate agreements to all of the parties that must be involved during their development, updating, authorization, storage and execution. Common parties include legal, information security, privacy, business associate teams, and others. Agreement negotiation process This process manages the workflow for transferring business associate agreements to all of the parties involved during the negotiation process of terms. Common parties include legal, information security, privacy. It is common that these process steps are included within the (Contract) Agreement Routing Process. Agreement Repository This is the location in which your executed business associate agreements are stored once the routing process has been completed. Categorization process This is the workflow process for determining and categorizing whether a vendor or service provider is a business associate. This determination is important to understand whether this vendor or service provider is subject to the processes within your business associate management system. Inputs Procurement negotiation process This process manages the workflow for transferring procurement contracts to all of the parties involved during the negotiation process of terms. Common parties include legal, information security, privacy. It is common that these process steps are included within the Procurement Contract Routing Process. Common types of procurement documentation include Master Service Agreements, Service Orders, etc. Note, these are different than Agreements (Contracts) Procurement Contract routing process This process manages the workflow for transferring procurement contracts to all of the parties that must be involved during their development, updating, authorization, storage and execution. Common parties include legal, information security, privacy, business associate teams, and others. PAGE:11

12 Term Definition Source Category A covered entity s contract or other written arrangement with its business associate must contain the elements specified at 45 CFR (e). For example, the contract must: Describe the permitted and required uses of protected health information by the business associate; Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law; and Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract. Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). and Remediation Process This process manages the workflow for measuring the level of implemented HIPAA security rule safeguards and the associated remediation activities for any identified gaps within business associates and Storage Process This process management the development, storage and retrieval workflow for business associate agreements at your organization System The business associate management system is the structure and relationship in which an organization manages all of the associated processes and workflows for interacting with business associates. Input Performance and Accuracy Dashboard This document presents a point-in time display of the performance and accuracy elements of the System System Health Performance Metrics These metrics provide data points to understand how efficient and effective the various work-flows within the Business Associate System are operating. Common data points include work effort per process, duration per process output, as well as the experience quality of participants in the various processes. System Health Relationship Review Process This process manages the review of business associates on a recurring basis per procurement contract or business associate agreement defined terms. Inputs Relationship The business associate relationship is the sum of all interactions between a covered entity and a business associate within all of the workflows and processes in the Business Associate System. Inputs Safeguard and Remediation Process This process manages the workflow for measuring the level of implemented security and privacy safeguards and the associated remediation activities for any identified gaps within business associates Data Security and Privacy Central Procurement Contract Repository This is the location in which your executed procurement related contracts are stored once the routing process has been completed with business associates. Documentation Documentation is defined as the formal written record of a process or artifact. A process may be performed, perhaps even consistently, but it is not considered documented unless it is applied to a document. Global PAGE:12

13 Term Definition Source Category Due-Diligence Audits Due-diligence audits are the reviews of business associate to verify their level of compliance with procurement or business associate agreement HIPAA compliance terms. HIPAA Breach Risk Assessment This process identifies the workflow for Covered entities and their business associates to conduct a breach risk assessment for every data security incident that involves PHI. This risk assessment determines the probability that PHI has been compromised, based on four factors: 1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; 2. The unauthorized person who used the protected health information or to whom the disclosure was made; 3.Whether the protected health information was actually acquired or viewed; 4. The extent to which the risk to the protected health information has been mitigated. HIPAA Business Associate Breach Process This risk assessment is the measurement element for every data security incident that involves PHI. This risk assessment determines the probability that PHI has been compromised, based on four factors: 1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; 2. The unauthorized person who used the protected health information or to whom the disclosure was made; 3.Whether the protected health information was actually acquired or viewed; 4. The extent to which the risk to the protected health information has been mitigated. HIPAA Risk Analysis Risk analysis is the assessment of the risks and vulnerabilities that could negatively impact the confidentiality, integrity, and availability of the electronic protected health information (e- PHI) held by a covered entity, and the likelihood of occurrence. The risk analysis may include taking inventory of all systems and applications that are used to access and house data, and classifying them by level of risk. A thorough and accurate risk analysis would consider all relevant losses that would be expected if the security measures were not in place, including loss or damage of data, corrupted data systems, and anticipated ramifications of such losses or damage. faq/ securityrule/2013.html Risk Risk management is the actual implementation of security measures to sufficiently reduce an organization s risk of losing or compromising its e-phi and to meet the general security standards. faq/ securityrule/2013.html HIPAA Business Associate Transition Provision Transition Provisions for Existing Contracts. Covered entities (other than small health plans) that have an existing contract (or other written agreement) with a business associate prior to October 15, 2002, are permitted to continue to operate under that contract for up to one additional year beyond the April 14, 2003 compliance date, provided that the contract is not renewed or modified prior to April 14, This transition period applies only to written contracts or other written arrangements. Oral contracts or other arrangements are not eligible for the transition period. Covered entities with contracts that qualify are permitted to continue to operate under those contracts with their business associates until April 14, 2004, or until the contract is renewed or modified, whichever is sooner, regardless of whether the contract meets the Rule s applicable contract requirements at 45 CFR (e) and (e). A covered entity must otherwise comply with the Privacy Rule, such as making only permissible disclosures to the business associate and permitting individuals to exercise their rights under the Rule. See 45 CFR (d) and (e). understanding/ coveredentities/ businessassociates.html PAGE:13

14 Term Definition Source Category Transition Provision (Omnibus Updated) Process Covered entities (other than small health plans) that have an existing contract (or other written agreement) with a business associate prior to January 25, can continue to enforce business associate agreements entered into prior to January 25, 2013 and which complied with the requirement in effect as of such date. Covered entities, business associates and subcontractors with such grandfathered agreements have until the earlier of September 22, 2014 (an extra one-year transition period) or the date the business associate agreement is modified or renewed after September 23, 2013 to update the grandfathered business associate agreements. Transition Provision Process This process manages the workflow for interaction between a covered entity and business associates in regards to the updated Omnibus transition provision. Incident Process The incident management process is the workflow in which an organization identifies, categorizes, manages, remediates and reports security or privacy related events both internally and to external parties. Inputs Incident Process The incident management process is the workflow in which an organization identifies, categorizes, manages, remediates and reports security or privacy related events both internally and to external parties. Data Security and Privacy Incident Process The incident management process is the workflow in which an organization identifies, categorizes, manages, remediates and reports security or privacy related events both internally and to external parties. Data Security and Privacy Internal Safeguard process Internal safeguard processes are designed to manage safeguards within an organization. Commonly, external third parties, such as business associates, can impact the effectiveness of internal safeguards depending on their level of access or data management. Data Security and Privacy Omnibus Business Associate Agreement Updates The high-level delta between requirements before omnibus and after. The primary changes include: 1. Comply with the HIPAA Security Rule 2. Report to a covered Entity any breach of unsecured PHI 3. Enter into BAA s with subcontractors imposing the same obligations that apply to the business associate 4. Comply with the HIPAA privacy rule to the extent business associate is carrying out a covered entity s privacy rule PHI Data Map A PHI Data Map is a visual representation of where PHI data is located within an organization. Commonly, this visual also illustrates levels of access to this data and preventive and detective measures to protect it within each locale. Data Security and Privacy Process Artifact A process artifact is a tangible element within a process, such as a produced document, technical implementation, etc. It is what you can show to prove you are actually doing something within a process, or perhaps even the process itself. Global Process a systematic series of actions directed to some end: Dictionary.com Global Remediation A series of activities to correct a finding. Data Security and Privacy Safeguard A security measure designed to protect the availability, confidentiality, or integrity of electronic protected health information. Data Security and Privacy Security and privacy requirement catalog This is a categorized organization of common business, functional and technical security and privacy requirements. These requirements generally align to security and privacy standards at an organization. PAGE:14

15 Term Definition Source Category Sub-process Generally a section of a complete process. Global Process Triggers Process triggers are steps within a process that are designed to have specific if/then relationships. For example, if this vendor accesses PHI, then send them over to the business associate management categorization process for processing. These triggers are critical to creating healthy inputs and outputs from the System. Inputs Procurement contracts are documents and agreements common between vendor or service providers and the organizations in which they serve. Common contract documents include Master Service Agreements, Service orders, etc. Protected Health Information (PHI) Health information means any information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and com/2009/09/ hipaa-protected-healthinformation-whatdoes-phi-include/ Global (B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. PAGE:15