HIPAA and Business Associates: Tempest in a Teapot or Perfect Storm?
Contents

Introduction ... 3
The Paragraph ... 4
The Page ... 5
The Detail ... 6
  The Dawning of the Digital Age ... 6
  Putting Dollars and Teeth in HIPAA ... 8
  HITECH Dollars ... 9
  HITECH Teeth ... 10
  HIPAA / HITECH Fine Structure ... 10
What to Do? ... 19
  Are you a Covered Entity? ... 19
  Are You a Business Associate? ... 20
  Storing Protected Health Information ... 22
Summary: Elements of the Perfect Storm ... 23
Introduction

The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, but its Security, Privacy, and Breach Rules saw little enforcement. Several forces have combined in the past few years that will change how HIPAA impacts not only insurance companies, clearinghouses, and healthcare providers (all considered Covered Entities) but Business Associates (those who have access to patient data in performance of their contracted duties).

HealthCare Too specializes in HIPAA compliance through its medical-grade HIPAA Cloud Service, technology management, and consulting services. We are pleased to share our insights with you and are available to assist with your cloud hosting and HIPAA compliance needs.

This white paper is structured as four separate, stand-alone modules:

The Paragraph provides an ultra high-level overview of the coming changes.
The Page gives a few more insights but avoids details and reference materials.
The Detail places tomorrow's changes in the context of HIPAA's history through a detailed analysis of various regulations, enforcement actions, technologies, and industry trends.
The Summary lists all the points made throughout this white paper in one easy-to-find location.

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 United States License (CC BY-NC-ND 3.0 US): http://creativecommons.org/licenses/by-nc-nd/3.0/us/
The Paragraph

HIPAA became law in 1996, but there was no mechanism for enforcement of Privacy or Security until 2003, and not much happened even after those rules went into effect. The Health Information Technology for Economic and Clinical Health (HITECH) Act became law in 2009 and took effect in 2010, with a new fine structure of up to $1.5 million per violation per calendar year. There were more enforcement mechanisms for Privacy and Security, but Health and Human Services (HHS) used them sparingly with Covered Entities and did not use its HITECH powers with Business Associates.

Starting in 2009, HHS worked on a HIPAA Final Rule that would give it appropriate powers to regulate more fully the Covered Entities, Business Associates, and subcontractors who had access to patient data. In January 2013, HHS published this needed (and long-awaited) Final Rule. The Final Rule took effect March 26, 2013. Covered Entities, Business Associates, and subcontractors with access to patient data must be in compliance by September 23, 2013.

As part of HITECH, HHS now has the ability to perform audits for HIPAA compliance and conducted over 100 randomized audits in 2012, producing nearly 1,000 audit findings and observations. All the elements for a HIPAA compliance perfect storm for Business Associates are in place.
The Page

The Health Insurance Portability and Accountability Act of 1996 has five major parts (or "titles") that address many aspects and implications for Americans moving among health insurance plans, such as guidance on pre-existing conditions, tax implications, group health plans, and many more. In order to reduce fraud, waste, and abuse, HIPAA included a section (i.e., Title Two, Subtitle F) called Administrative Simplification. Health and Human Services (HHS) is responsible for Administrative Simplification, and from that legislative foundation HHS published a series of five rules to address concerns around patient data and to put in place standards to make healthcare transactions more efficient for electronic systems:

Privacy Rule (2000)
Security Rule (2003)
Transactions and Code Sets (2003)
Enforcement Rule (2006)
Unique Identifiers (2007)

Of these five rules, only the Privacy, Security, and Enforcement Rules focus on Protected Health Information (PHI), or patient data. However, these rules have been some of the least understood and least enforced parts of HIPAA.

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as part of the American Recovery and Reinvestment Act (ARRA) and went into effect in 2010. Designed to jump-start the US economy after the Great Recession, HITECH contained roughly $25 billion for investment in and support for electronic health records. HITECH also contained much more aggressive enforcement provisions and much higher fines to protect and secure the health information that would be in those electronic health records. HHS did step up enforcement somewhat on insurers, clearinghouses, pharmacies, and providers; however, HHS purposefully left Business Associates off the enforcement radar until it could properly address Business Associates through a new Final Rule.

The HIPAA Final Rule was published January 25, 2013. The Final Rule took effect March 26, 2013 and requires compliance by September 23, 2013 from Covered Entities, Business Associates, and subcontractors who have access to protected health information as part of their jobs. In addition to this much broader application, the Final Rule is more aggressive in protecting patient data through higher standards and higher fines (up to $1.5 million per violation per calendar year). Business Associates who are not already fully compliant in safeguarding Protected Health Information will soon find themselves at the mercy of a perfect storm.
The Detail

The Dawning of the Digital Age

In 1996 the Health Insurance Portability and Accountability Act (HIPAA) became law in order to address a challenge faced by many Americans: portability of insurance coverage for American workers who changed jobs (e.g., pre-existing conditions, gaps in coverage). President Clinton and the US Congress also wanted to ensure that the growing exchange of electronic health information would benefit the US healthcare system through greater efficiency and better patient outcomes but would not violate a patient's right to privacy regarding health matters or give rise to new forms of waste and mismanagement.

"To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information." (http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act.page)

To keep this in context in terms of the evolution of technology and ecommerce at the turn of the last century: Amazon.com went live as an online bookstore in 1995 and Google was incorporated in 1998. The late 1990s also saw the rise of online stock trading that made it possible for individual investors to participate in trading that had been reserved for commissioned brokers. The US (and the world) could see more happening online and the potential benefits that could be applied to healthcare.

Fast forward to 2003: Amazon.com is branching out into markets beyond books, Google has practically become its own verb, and day trading across the globe has become commonplace. HHS, on the other hand, adopts the Security Rule, Privacy Rule, and Transactions and Code Sets. The Information Superhighway had largely bypassed healthcare while many other industries raced at full speed.

Over a year later, the first prosecution under HIPAA came in November of 2004, when Richard W. Gibson was convicted for using his access to Protected Health Information in order to steal patient data and use it to get credit cards. (Source: The Seattle Times, http://seattletimes.com/html/localnews/2002083782_idtheft06m.html)

In 2004, Facebook was founded by a group of Harvard students, and by October 24, 2007, Microsoft announced that it had purchased a 1.6% share of Facebook for $240 million, giving Facebook a total implied value of around $15 billion (https://en.wikipedia.org/wiki/facebook). In 2006, HHS announced the Enforcement Rule for HIPAA, and in 2007 came Unique Identifiers. Again HIPAA was generating much paper, and some arguably good ideas, but HIPAA and health information technology were moving at analog speed in a Digital World.

It was not for another four years, in 2008, that HHS implemented its first Corrective Action Plan, when Providence Health & Services agreed to an HHS Corrective Action Plan and to pay $100,000 (note: this was not a civil monetary penalty), stemming from a loss of backup media and laptops in the period 2005-2006 (http://www.hhs.gov/news/press/2008pres/07/20080717a.html). This was the first time HHS required a Resolution Agreement from a Covered Entity, more than a decade after HIPAA had been enacted and five years after compliance was required. With only a handful of high-profile cases, HIPAA was either an extraordinary success in the annals of compliance that did not require enforcement, or it simply did not have sufficient resources and mandate to enforce compliance.

If our story stopped here, this would be a tempest in a teapot for both Covered Entities and Business Associates.

Putting Dollars and Teeth in HIPAA

In battling the Great Recession, the Obama Administration worked with Congress to pass the American Recovery and Reinvestment Act of 2009 [1] (ARRA). In the ARRA was the Health Information Technology for Economic and Clinical Health (HITECH) Act [2] that targeted increased spending for the US healthcare system. While many dollars flowed to different parts of healthcare from the ARRA, two parts of the HITECH Act are important here:

Roughly $25 billion for investments in and incentives for Health Information Technology
New enforcement for HIPAA

[1] This should not be confused with the Affordable Care Act (or its correct name, the Patient Protection and Affordable Care Act) or "Obamacare".
[2] We do not come up with the titles; we just report them.
HITECH Dollars

$25 billion for incentives would certainly lead to greater adoption of health information technology (HIT), as the following graphic on adoption of Electronic Medical Records (EMR), or Electronic Health Records (EHR), from the CDC shows:

[Graphic: use of electronic health record systems among office-based physician practices, United States, 2001-2012]
(Source: Hsiao CJ, Hing E. Use and characteristics of electronic health record systems among office-based physician practices: United States, 2001-2012. NCHS data brief, no 111. Hyattsville, MD: National Center for Health Statistics. 2012. http://www.cdc.gov/nchs/data/databriefs/db111.htm)

After a decade or more of limited progress for Security and Privacy in health information technology, this is the first element in our perfect storm for HIPAA and Business Associates: a substantive incentive from the Federal Government for HIT that spurred not only adoption but Meaningful Use [3] of HIT by providers and hospitals, which means greater and easier access to electronic Protected Health Information. There are many (many, many) articles that debate the effectiveness of Meaningful Use (or even HIT), but there is little doubt that more providers and hospitals are using HIT and have received Meaningful Use payments. We should also note here that of the 15 Core Requirements for Stage One of Meaningful Use, compliance with the HIPAA Privacy and Security Rules is explicitly targeted in the criterion "Ensure Privacy and Security for Personal Health Information". In other words, an Eligible Provider or Eligible Hospital must demonstrate HIPAA compliance to receive Meaningful Use payments.

[3] Meaningful Use is the term used by CMS that encapsulates the Core and Menu Requirements that an Eligible Provider or Eligible Hospital must demonstrate in order to collect incentive payments under HITECH.

HITECH Teeth

While HITECH offers billions of dollars in the way of financial and other incentives for providers and hospitals to make greater use of electronic health records, a number of "teeth" have also been added through HITECH to enhance compliance with HIPAA.

Fines

When HIPAA was introduced in 1996 there were fines associated with non-compliance. However, the civil penalty structure was no more than $100 for each violation and not more than $25,000 for identical violations during a calendar year. Most Covered Entities had until April 2003 (and small providers had until April 2004) to comply. As we saw from the preceding pages, there was very little enforcement activity and no large fines under the 1996 HIPAA. HITECH changed that. Under HITECH the fine structure changed considerably, from arguably a nuisance fine to the potential for millions of dollars.

HIPAA / HITECH Fine Structure

Violation Category              Per Violation        Per Calendar Year
Did Not Know                    $100 - $50,000       $1,500,000
Reasonable Cause                $1,000 - $50,000     $1,500,000
Willful Neglect, Corrected      $10,000 - $50,000    $1,500,000
Willful Neglect, Not Corrected  $50,000              $1,500,000

While this Fine Structure was implemented in HITECH in 2009 and took effect in 2010, the Office for Civil Rights (OCR), charged with enforcing HIPAA / HITECH for Health and Human Services (HHS), has only needed to use it sparingly so far to demonstrate that compliance will be taken more seriously. On February 22, 2011, HHS imposed its first Civil Monetary Penalty (CMP), $4.3 million, on Cignet Health of Prince George's County, MD. The fine stemmed from complaints from 41 patients who had been denied access to their medical records. That denial of access totaled $1.3 million in fines. Cignet received an additional $3 million in fines due to its willful neglect to comply with OCR requests during the investigation.
The second element of the perfect storm for Business Associates and HIPAA was in place: a fine structure that was no longer for nuisance amounts but impactful and directly linked to real compliance with OCR demands.

Audits

HITECH also provided for periodic audits by OCR to ensure Covered Entities and Business Associates complied with HIPAA / HITECH:

"SEC. 13411. AUDITS. The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements."

And OCR actually implemented a fairly robust round of audits in 2012: OCR developed a 169-point audit protocol [4] that was then used with 115 Covered Entities during 2012. OCR has spent a significant portion of 2013 developing a better understanding of the audit findings and observations. Here are two graphs from a July 13, 2013 OCR / WEDI webinar that show the results:

[Two graphs from the July 13, 2013 OCR / WEDI webinar: 2012 audit findings and observations]

[4] The audit protocol is located at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/protocol.html
13 entities of the 115 had no findings, leaving 979 audit findings and observations among 102 entities. Considering that Covered Entities have been aware of HIPAA since 1996 and directly accountable for compliance since at least 2004, this does not portend well for Business Associates, who have never been directly subject to HIPAA until this year.

This is a third element to the perfect storm for HIPAA and Business Associates: there is a legal mandate for HHS to conduct audits ("shall provide for periodic audits", not "may provide for periodic audits"), and OCR has already compiled and executed a formalized audit program with 115 Covered Entities.

BAs Included

So finally we get to the Business Associate! For some this may come as a surprise and for others it is common knowledge: the reason for Business Associate Agreements (or Contracts) was that HHS had no jurisdiction over Business Associates [5]. OCR simply could not hold Business Associates directly accountable for HIPAA violations. This was (somewhat obliquely) referenced in a posting on the HHS Frequently Asked Questions: since its passage in 1996, HIPAA had not applied directly to Business Associates. To work around this, HHS and OCR did the next best thing: ensure that Covered Entities had a contractual arrangement in place with Business Associates, the Business Associate Agreement (BAA). If the Covered Entity did not have a BAA in place, then the Covered Entity could be held in violation of HIPAA.

HITECH, on the other hand, did directly apply HIPAA provisions to Business Associates when it passed in 2009. However, HHS and OCR operated under an Interim Final Rule that did not directly apply to Business Associates until a Final Rule could be published. With the Final Rule (also called the Omnibus or Mega Rule) published in January 2013, HIPAA / HITECH (without question or apology) now applies directly to Business Associates.

[5] Kirk J. Nahra of Wiley Rein, LLP has particularly insightful analyses of the business associate and HIPAA: http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=4&id=6746

The following is an excerpt from the Omnibus published in January 2013, explaining the change concerning Business Associates; the HealthCare Too translation follows the excerpt.

Omnibus excerpt:

"2. Modifications to the HIPAA Security Rule in Subpart C

a. Business Associates

Proposed Rule

Before the HITECH Act, the Security Rule did not directly apply to business associates of covered entities. However, section 13401 of the HITECH Act provides that the Security Rule's administrative, physical, and technical safeguards requirements in §§ 164.308, 164.310, and 164.312, as well as the Rule's policies and procedures and documentation requirements in § 164.316, apply to business associates in the same manner as these requirements apply to covered entities, and that business associates are civilly and criminally liable for violations of these provisions. To implement section 13401 of the HITECH Act, we proposed to insert references in Subpart C to "business associate" following references to "covered entity," as appropriate, to make clear that these provisions of the Security Rule also apply to business associates. In addition, we proposed additional changes to §§ 164.306, 164.308, 164.312, 164.314, and 164.316 of the Security Rule, as discussed below.

Overview of Public Comments

Some commenters argued that the time, implementation expense, transaction cost, and liability cost burdens on business associates and subcontractors to comply with the Security Rule, especially small and midsize entities, would be significant. Other commenters supported the direct application of the Security Rule to business associates and subcontractors.

Final Rule

We adopt the modifications to the Security Rule as proposed to implement the HITECH Act's provisions extending direct liability for compliance with the Security Rule to business associates. In response to the concerns raised regarding the costs of compliance, we note that the Security Rule currently requires a covered entity to establish a business associate agreement that requires business associates to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that they create, receive, maintain, or transmit on behalf of the covered entity as required by the Security Rule; and to ensure that any agent, including a subcontractor, to whom they provide such information agrees to implement reasonable and appropriate safeguards to protect it. See § 164.314(a). Consequently, business associates and subcontractors should already have in place security practices that either comply with the Security Rule, or that require only modest improvements to come into compliance with the Security Rule requirements. Moreover, the requirements of the Security Rule were designed to be technology neutral and scalable to all different sizes of covered entities and business associates. Covered entities and business associates have the flexibility to choose security measures appropriate for their size, resources, and the nature of the security risks they face, enabling them to reasonably implement any given Security Rule standard. In deciding which security measures to use, a covered entity or business associate should take into account its size, capabilities, the costs of the specific security measures, and the operational impact. Thus, the costs of implementing the Security Rule for large, mid-sized, or small business associates will be proportional to their size and resources.

Notwithstanding the above, based on the comments, we acknowledge that some business associates, particularly the smaller or less sophisticated business associates that may have access to electronic protected health information for limited purposes, may not have engaged in the formal administrative safeguards such as having performed a risk analysis, established a risk management program, or designated a security official, and may not have written policies and procedures, conducted employee training, or documented compliance as the statute and these regulations would now require. For these business associates, we include an estimate for compliance costs below in the regulatory impact analysis. We also refer these business associates to our educational papers and other guidance on compliance with the HIPAA Security Rule found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule. These materials provide guidance on conducting risk analyses and implementing the other administrative safeguards required by the Security Rule, which may prove helpful to these business associates and facilitate their compliance efforts."

HealthCare Too Translation:

HHS did not have jurisdiction over business associates to hold them directly accountable for the HIPAA Security Rule, even with HITECH, until the appropriate changes were made via the Final Rule (published January 25, 2013). Those changes have been made, and starting September 23, 2013 business associates are directly accountable for implementing and following the entire Security Rule. This, however, should not be a problem, since business associates were supposed to implement Security Rule safeguards as part of the Business Associate Agreements they should have been using since 2004. For those few Business Associates who have not implemented the appropriate safeguards, there is guidance on the HHS website and it should not be that difficult.
The fourth element of the perfect storm for Business Associates and HIPAA is now in place: Business Associates are directly liable for compliance with the HIPAA Security Rule. The HIPAA Omnibus assumes that Business Associates are already in compliance, or will be in compliance with only modest changes, since they were already doing so historically through the requirements of the Business Associate Agreements.

Funding

One might think the preceding four elements would be enough to make the perfect storm for Business Associates and HIPAA. But wait, there is more. According to the Director of the Office for Civil Rights (the enforcement agency for HIPAA / HITECH):

"We've been slowly ramping up enforcement. It's worth noting that the HITECH act permitted the Office for Civil Rights to retain the recoveries and utilize them for 2 purposes: Fund more enforcement, which is what we've done with the proceeds until now, and to make restitution to the victims. We are now developing a formula for restitution." [6]

So HITECH allows OCR to use whatever it recovers in order to fund more enforcement. In a time of budget sequestration and cuts, OCR will increasingly be required to fund its own operations and will also need to help the victims of HIPAA breaches. Yet another element for a perfect storm for HIPAA and Business Associates: HITECH provides OCR with the mechanism for independence from sequestration and budget cuts in pursuit of its mission to protect patient data through enforcement of HIPAA.

[6] http://smartdatacollective.com/onlinetech/113486/hipaa-hitech-world-hipaa-violations-rise-according-director-ocr

Leon Rodriguez

Appointed Director on September 13, 2011, Leon Rodriguez became the Director of the HHS Office of Civil Rights (OCR) and, thereby, the chief enforcer of HIPAA / HITECH. Before taking over OCR, Mr. Rodriguez was with the Department of Justice in its Civil Rights Division. With a background as both a prosecutor and a healthcare litigator, Mr. Rodriguez is known for his phrase that "enforcement promotes compliance". HHS Secretary Kathleen Sebelius said of Mr. Rodriguez's appointment, "He will also spearhead the department's continued work to ensure great consumer confidence through strong and effective enforcement of the privacy and security of protected health information."
Not two months later, Director Rodriguez testified before the Senate Judiciary Committee's Subcommittee on Privacy, Technology and the Law that "I am the first Director of the Office of Civil Rights to come to the Office with experience, extensive experience, both in law enforcement and a healthcare provider lawyer and it's my commitment to ramp up the enforcement of the Office." [7] 2012 saw the introduction of an OCR pilot program, an uptick in financial settlements with Covered Entities, and the HIPAA Omnibus release in January 2013 after several years.

A sixth element in the perfect storm for Business Associates and HIPAA is the appointment of Leon Rodriguez, a seasoned prosecutor and healthcare attorney, as Director of the Office of Civil Rights, who has testified before the Senate of his commitment to ramp up enforcement.

[7] At 37:12 of the testimony: http://www.senate.gov/fplayers/jw57/commmp4player.cfm?fn=judiciary110911&st=420

Demand for Stolen Data

While much of HIPAA / HITECH has been focused for the past decade on compliance and enforcement among the "good guys" who run legitimate businesses, there has been a growing economic interest among the "bad guys" in that same protected health data:

"A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health care organization, the average payout is more than $20,000, according to Pam Dixon, executive director of the World Privacy Forum. Compare that to just $2,000 for the average payout for regular ID theft." [8]

Though many online businesses that started in the late 1990s or early 2000s (the same time as HIPAA and many health information technologies) have developed sophisticated security systems and invested heavily in proper data centers for performance and management, many Covered Entities and Business Associates still rely on an unprotected server in the storage room of their office, a $7.95/month shared hosting account, a free Internet storage service, a hodgepodge of different cloud services that they have to maintain, and itinerant IT help. In a December 25, 2012 article, The Washington Post pointed out how serious this vulnerability has become:

"As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews. Security researchers warn that intruders could exploit known gaps to steal patients' records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems. A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems. 'I have never seen an industry with more gaping security holes,' said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. 'If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.'" [9]

[8] Protected Health Information (PHI): High Value to Hackers: Medical Facilities at Risk, http://www.prweb.com/releases/2013/2/prweb10412883.htm
[9] O'Harrow, Robert, Jr. "Health-care Sector Vulnerable to Hackers, Researchers Say." The Washington Post, 25 Dec. 2012. Web. 1 Aug. 2013. <www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_print.html>.
This brings us to the seventh, and final, element in the perfect storm for HIPAA and Business Associates: an increasing economic reward to hackers and others for healthcare data against a backdrop of poorly understood practices and vulnerable systems.

What to Do?

The Final Rule went into effect March 26, 2013 and allowed 180 days for implementation. September 23, 2013 is the date by which Covered Entities and Business Associates (and any subcontractors who have access to Protected Health Information as part of their duties) must be in compliance. In the next few pages we will clarify Covered Entity and Business Associate and also highlight a long-neglected function, data storage, and the Business Associate arrangement.

Are you a Covered Entity?

Though HIPAA has been around since 1996, HealthCare Too has found there are many Covered Entities who do not know they are Covered Entities, or who believe their HIPAA obligations begin and end with a Notice of Privacy Practices. Under HIPAA, a Covered Entity is:

(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form [10] in connection with a transaction covered by this subchapter.

A health care provider is not limited to the traditional notion of a medical doctor. There is a definition of health care provider in the Final Rule (45 CFR 160.103 Definitions) that basically says anyone who furnishes, bills, or is paid for health care in the normal course of business is a health care provider. That may still be a bit vague. Luckily, HIPAA also requires healthcare providers to register for a National Provider Identifier (NPI) to assist with administrative and financial transactions. The Health Care Provider Taxonomy Code Set offers very specific classifications for health care providers, with over 800 codes to give more definitive guidance on who is a health care provider. This taxonomy includes such professions as:

Non-emergency Medical Transport - 343900000X
Home Delivered Meals - 332U00000X
Respite Care - 385H00000X
Nursing Facility/Intermediate Care Facility - 313M00000X
Speech-Language Pathologist - 235Z00000X
Massage Therapist - 225700000X

[10] Note: If someone conducts an electronic transaction on behalf of the provider, the provider is a Covered Entity. In this day and age, most providers will be Covered Entities.
Many Covered Entities who attend HealthCare Too presentations ask for a checklist to help them understand what needs to be done beyond a Notice of Privacy. The Maryland Department of Health and Mental Hygiene has published a nice checklist on its website to which we often refer people: http://mhcc.dhmh.maryland.gov/hit/hiepolicyboard/documents/hie_pb/resources/privacy_security_checklist.pdf

HealthCare Too associates have referred Covered Entities to this checklist because it addresses in some detail not only the various Security Rule safeguards (i.e., Administrative, Physical, and Technical), like many checklists, but also the Privacy Rule and updates from HITECH. With the changes in the Final Rule, this checklist may also be useful to Business Associates.

Are You a Business Associate?

Given that the perfect storm has arrived for Business Associates and HIPAA compliance, it is imperative for both Covered Entities and Business Associates to understand who is a Business Associate. Business Associates have not been directly covered by HIPAA until now, and subcontractors have been entirely off the radar until now. The Omnibus defines "subcontractor" and requires a Business Associate Agreement between the Business Associate and the subcontractor. Of course, this means the subcontractor is now also a Business Associate, and so on if there are more subcontractors in the Protected Health Information trust chain.

WEDI has produced a very useful decision tree to help identify a Business Associate. HealthCare Too has simplified it on the following page, but the original is located here: http://www.wedi.org/forms/uploadfiles/35fe7000000dc.filename.7.26_ba-Decision-Tree_V2.pdf
Storing Protected Health Information
Question 7 in the Business Associate decision tree seems to be the one that causes the most confusion among Covered Entities as well as potential Business Associates. Included in Question 7 is one very important activity that has long gone unaddressed as a Business Associate relationship: data storage and processing. The following statement comes directly from the HIPAA Omnibus Rule in the Federal Register (Vol. 78, No. 17, January 25, 2013):

"For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold. To help clarify this point, we have modified the definition of business associate to generally provide that a business associate includes a person who creates, receives, maintains, or transmits (emphasis added) protected health information on behalf of a covered entity."

Much in HIPAA is vague and subject to interpretation; this is not such an item. If an entity "maintains" Protected Health Information, that entity is a Business Associate and the HIPAA Security Rule applies to it explicitly, whether or not it ever looks at the data. Hosting companies, because they "maintain" Protected Health Information on their servers, are now explicitly Business Associates under the regulations. However, the vast majority of hosting companies specifically state that they are not HIPAA compliant.
If a Covered Entity or a Business Associate stores Protected Health Information (PHI) in the cloud or with a hosting company, there must be a Business Associate Agreement (BAA) with that cloud or hosting provider, which makes the provider (and any subcontractors working with PHI) a Business Associate subject to HIPAA. Some concrete examples:
For those who use a medical transcription service: where does that service store PHI? Is the data storage HIPAA compliant? Is there a BAA in place?
As the healthcare industry prepares for the ICD-9 to ICD-10 conversion: does the conversion service have a BAA in place? Is its data storage and processing HIPAA compliant?
If a Covered Entity uses a cloud EHR provider: is that provider HIPAA compliant? Is there a BAA in place?
Summary Elements of the Perfect Storm
1. Substantive incentives from the Federal Government for HIT that spurred not only adoption but Meaningful Use of HIT by providers and hospitals, which means greater and easier access to electronic Protected Health Information.
2. A fine structure that is no longer limited to nuisance amounts but is impactful and directly linked to real compliance with OCR demands.
3. A legal mandate for HHS to conduct audits ("shall provide for periodic audits", not "may provide for periodic audits"), and OCR has already compiled and executed a formalized audit program covering 115 Covered Entities.
4. Business Associates are directly liable for compliance with the HIPAA Security Rule. The HIPAA Omnibus Rule assumes that Business Associates are already in compliance, or will be with only modest changes, since they were historically expected to comply through the requirements of their Business Associate Agreements.
5. HITECH provides OCR with a mechanism for independence from sequestration and budget cuts in pursuit of its mission to protect patient data through enforcement of HIPAA, because the civil monetary penalties and settlements OCR collects are retained to fund further enforcement.
6. The appointment of Leon Rodriguez, a seasoned prosecutor and healthcare attorney, as Director of the Office for Civil Rights, who has testified before the Senate to his commitment to ramp up enforcement.
7. An increasing economic reward to hackers and others for healthcare data, against a backdrop of poorly understood practices and vulnerable systems.
For help in preparing for these coming changes in HIPAA, and to take full advantage of our HIPAA expertise as well as medical-grade Health Information Technology infrastructure, HealthCare Too is your partner! Call 866-596-4325 Email