Understanding Your Cloud Service Provider’s BAA

Uploaded by: HOSTING

Posted on 13-Apr-2017

TRANSCRIPT

Page 1: Understanding Your Cloud Service Provider’s BAA

Understanding Your CSP’s BAA

Housekeeping

• This webinar is being recorded and an on-demand version will be available at the same URL at the conclusion of the webinar

• Please submit questions via the button on the upper left of the viewer

• If we don’t get to your question during the webinar, we will follow up with you via email

• Download related resources via the “Attachments” button above the viewing panel

• On Twitter? Join the conversation: @HOSTINGdotcom

HOSTING Overview

[Slide infographic; the figure-to-label pairings were lost in extraction. Figures and labels as they appear on the slide: 6; 400; 380 Employees; Independent Audits In 2014; US-based Datacenters]

• SOC 2 Type II and SOC 3 Certified

• HIPAA Compliant

• 180 Healthcare Customers

• 1st CHIME Launch Partner

• CHIME Technologies Cooperative Member Services Program

HOSTING and CHIME

For more info, visit http://www.hosting.com/chime/ in the “Attachments” section.

Introduction

Learning Objectives

• Discuss three actions to take before signing a BAA

• Identify key terms that every BAA should have

• Describe terms and loopholes to avoid in a BAA

HIPAA Basics: Omnibus Rule

• Requires the protection and confidential handling of protected health information (PHI)

• Omnibus Rule (amendment) to HIPAA:

  • January 2013 passage

  • Subsequent compliance rollout

• Impact of Omnibus Rule with regard to third-party providers:

  • Requires compliance from an entity that “creates, receives, maintains, or transmits PHI on behalf of customers that are health care providers, health plans, or health care clearinghouses”

HIPAA Basics: CEs and BAs

• “Covered Entities”

  • Health care providers, health plans, and health care clearinghouses

  • Examples: physicians, hospitals, health insurance companies, healthcare billing services, value-added healthcare networks

• “Business Associates”

  • Entities that create, receive, maintain, or transmit PHI on behalf of Covered Entities

  • Examples: records storage companies, data analysis companies, hosting providers

HIPAA Basics: CEs and BAs (continued)

• “Business Associates” Exceptions:

  • “Janitor Clause” – organizations whose functions or services do not involve the use or disclosure of protected health information, and where any access to PHI would be incidental, if at all

  • “Conduit Clause” – organizations that merely act as a conduit for protected health information

HIPAA Basics: PHI

• “PHI”

  • Information that (1) is created or received by a health care provider, health plan, or health care clearinghouse; (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (3) identifies or could be used to identify the individual

  • Examples: name, address, dates (birthdate, admission date, release date, etc.), phone numbers, fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers and license plate numbers, URLs, IP address numbers, biometric identifiers, and photographs

HIPAA Basics: Compliance

1. HIPAA Security Rule

2. HIPAA Privacy Rule

3. HIPAA Data Breach Notification Rule

4. Business Associate Agreements (BAAs)

What is a BAA?

• Contract that creates obligations between parties:

  • Business Associates and Covered Entities

  • Business Associates and Subcontractors

• Purpose: ensure the parties have obligations to treat PHI in compliance with HIPAA

• Required by HIPAA under certain circumstances

Two Kinds of BAAs

1. Between Covered Entities and Business Associates

2. Between Business Associates and Subcontractors

Three Things to Do before Signing a BAA

1. Assess your Risk

2. Assess your BAA

3. Assess your Business Associate

Three Things to Do before Signing a BAA: Assess Your Risk

1. Internal compliance

2. HIPAA compliance

3. Legal risk

4. Data breach expense

Three Things to Do before Signing a BAA: Assess Your BAA

1. Use a compliant BAA

2. Use the right kind of BAA

3. Ensure flow-down

Three Things to Do before Signing a BAA: Assess Your Business Associate

1. Certification

2. Guarantees

3. Check the breach list (https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)

4. Insurance

Key BAA Terms

• Preamble

• Section 1: Definitions

  • Taken from HIPAA

• Section 2: What Business Associate will and will not do

  • Ex: use and disclosure restrictions, safeguards, notice

• Section 3: What Covered Entity will and will not do

  • Ex: compliance with law, notice of changes

• Section 4: Term and Termination

  • At end, return or destroy PHI; if PHI is kept, maintain protections

• Section 5: Miscellaneous

BAA Loopholes

• Additional subcontracting

• BAAs with extraneous provisions

HHS Form of BAA

See: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Business Associate Contracts

SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013)

Introduction

A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information…

Further Considerations


Q&A

Steve Yoost | General Counsel, HOSTING

For more information about services by HOSTING, please contact our team at 888.894.4678.