
BAs play a vital role in healthcare organizations, as they often provide services to covered entities that require them to access PHI. But they often don’t fully understand their own HIPAA compliance obligations. OCR recently released a resolution agreement against a BA that proves BAs will be held accountable for their obligations under HIPAA.
In this episode:
BA HHS Enforcement Does Happen – Ep 415
Today’s episode is brought to you by Kardon and HIPAA for MSPs with Security First IT.
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
HIPAA Briefs
[09:15] The HIPAA Privacy, Security and Breach Notification Rules apply to BAs. Most BAs understand that the Security Rule applies to them, but they don’t think that portions of the Privacy Rule do as well, and they don’t think they have to have plans in place for the Breach Notification Rule requirements either. That is wrong. If you don’t understand the portions of the Privacy Rule, like uses and disclosures and minimum necessary requirements, that identify what PHI is and what you’re allowed to do with it, then the Security Rule doesn’t know what to protect. BAs also need to understand and have a plan for breach notification under HIPAA. It’s not only the CE’s responsibility to have a plan for that.
HIPAA Say What!?!
[11:40] iHealth Solutions, LLC Resolution Agreement and Corrective Action Plan | HHS.gov
Notes on this one:
- It is a BA, not a CE. iHealth Solutions, LLC, dba Advantum Health, is a Kentucky-based BA that provides coding, billing, and onsite IT services to healthcare providers. Often these BAs have ultimately been owned by a CE somewhere along the line. This one does not appear to be one of those. From their website:
Advantum was founded in 2013 by veteran revenue cycle management and healthcare technology experts. The company has grown both organically and through the strategic acquisitions of Paradigm Health, DNA Healthcare, All Documents and emPower Docs.
With our increased set of services and dedication to making a meaningful impact in healthcare, we rebranded to Advantum Health in 2017. This new identity more clearly defines our vision and mission for the role we play in healthcare now and into the future.
Today, we offer a one-stop shop for all revenue cycle services to physicians, hospitals and health systems supported by our 650 employees around the globe.
I’m not sure what “onsite IT services” they provide. Maybe they are just talking about some of the EHR optimization services listed on the site. There is not a listing for onsite services such as you would find with an MSP.
- Reminder that BAs should understand both rules. The announcement says specifically the settlement relates to “potential violations” of both the Privacy and Security Rule.
- These investigations and settlements happen even when fewer than 500 patients are involved. A breach notification involving 267 patients was the start of this case. It would have been a shock to get the notice of investigation on this one. You expect it when you make the “wall,” but not so much when you don’t.
What probably caught their attention is the fact that the breach happened when a network server was exposed to the internet without security in place to protect it.
What happened?
[21:48] iHealth Solutions filed a breach report that triggered an investigation by OCR beginning in August 2017. The PHI of 267 patients was exfiltrated from a single unsecured server. Based on the timeline mentioned on their website and these dates, it could have been something involved with the M&A they were doing around that time. Given that it was one server and a low number of patients, I will wager it has something to do with an app that was never secured because “we only use it internally.” There are some statements in the resolution agreement that make me think that, as well. It specifically mentions making sure they evaluate physical and operational changes to their environment.
The resolution agreement says the potential violations found were the usual suspects: a potential Privacy Rule violation for allowing unauthorized access to PHI, and a potential Security Rule violation for not doing a proper SRA. Shocking – yes, as always.
So they pay up the $75,000 plus a 2-year CAP. Here is the thing I was most excited about in the CAP. The “Minimum Content” of the policies and procedures section includes not just the Security Rule we know will be there, but also the Privacy Rule and Breach Notification Rule. Mic drop on all of those who have argued with us that BAs don’t need anything other than the Security Rule. It lists uses and disclosures, minimum necessary, and notification by a BA, including all required and addressable specs in §164.410, aka the Breach Notification Rule.
SRA language exactly the same as we have seen recently for CEs:
The Risk Analysis shall incorporate all iHealth’s facilities and must include an evaluation of the risks to the security of ePHI in electronic equipment, information systems, devices and media, and applications controlled, administered or owned by iHealth, that contain, store, transmit, or receive ePHI. The Risk Analysis shall also include an assessment of the risks to ePHI security in the physical environment. Prior to conducting the Risk Analysis, iHealth shall develop a complete inventory of all of their facilities, categories of electronic equipment, information systems, devices and media, and applications that contain or store ePHI, which will then be incorporated into their Risk Analysis.
The Security Rule minimum provisions include what you expect with Administrative, Physical, and Technical safeguards, but it also adds one more requirement: policies and procedures and documentation requirements. Again with the mic drop!
THT Targeting Healthcare
[36:41] The Administration for Strategic Preparedness and Response (ASPR), which is the HHS organization that leads the nation’s medical and public health preparedness for, response to, and recovery from disasters and other public health emergencies, released a notification in June about another hacker team specifically targeting healthcare.
ASPR Notice – Timișoara HackerTeam
TimisoaraHackerTeam Ransomware Attacks US Cancer Center
“Little is known about the obscure group of hackers, but when its ransomware is deployed, their rarely used and very effective technique of encrypting data in a target environment has paralyzed the health and public health (HPH) sector,” HHS stated in a notification letter produced by the Division of Critical Infrastructure Protection within the Office of the Administration for Strategic Preparedness and Response (ASPR) and the Office of Information Security’s Health Sector Cybersecurity Coordination Center (HC3).
It should be no surprise that cyber threats continue to target the healthcare industry. This episode should serve as a wake-up call for BAs to prioritize strong security measures, remain vigilant against breaches and ransomware attacks, and continually educate themselves on their HIPAA compliance obligations. After all, they play a crucial role in safeguarding PHI, both the PHI they themselves maintain and that of their clients.
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance, it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.