
Page 1: Managing Risk as a Business Associate · –Transcription –Claims processing •Receives a combination of protected health information ... •Based on general and specific risks


Managing Risk as a Business Associate

Session #104, February 21, 2017

Rodney Murray, Principal, DHG

Ryan Boggs, Manager, DHG


Rodney Murray, CISA, CRISC

Principal, IT Advisory

More than 30 years of experience in information technology and business applications, including providing internal audit and risk management services. Leads the firm’s IT advisory service offerings including HIPAA and GLBA privacy compliance, Sarbanes-Oxley, and cybersecurity.

Ryan Boggs, CISA, CRISC, HCISPP, CCSFP

Manager, IT Advisory

Serves as a Subject Matter Expert in the areas of Compliance Consulting, Internal Audit, and Service Organization Control (SOC) reports. Extensive experience working with federal regulations including SOX, GLBA, HIPAA, HITECH, FFIEC, and NIST.


Conflict of Interest

Rodney Murray, CISA, CRISC

Has no real or apparent conflicts of interest to report.

Ryan Boggs, CISA, CRISC

Has no real or apparent conflicts of interest to report.


Agenda

• Learning Objectives

• Definition and Classification of a Business Associate

• Risk Identification and Management Strategies

• Case Study


Learning Objectives

• Discuss contract and business associate agreement management

• Assess and mitigate risk associated with being a business associate

• Analyze compliance reporting requirements and methods

• Identify considerations for staying up-to-date on compliance requirements and changes


STEPS: Electronic Secure Data

(Diagram; labels in the order they appear on the slide:)

• Decrease in compliance issues with Business Associates

• Increase awareness of compliance requirements for BAs

• Establish reporting

• Confusion on requirements

• Risk of being a Business Associate

• Inefficiencies reporting to Covered Entities

• Awareness of compliance requirements

• Efficiencies in BA compliance and reporting


The Issue at Hand

• Compliance efforts have been focused on covered entities

• Increased reliance on third parties and secure electronic data

• Continued development of new service offerings and products for the healthcare industry

• Many business associates have not established functions to evaluate and monitor compliance requirements and the potential impact to the business


Who is a Business Associate?

• Performs service(s) on behalf of a covered entity

– Legal

– Accounting

– Billing

– Transcription

– Claims processing

• Receives a combination of protected health information

– Name

– Address

– Social security number

– Diagnosis codes


Business Associate Considerations

Exceptions to Business Associates

• Incidental access to protected health information

• Conduit of protected health information

• Participation with an organized health care arrangement

• Disclosure of protected health information for research

• Processing normal financial transactions


Business Associate Considerations

Potential Impacts to Business Associates

• Legal action (Breach Costs)

• Office of Civil Rights (OCR) audit

• Business Development – advantage or disadvantage compared to peers

• Reputation risk


Why should Business Associates Care?

• Required by Business Associate Agreements

• Regulatory / Industry Fines or Penalties

• Audit and Assessment Costs

• Remediation / Infrastructure Change Costs


Entering into a Business Associate Agreement (BAA)

• Confirm requirements to execute a BAA

• Identify contracts that require a business associate agreement

• Establish a process to manage new contracts and enter into new business associate agreements


Entering into a Business Associate Agreement (BAA)

• Perform regular evaluations of contracts and business associate agreements

• Identify downstream third parties

• Integrate third party management into the governance risk and compliance program


Risk Analysis or Risk Assessment?

• Required for both Covered Entities and Business Associates within the Security Rule.

• Based on general and specific risks; guides and categorizes remediation efforts

• Identifies vulnerabilities and potential risks to the confidentiality, integrity, and availability of a system’s ePHI and determines the likelihood of occurrence and impact to the organization.


Why Conduct a Risk Analysis

• Required by HIPAA administrative safeguard 164.308(a)(1)(ii)(A) to assess potential risk and vulnerabilities to the confidentiality, integrity, and availability of ePHI

• Assists organizations in prioritizing remediation efforts

• Establishes a compliance baseline

• Provides information to decision makers


Goals of a Risk Analysis

• Identify what needs to be protected

• Determine who/what are the threats and vulnerabilities

• Consider the implications if they were damaged or lost

• Determine the value to the organization

• Build an action plan to minimize exposure to the loss or damage


Risk Analysis Process

• What are our exposures?

– Threats

– Vulnerabilities

• What are our defenses to these exposures?

– Controls

– Technology

– People

• What are our action items?

– Prioritize

– Communicate

• How do we maintain and improve?

– Implement technology

– Train

– Assess


Prepare for the Risk Analysis

• Identify purpose

– Regulatory requirements

– Senior Management concerns

• Scope the assessment

– Locations

– Applications and systems

• Data Collection

– Policies and procedures, systems configurations, etc.


Performing a Risk Analysis

1. Scope and identify inventory

2. Assess threats and vulnerabilities

3. Policy and procedure assessment

4. Staff interviews

5. Physical security inspection

6. Network and system inspection

7. Assess risk and assign rating

(Diagram: Risk Analysis cycle with the steps Identify Scope, Assess Threats and Vulnerabilities, Policy and Procedure Assessment, Staff Interviews, Physical Security Inspection, Network and System Inspection, and Assess Risk and Assign Rating.)


Risk Analysis Results

• Provides guidance to assist executives and management in making better and more informed decisions

• Recognize the data you maintain, store, or transmit

• Ensure an organizational risk management process and eliminate silos


Risk Analysis Results

• Consider risk mitigation, transfer, or elimination

• Ongoing process that requires management collaboration

• Balance the costs and benefits of managing risk


Reporting to Covered Entities

• Report compliance efforts

• Respond to covered entity requests for information

• Communicate potential breaches to covered entities

• Market compliance efforts to potential customers


Establish baseline from inventory of Business Associate Agreements

• Identify compliance requirement outliers

• Consider negotiations with covered entities

• Do not overcommit and underperform


Utilize current compliance reporting methods as potential conduits

• Determine other compliance requirements outside of HIPAA

• Integrate all compliance requirements into one effort

• Challenge duplicate efforts and encourage leverage


Scope based on your size and complexity

• Ensure a holistic approach

• Consider time and cost to your organization

• Evaluate recurring impact and repetitiveness


Maintaining Compliance

• Identify a key stakeholder to manage and lead efforts

• Segregated functions, if possible

• Segregated budget item(s)

• Independent reporting and communication


Establish a recurring communication and review strategy

• Establish a compliance committee

• Ensure timely and meaningful reporting to senior management

• Review and update policies, procedures, and assessments


Communicate with covered entities

• Integrate compliance, security, and privacy into sales and marketing efforts

• Identify key stakeholders within the covered entities’ environment to build trust and communication

• Communicate subject matter expert’s name and contact information


Covered Entity's Right to Audit

• Addressed within the Business Associate Agreement or Contract

• Sample Business Associate Agreement Language:

– The Business Associate shall at any time requested by the Covered Entity, whether during or after completion of this agreement, and at Business Associate’s own expense make such records available for inspection and audit (including copies and extracts of records as required) by the Covered Entity.


Covered Entity's Right to Audit

• Sample Business Associate Agreement Language:

– Business Associate also agrees to make available to Covered Entity a summary report of the results of any third party’s testing or auditing or its own testing, monitoring, and auditing of such systems and procedures.


Business Associate to Covered Entity Reporting Options

• Third party assessments provide covered entities with a window into the inner workings of business associates, including operations and compliance

• Obtaining one or more of these reports reduces the effort to respond to questionnaires and requests for information

• Options to consider: SOC reports and HITRUST


Overview of Service Organization Controls (SOC) Reports

• SOC 1 Report: (also known as SSAE 16, formerly SAS 70) – Report on Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting

• SOC 2 Report: Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy

• Covers a period of time, typically 6 to 12 months


Overview of HITRUST Reports

• Based on ISO/IEC 27001:2005 and ISO/IEC 27002:2005, HITRUST’s CSF codifies multiple frameworks into a Governance, Risk and Compliance (GRC) tool

• HITRUST CSF is based on maturity levels that assess five levels of implementation

• HITRUST’s MyCSF tool allows organizations to scale assessments relative to their size, complexity and applicable regulatory and compliance standards


Other Reporting Options

• Responding to Covered Entity’s request for information

• Developing and distributing an information security overview

• Compiling a reporting package including policies, procedures, and an overview of information security controls

• Utilizing the Health and Human Services (HHS) HIPAA Risk Assessment Tool


Scope of Information Security Questionnaires

– Organization Security

– Asset Management and Classification

– Human Resources

– Physical and Environmental Security

– Software Development and Maintenance

– Regulatory Compliance

– Business Continuity

– Information Security Incident Management

– Communications and Operations Management

– Access Control


Case Study

Scenario:

New software company has developed a solution to decrease the days outstanding for hospitals’ accounts receivables.

The company will need to obtain covered entities’ patient information to analyze the accounts receivables and decrease days outstanding.

Organization is limited in staff and has outsourced the hosting of their IT equipment.


Case Study Considerations:

• Organization enters into Business Associate Agreements to market product offerings

• Organization needs to assess its own risk

• Organization needs to report on compliance


Take Away(s) for Monday Morning:

• Determine if your organization is a Business Associate

• Begin to inventory executed Business Associate Agreements

• Evaluate risk assessment(s) or initiate risk management discussion

• Report compliance to covered entities


STEPS: Electronic Secure Data

(Diagram; labels in the order they appear on the slide:)

• Decrease in compliance issues with Business Associates

• Increase awareness of compliance requirements for BAs

• Establish reporting

• Confusion on requirements

• Risk of being a Business Associate

• Inefficiencies reporting to Covered Entities

• Awareness of compliance requirements

• Efficiencies in BA compliance and reporting


Questions

Contact Information:

Rodney Murray

4350 Congress Street, Suite 900

Charlotte, NC 28209

704.367.7062

[email protected]

Ryan Boggs

11 Brendan Way, Suite 200

Greenville, SC 29615

864.213.4034

[email protected]