GUIDANCE FOR BUSINESS ASSOCIATES

This Guidance for Business Associates document is intended to overview UPMC's expectations, as well as to provide additional resources and information, to UPMC's HIPAA business associates. In general, as a business associate, it is expected that appropriate steps are taken in order to protect UPMC data from the risk of unauthorized disclosure.

OVERVIEW

As a business associate to UPMC, UPMC expects you to comply with UPMC's business associate terms and conditions found at: http://www.upmc.com/services/supplychainmanagement/pages/hipaa.aspx (the "BAA Terms").

BREACH NOTIFICATION

You shall report to UPMC any breach of UPMC's patient information immediately upon becoming aware of such breach. The report shall include the name of each individual whose protected health information was or is reasonably believed by your organization to have been inappropriately accessed, acquired or disclosed, as well as who UPMC should contact from your organization. You shall also provide such assistance and further information as requested by UPMC. You shall immediately report any situation where you believe that your organization may have violated the BAA Terms. The report can be emailed to privacyaskus@upmc.edu.

SECURITY: APPLICABILITY OF HIPAA SECURITY STANDARDS

Generally, UPMC expects that you will properly secure all UPMC patient information. This includes such steps as:
- Encrypting hard disks, removable media, remote access and information sent via the Internet.
- Securing workstations and servers.
- Employing effective passwords.
- Maintaining effective antivirus software.
- Patching your systems.
- Performing backups of your systems and data.
- Ensuring that your data center is physically secure, and that you have an effective contingency plan.
- Limiting staff access to systems and information on a need-to-know basis.
- Destroying data when you no longer need to keep it.

The following provisions from the HIPAA Security Standards (45 CFR Section 164) apply directly to you in your capacity as a business associate:
- Administrative Safeguards (164.308)
- Physical Safeguards (164.310)
- Technical Safeguards (164.312)
- Policies & Procedures and Documentation Requirements (164.316)

More information on these requirements is included in Attachment A.

BUSINESS ASSOCIATE SUBCONTRACTORS AND AGENTS

Any agent or subcontractor that you utilize and to whom you provide UPMC's patient information must agree to the BAA Terms as well as any other terms and conditions you and UPMC agree to.

ACCOUNTING OF DISCLOSURES

Under the terms of the American Recovery & Reinvestment Act (ARRA), patients have a right to an accounting of who electronically accessed their information. This includes access by staff of business associates and their subcontractors and agents. Accordingly, you shall maintain logs of such access so that UPMC can comply with this provision.

IDENTITY THEFT

You may receive or have access to UPMC information that could be used to commit identity theft, such as names, SSNs, account numbers and birth dates. Accordingly, you shall implement appropriate precautions, as well as policies and procedures, to prevent, detect and mitigate identity theft.

INAPPROPRIATE ACCESS BY STAFF

You shall only allow your staff to access UPMC patient information as is necessary for them to do their job. You shall also implement appropriate procedures to detect if a staff member has inappropriately accessed UPMC patient information. You will further investigate each case where you believe that inappropriate access has occurred.

EDUCATION

You shall train your staff and ensure that they understand their obligations under the BAA Terms.

MITIGATION & DISCIPLINE

You shall implement processes and procedures to properly address any breach of the BAA Terms that may occur, including disciplining employees, subcontractors and agents.

ADDITIONAL INFORMATION

Additional information regarding HIPAA and the privacy rule (including the HIPAA regulations and FAQs) can be found at http://www.hhs.gov/ocr/privacy.
Guidance specific to business associates can be found at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.html.
ATTACHMENT A

1. ADMINISTRATIVE SAFEGUARDS
a. Security Management Process:
i. Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
ii. Risk Management: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
iii. Sanction Policy: Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity.
iv. Information System Activity Review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
b. Assigned Security Responsibility:
i. Identify the security official who is responsible for the development and implementation of the facility's information security policies and procedures.
c. Workforce Security:
i. Workforce Security: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
ii. Workforce Clearance Procedure: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
iii. Termination Procedure: Implement procedures for terminating access to electronic PHI when the employment of a workforce member ends.
d. Information Access Management: Implement policies and procedures for authorizing access to electronic PHI.
i. Isolating Health Care Clearinghouse Functions: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
ii. Access Authorization: Implement policies and procedures for granting access to electronic PHI, for example, through access to a workstation, transaction, program, process, or other mechanism.
iii. Access Establishment and Modification: Implement policies and procedures that, based upon the entity's access authorization policies, establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
e. Security Awareness and Training: Implement a security awareness and training program for all members of its workforce (including management).
i. Security Reminders - Periodic security updates.
ii. Protection from Malicious Software - Procedures for guarding against, detecting, and reporting malicious software.
iii. Log-in Monitoring - Procedures for monitoring log-in attempts and reporting discrepancies.
iv. Password Management - Procedures for creating, changing, and safeguarding passwords.
f. Security Incident Procedures
i. Response and Reporting - Identify and respond to suspected or known security incidents; mitigate, to the extent practical, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
g. Contingency Plan - Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic PHI.
i. Data Backup Plan - Establish and implement procedures to create and maintain retrievable exact copies of electronic PHI.
ii. Disaster Recovery Plan - Establish (and implement as needed) procedures to restore any loss of data.
iii. Emergency Mode Operation Plan - Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic PHI while operating in emergency mode.
iv. Testing and Revision Procedures - Implement procedures for periodic testing and revision of contingency plans.
v. Applications and Data Criticality Analysis - Assess the relative criticality of specific applications and data in support of other contingency plan components.
h. Evaluation - Perform a periodic self or external evaluation of the facility's compliance with the HIPAA Security Rule.
i. Business Associate Contracts and Other Arrangements

2. PHYSICAL SAFEGUARDS
a. Facility Access Controls - Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
i. Contingency Operations - Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
ii. Facility Security Plan - Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
iii. Access Control and Validation Procedures - Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
iv. Maintenance Records - Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).
b. Workstation Use - Implement procedures that specify appropriate usage, including the physical attributes of workstations which can access ePHI.
c. Workstation Security - Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.
d. Device and Media Controls - Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic PHI into and out of a facility, and the movement of these items within the facility.
i. Disposal - Implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored.
ii. Media Re-use - Implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.
iii. Accountability - Maintain a record of the movements of hardware and electronic media and any person responsible therefore.
iv. Data Backup and Storage - Create a retrievable, exact copy of electronic PHI, when needed, before movement of equipment.

3. TECHNICAL SAFEGUARDS
a. Access Control
i. Unique User Identification - Assign a unique name and/or number for identifying and tracking user identity.
ii. Emergency Access Procedure - Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
iii. Automatic Logoff - Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
iv. Encryption and Decryption - Implement a mechanism to encrypt and decrypt electronic PHI.
b. Audit Controls - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.
c. Integrity - Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
d. Person or Entity Authentication - Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
e. Transmission Security - Implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.
i. Integrity Controls - Implement security measures to ensure that electronically transmitted electronic PHI is not improperly modified without detection until disposed of.
ii. Encryption - Implement a mechanism to encrypt electronic PHI whenever deemed appropriate.