HIPAA/HITECH Act Requirements Under the Business Associate Agreement Between CNI and Military Health Services


2 Learning Objectives
- Understand the purpose of HIPAA
- Define Covered Entity / Business Associate / Business Associate Agreement
- Define PHI
- Understand obligations to protect PHI
- Understand PHI permitted uses and disclosures
- Understand breach response requirements
- Gain awareness of penalties for non-adherence

3 HIPAA: Health Insurance Portability and Accountability Act
Purpose: Establish guidelines for how Protected Health Information (PHI) should be safeguarded and appropriately shared.
- HIPAA Privacy Rule: protects PHI held or transmitted by a covered entity or its business associate, whether electronic, paper, or oral.
- HIPAA Security Rule: protects PHI that a covered entity or its business associate creates, receives, maintains, or transmits in electronic form.

4 What is PHI?
Protected Health Information is health information that can be used to identify an individual. PHI includes:
- Past, present, or future physical or mental condition of an individual
- Provision of health care to an individual
- Past, present, or future payment for the provision of health care to an individual
PHI identifiers include (but are not limited to): beneficiary / member name; dates of service; dates of incident; diagnosis codes; claim information; insurance information.

5 Definitions
- Covered Entities (CE) are healthcare organizations that handle and transmit PHI. Covered entities include the DoD Military Health System (for our purposes: DEMCOM).
- Business Associates (BA) create, receive, maintain, or transmit PHI on behalf of a covered entity, or provide services to or for the covered entity involving the use or disclosure of PHI. This includes all DENCOM contract employees.
- The Business Associate Agreement (BAA) defines the requirements applicable to business associates in accordance with the DoD Health Information Privacy Regulation.
- Designated Record Set (DRS) means a group of records maintained by or for a health plan or health care provider.
- Breach means the actual or possible loss of control, unauthorized disclosure of, or unauthorized access to PHI, where persons other than authorized users gain access or potential access to PHI for any purposes other than those authorized, and where one or more individuals will be negatively affected.

6 Business Associate Obligations for PHI
- The BA shall not use or disclose PHI other than as permitted or required by the BAA or the law.
- The BA shall use appropriate safeguards, and comply with DoD HIPAA Rules with respect to electronic PHI, to prevent unauthorized use or disclosure.
- The BA shall make PHI in a DRS available to the CE, or to an individual as directed by the CE, to satisfy the CE's obligations under the Code of Federal Regulations.
- The BA shall make any amendment(s) to PHI in a DRS as directed or agreed to by the CE, as necessary to satisfy the CE's obligations under the Code of Federal Regulations.
- The BA shall maintain, and make available, the information required to provide an accounting of disclosures to the CE or an individual, as necessary to satisfy the CE's obligations under the Code of Federal Regulations.
- The BA shall make its internal practices, books, and records available to the Secretary for the purpose of determining compliance with the HIPAA Rules.
- If a BA is to carry out obligation(s) of the CE under the Code of Federal Regulations, the BA must comply with the HIPAA Privacy Rule requirements as they pertain to the CE.

7 Business Associate Permitted Uses and Disclosures of PHI
- The BA may only use or disclose PHI as necessary to perform the services set forth in the contract, or as required by law.
- De-identification (the removal of identifying information) of PHI is not permitted, nor is it permitted to use or disclose de-identified PHI, except as provided by the agreement or directed by the CE.
- The BA agrees to use, disclose, and request PHI only in accordance with the HIPAA Privacy Rule "minimum necessary" standard.
- The BA may use PHI to provide Data Aggregation services relating to the CE's health care operations, except as otherwise limited in the BAA.

8 Breach Response
In the event of a breach, the BA will:
- Report the breach to the CE
- Assess the breach incident
- Notify affected individuals
- Take mitigation actions as applicable
Note: because the definition of a breach includes possible (suspected) as well as actual (confirmed) breaches, the BA will implement these response requirements immediately upon discovery of a possible breach.
Note: A breach is not the same as a security incident, which may or may not involve a breach of PHI/PII. In the event a breach does not involve PHI/PII, the BA shall follow the applicable DoD Information Assurance requirements under its agreement.

9 Breach Response Breakdown: Reporting
A breach shall be reported, within one hour of discovery, to the CE and to the US Computer Emergency Readiness Team (US-CERT). A breach is deemed "discovered" at the time it becomes known, or at the time it would have been known, by exercising reasonable diligence, to any person (other than the person committing the breach) who is an employee or other agent of the BA.
The BA shall submit the US-CERT report using the online form at . Before submission, a copy of the online report shall be saved. After submission, the US-CERT Reporting Number shall be recorded. Even if only limited information about the breach is known at the time the report is completed, it must be submitted by the one-hour deadline. Additional information shall be ed as it is obtained, following the instructions at .
A copy of the initial or updated report will be provided to the CE and the applicable service-level Privacy Officer, if requested by either. If the initial report is incomplete or incorrect due to unavailable information, or if significant developments require an update, the BA shall submit a revised form(s) stating the updated status and previous report date, and showing any revisions or additions in red.
Questions about US-CERT reporting should be directed to the CE or the Privacy Officer, not the US-CERT office. In the event that a BA is uncertain how to apply the above requirements, the BA shall consult with the CE.

10 Breach Response Breakdown: Assessment
An assessment of the breach must be made to determine who is affected by it. If multiple beneficiaries are affected by a single event or a related set of events, a single reportable breach may be deemed to have occurred. The BA shall inform the CE as soon as possible if it believes that a "single event" breach response is appropriate. The CE will determine how the BA shall proceed and, if appropriate, consolidate separately reported breaches for purposes of the US-CERT report update, beneficiary notification, and mitigation.
If the BA cannot readily identify, or will be unable to reach, some affected individuals within the 10-day notification period, this shall be indicated in the initial or updated Breach Report. Those who can be identified should be contacted within the 10-day period. Others must be notified within 10 days after their identities become known. The BA shall consult with the DHA Privacy Office to determine the type of media notice most likely to reach the population not otherwise identified or reached.

11 Breach Response Breakdown: Individual Notification Provisions
If the Privacy Office determines that individual notification is required, the BA shall provide written notification to the individuals affected by the breach as soon as possible, but no later than 10 working days after the breach is discovered and the individuals' identities are ascertained. The 10-day period begins once the BA is able to determine the identity of the individuals whose records were impacted.
The proposed individual notification(s) must be submitted to the same parties as the US-CERT report for their review, and for approval by the DHA Privacy Office. Upon request, a final draft of the notification letter shall be provided to the DHA Privacy Office. (PHI shall not be included in the text of the letters provided.) Further correspondence with the affected individuals need not be provided unless requested.

12 Breach Response Breakdown: Individual Notification Provisions (cont.)
The BA's notification to affected individuals will include the following:
- The specific data that was involved. (If names, social security numbers, and dates of birth are involved, it is critical to advise the individual that these data elements potentially have been involved.)
- The facts and circumstances surrounding the breach, with sufficient detail that the individual clearly understands how the breach occurred.
- The contact information for a designated POC, to include phone number, e-mail address, and postal address.
- The protective actions taken by the BA, or those that can be taken by the individual, to mitigate against future harm. It must refer the individual to the current Federal Trade Commission web site and identity theft hotline.
- Any mitigation support services that the BA may offer to affected individuals, the process to follow to obtain those services, the period of time the services will be made available, and the contact information for obtaining more information.
The envelope containing written notifications should be clearly labeled to alert the recipient to the importance of its contents, e.g. "Data Breach Information Enclosed", and with the identity of the BA organization.

13 Non-Compliance
Non-compliance by the BA (or its staff, agents, or subcontractors) with any requirement in this BAA may subject the BA to termination under any applicable default or termination provision of this agreement.
Effect of termination:
- If the agreement has records management requirements, the BA shall handle records in accordance with those requirements.
- If the agreement does not have records management requirements, the BA shall, upon termination of the agreement, return or destroy all PHI received from the CE or created/received by the BA on behalf of the CE. This applies to subcontractors or agents of the BA. No copies of the PHI shall be retained by the BA.
- If the agreement has provisions for transfer of records and PHI to a successor BA, or if such a transfer is directed by the DHA, the BA shall handle records in accordance with the agreement provisions or DHA direction.
- If the agreement does not have records transfer provisions and the BA determines that returning or destroying the PHI is impossible, the BA shall notify the CE of the conditions that make destruction or return of the PHI impossible. If the BA and CE agree that return/destruction is impossible, the BA shall limit further use of the PHI to those purposes that make return/destruction impossible.
