Do I Need A Business Associate Agreement (BAA)?

We discussed HIPAA Business Associates in our last post and listed some examples you might have in your Practice.

If you have Business Associates, then HIPAA requires you to have Business Associate Agreements (BAA) in place. A Business Associate Agreement is a contract between a covered entity (CE) and a business associate (BA) that details the permitted and required use of protected health information (PHI) by the business associate.

A business associate contract is a required element of the HIPAA Administrative Safeguards. A business associate contract must, among other things:

  • Establish permitted use and disclosure of PHI by the BA.
  • Provide that the BA will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  • Require the BA to implement appropriate HIPAA safeguards to protect PHI.
  • Require the BA to report any PHI breaches to the covered entity.
  • Require the BA to ensure that any subcontractors it engages that will access PHI agree to the same restrictions that apply to the business associate.

Having the right business associate contract in place can potentially protect your organization from breaches caused by a Business Associate.

A business associate agreement is a legal contract between two parties and should be treated as such. The contract should be reviewed by your lawyer to make sure you are protected as much as possible from any Business Associate mishaps.

The Department of Health and Human Services (HHS) website has a sample business associate contract you can modify to suit your practice's needs.

Who Is A HIPAA Business Associate (BA)?

Healthcare providers work with other companies to perform certain business functions. Some of the contracted companies will access your facility, your IT systems and even your patient data to perform their activities. If a contracted company has access to your patients' data, either directly or through your IT systems, then HIPAA considers it a Business Associate (BA).

HIPAA defines a Business Associate as:
A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

Some examples of Business Associates are:

  • Billing Companies that access your patient information to bill patients.
  • IT companies that access your IT systems to provide support.
  • Software/EHR companies that access your EHR for maintenance and updates.
  • Data Backup companies that store your patient data.
  • Electronic Fax company that receives, sends and stores patient data.

The common thread, and the most important point, is access to your patients' electronic Protected Health Information (ePHI). If they have access to it, they are a Business Associate. Some contracted companies, like a web design company, may not need access to your patients' ePHI, so they are not considered a Business Associate. A member of your workforce is not considered a business associate.

If you are not sure whether a contracted company is a Business Associate, then it's better to assume it is. Under the HIPAA Security and Privacy Rules, Business Associates are required to sign Business Associate Agreements/Contracts that protect you and your patients' ePHI.

As an IT Service provider we sign a Business Associate Agreement with all our healthcare clients for their protection and also ours. Signing a BA agreement with our clients lets them know we take HIPAA compliance seriously.

HIPAA Security Risk Analysis

A risk analysis is the first step towards HIPAA compliance. A Security Risk Analysis basically identifies what is wrong. HIPAA defines a Risk Analysis as:

An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

Risk analysis and risk assessment are sometimes used interchangeably but they are different as defined by HIPAA. A risk analysis is a required step towards HIPAA compliance while a risk assessment is conducted if there is a breach. You conduct a risk assessment after a breach to determine if patients’ protected health information (PHI) has been compromised. This will also determine if you need to implement the HIPAA breach notification.

You don't need any special tools or qualifications to perform a risk analysis, although there are tools available that make the process a lot easier and less time consuming. Any covered entity can choose to perform the risk analysis in-house if it has the time and expertise to do so.

Regardless of how you conduct your Risk Analysis there are certain elements it must include. Elements of a Risk Analysis are:

  • Scope of the Analysis.
  • Data Collection.
  • Identify and Document Potential Threats and Vulnerabilities.
  • Assess Current Security Measures.
  • Determine the Likelihood of Threat Occurrence.
  • Determine the Potential Impact of Threat Occurrence.
  • Determine the Level of Risk.
  • Finalize Documentation.
  • Periodic Review and Updates to the Risk Assessment.

No matter how you conduct your Risk Analysis, make sure all the elements above are covered and documented. Conducting a Risk Analysis does not mean you are HIPAA compliant; it's only the first step towards compliance.
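The elements above are easier to see as a small risk register. The following is an added example, not code from the original post or from HHS: each threat/vulnerability pair found in scope is rated for likelihood and impact, the risk level is derived from the two ratings, the register is ranked for documentation, and a yearly review date is recorded. The 1-to-3 rating scale, the Low/Medium/High buckets and the sample entries are assumptions constructed for the example; HHS guidance does not prescribe a specific scale.

```python
"""Risk register for a HIPAA security risk analysis (added example).

Scale (an assumption of this example, not an HHS requirement):
likelihood and impact are each rated 1 (low), 2 (medium) or 3 (high);
the risk score is their product, bucketed as Low (1-2), Medium (3-4)
or High (6-9).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

LOW, MEDIUM, HIGH = 1, 2, 3


@dataclass
class RiskItem:
    asset: str                  # ePHI system in scope (scope / data collection)
    threat: str                 # identified threat
    vulnerability: str          # identified vulnerability
    current_controls: list[str]  # current security measures
    likelihood: int             # likelihood of threat occurrence
    impact: int                 # potential impact of threat occurrence

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in (LOW, MEDIUM, HIGH):
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return risk_level(self.score)


def risk_level(score: int) -> str:
    """Bucket a likelihood x impact score into the level documented in the register."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def next_review(analysis_date: date) -> date:
    """Yearly review date, as the post recommends; handles a Feb 29 analysis date."""
    try:
        return analysis_date.replace(year=analysis_date.year + 1)
    except ValueError:
        return analysis_date.replace(year=analysis_date.year + 1, day=28)


def build_register(items: list[RiskItem], analysis_date: date) -> dict:
    """Rank the items by score and produce the summary that goes into the documentation."""
    ranked = sorted(items, key=lambda i: i.score, reverse=True)
    return {
        "ranked": ranked,
        "high": [i.asset for i in ranked if i.level == "High"],
        "next_review": next_review(analysis_date),
    }


# Constructed sample entries for a small practice (not real findings).
SAMPLE_ITEMS = [
    RiskItem("Clinic laptop", "Theft or loss", "No full-disk encryption",
             ["Cable lock"], HIGH, HIGH),
    RiskItem("EHR server", "Malware infection", "Operating system not patched",
             ["Antivirus installed"], MEDIUM, HIGH),
    RiskItem("Backup drive", "Hardware failure", "Restores never tested",
             [], MEDIUM, MEDIUM),
    RiskItem("Fax server", "Unauthorized access", "Shared administrator password",
             ["Server in locked room"], LOW, MEDIUM),
]

if __name__ == "__main__":
    summary = build_register(SAMPLE_ITEMS, date(2014, 3, 1))
    for item in summary["ranked"]:
        print(f"{item.level:6} {item.score}  {item.asset}: {item.threat} / {item.vulnerability}")
    print("Next review due:", summary["next_review"])
```

Each ranked entry carries the asset, threat, vulnerability and current controls, so printing or exporting the register covers the "finalize documentation" element; the items rated High are the ones to address first.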

Getting Started With HIPAA Compliance

As a healthcare practice you cannot ignore your compliance with the HIPAA Security Rule. The HIPAA Security and Privacy Rules were created to protect patients' protected health information (PHI). HIPAA violations can result in penalties of $100 to $50,000 per violation, and total fines can be as much as $1.5 million if the violation is due to willful neglect.

A data breach can be financially costly to your practice and may also impact your patients if PHI lands in the wrong hands. A data breach can be as simple as a lost laptop containing patient information.

Being HIPAA compliant is not an easy task, but it shouldn't be ignored either. I have listed four steps below to get you started with your HIPAA compliance.

Risk Analysis
A Risk Analysis is the first step towards HIPAA compliance. It is used to discover potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information. The risk analysis should be documented and any discovered vulnerabilities should be addressed. If you have already conducted a risk analysis, then review and update it yearly.

Implement Administrative, Physical and Technical Safeguards
There are certain safeguards that need to be implemented by covered entities to protect PHI. The safeguards are broken down into three types (Administrative, Physical and Technical). Some safeguards are required and some are addressable. All the required safeguards need to be implemented; if you choose not to implement an addressable safeguard, then you need to document why not.

Employee Training
Most HIPAA violations are caused by employee negligence. The HIPAA safeguards require you to train your employees, send occasional security reminders and monitor your employees to make sure they are not causing HIPAA violations.

Business Associate Agreement
If you employ any company/contractor that has access to PHI, then they are considered business associates. You need to have a Business Associate Agreement in place that requires them to comply with the HIPAA Security Rule. A business associate agreement can potentially protect your practice from HIPAA violations caused by the business associate.

The steps listed above should only be considered as a starting point towards your HIPAA compliance. HIPAA compliance is an ongoing process that needs to be constantly monitored and reviewed to fit your practice.

Computer Security and Protection

I spent the better part of last week removing viruses and spyware from a local business’s computers. Half of the computers in the office were infected with a virus. The only reason the others were not infected was because the users were either on vacation or the computers had not been used recently.

Unlike some businesses I have come across, the business owner had antivirus software installed on the computers but nobody was responsible for keeping the computers secure and protected. You can have the best antivirus software but if you are not monitoring the antivirus software, running regular scans and making sure the virus definitions are updated then new and unknown viruses are bound to infect your computers.

Regular antivirus scans should be done at least twice a week, or preferably every day if you can. This makes sure viruses are removed from your computers before they cause any damage. The most important thing is to make sure the virus definitions of your antivirus software are up to date. If your antivirus software's virus definitions are not up to date, then the software has no information about a new virus and is unable to protect your computers against it. Updated virus definitions give you the maximum protection against the computer viruses out there.

The total cost to remove the viruses and save most of his business data was more than two years' worth of our managed security service.

Antivirus and anti-malware software are just one step in protecting your computer network. Employee training is another important aspect. Your employees should be trained not to open emails and/or attachments from email addresses they do not recognize. This is the number one way viruses bypass antivirus software and enter your network.

Our managed security services not only protect your computers; we also regularly assess your computer network for security vulnerabilities and recommend and implement ways to keep your network secure and protected.

Contact us today for a free security assessment and to find out how we can protect your computer network.

Data Backup For Your Business

As a small business owner, your most important asset is your business data. It is literally the life blood of your business especially if you have been in business for a while. Hardware failures and natural disasters happen more often than you realize and you have to be able to recover from them as fast as possible.

Backing up your business data gives you the ability to recover from disaster and keeps you in business. I usually tell my clients to think of data backup like their home or rental insurance. You might never have to use it, but you will be happy you have it if the situation ever arises. There are different forms of data backup you can implement for your business.

Local Data Backup
This is the simplest and oldest form of data backup. It could be as simple as backing up to an external hard drive or USB stick, or implementing a full tape backup system. This is also the fastest form of data backup; you can back up as much data and as often as you want. You are only limited by the size of your backup device. Every business should at least implement something as simple as this. The major downside of a local backup is the safety of the local device in the event of theft, disaster or failure.

Online/Cloud Data Backup
With cloud backup, another company handles the transmission and storage of your data. Your data is backed up to the hard drives of the company providing the service. The data is transmitted to the company over the internet, and it is encrypted during transmission and at rest. Your data stays safe in the cloud no matter what happens at your place of business. The major disadvantage of cloud backup is the speed of data backup and recovery. This is usually not a problem when you are backing up your data, but restoring your data can take days depending on the size of your data and the speed of your internet connection.

Hybrid Data Backup
Hybrid data backup gives you the best features of the other two forms of backup and also stores your data in multiple places, so you are better protected. It gives you the speed of a local backup and the safety of a cloud backup. You get a storage device to which data is continuously backed up locally and later uploaded to the cloud. This is currently the form of backup we recommend to our clients. We can even bring up a copy of your server in the cloud within minutes, so you can be back in business in the event of a disaster.

Whatever form of backup you employ, it is only as good as the data recovery. The only way you can guarantee your data recovery is through testing. We schedule monthly data recovery tests for our clients. This guarantees we can readily restore the data if needed. The worst thing that can happen is to find out your backup has not been working when you need it.
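A recovery test can be scripted so it runs on a schedule rather than only when someone remembers. The following is an added example, not the company's own tooling: it creates a few constructed sample files in a temporary directory, backs them up into a zip archive (standing in for whatever local backup device you use), restores the archive to a separate directory and compares a SHA-256 hash of every file with the original, so a missing or corrupted file in the restore is reported rather than discovered during a real outage.

```python
"""Scripted backup restore test (added example, not from the original post).

The archive format, the sample files and the temporary paths are all
constructed for the example; the verification logic (hash every source
file, restore, hash again, diff the two manifests) is what matters.
"""
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 hash."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, archive: Path) -> Path:
    """Write every file under source into a zip archive, keeping relative paths."""
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                zf.write(p, p.relative_to(source))
    return archive


def restore(archive: Path, target: Path) -> Path:
    """Extract the archive into an empty directory that is separate from the source."""
    target.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(target)
    return target


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare the restored tree with the source tree and report what differs."""
    src, rst = manifest(source), manifest(restored)
    missing = sorted(set(src) - set(rst))
    corrupted = sorted(k for k in src.keys() & rst.keys() if src[k] != rst[k])
    return {
        "ok": not missing and not corrupted,
        "files_checked": len(src),
        "missing": missing,
        "corrupted": corrupted,
    }


def run_restore_test(corrupt: bool = False) -> dict:
    """End-to-end test on constructed data; corrupt=True simulates a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "data"
        (source / "schedules").mkdir(parents=True)
        # Constructed sample content; no real patient data.
        (source / "schedules" / "march.csv").write_text("id,visit\n1001,2014-03-01\n")
        (source / "notes.txt").write_text("constructed sample data\n")

        archive = backup(source, base / "backup.zip")
        restored = restore(archive, base / "restore")
        if corrupt:
            (restored / "notes.txt").write_text("damaged\n")
        return verify_restore(source, restored)


if __name__ == "__main__":
    result = run_restore_test()
    print("restore test", "PASSED" if result["ok"] else "FAILED", result)
```

Run it from a scheduler (cron or Task Scheduler) against a real backup set by pointing `backup`, `restore` and `verify_restore` at your own source directory, archive and scratch restore location, and alert on a result whose `ok` is false; a test that only checks the archive exists tells you nothing about whether it restores.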


Why Every Small Business Should Invest In Technology

As a small business, one of your main priorities is staying ahead of your competitors, or at least keeping up with them.

One of the best ways to do this is by investing in the right technology for your business. I am a firm believer that excellent customer service gives you the best competitive advantage in any business. Investing in the right technology is a close second.

Technology Gives You Better ROI.
72% of respondents to the Fifth Annual Brother Small Business Survey indicated new technology is a better return on investment than new employees. When you compare the cost (training, salary and benefits) of new employees against investing in software/technology specific to your small business, you realize how much money you save. Your industry-specific technology also makes your current employees more efficient and productive. This also cuts your costs, which get passed on to your customers.

Invest In The Right Technology.
You have to make sure you invest in the right technology for your business and market. You might be hesitant to invest in technology because you don't know what product to invest in or when to make the investment.
There are three main factors to consider when choosing the right technology for your small business.
1) Will it make my employees more Productive and Efficient?
2) Will it improve my customer service and customer experience?
3) Is it secure, will my business and customer data remain secure?

A simple example is an orthopedic surgeon who does not have an in-house X-ray machine. He or she sends patients to other clinics to get the X-ray done. The X-ray images are saved to disc and given to the patient.
Investing in an in-house X-ray machine satisfies the three factors above:
1) Employees no longer have to rely on patients to get the x-ray done and bring it along.
2) Patients’ don’t have to drive to another facility to get the x-ray done.
3) Patients’ information is safe from loss or theft.

It is also very important to have a technology partner that will help in deciding which technology to invest in and when. An ideal partner will help with the decision, integration and support of such technology.

Windows XP and HIPAA Compliance.

It is no longer news that Microsoft will be ending support for Windows XP on April 8th 2014. If this is news to you, you can read up on it on my previous blog or at Microsoft.

As noted in my blog post, you are potentially exposing yourself to security and compliance risks if you are still running Windows XP after April 8th. Healthcare providers need to be aware of the potential HIPAA/HITECH violations that could result from this.

HIPAA has not explicitly stated that Windows XP systems will not be compliant after April 8th. However, after April 8th Microsoft will no longer provide security patches and other updates to the Windows XP operating system. Any Windows XP systems on your network will be in violation of HIPAA Security Rule Section 164.308(a)(5)(ii)(B):

"Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software."

It is possible to still use a Windows XP system in your practice after April 8th and be HIPAA compliant, but I do not recommend this. The Windows XP systems should be stand-alone systems not connected to any network. You also have to make sure patients' PHI (Protected Health Information) is not stored on the system. This is only recommended if you have an old software program that will not run on newer operating systems.

HIPAA violations are not the only thing to worry about with the Windows XP end of support. You also need to think about hackers and viruses that will exploit vulnerabilities in the operating system once support ends. Windows XP has been around for more than 12 years; that's more than enough time to find many vulnerabilities in it, and any found after April 8th will never be patched.

To Do List:

  • Start by performing an IT audit of your organization to find out how many Windows XP systems you have.
  • Perform a software audit on these systems and find out if they are compatible with a newer operating system (Windows 7/8/8.1).
  • Decide on which operating system (Windows 7/8/8.1 or Linux) to upgrade to. Windows 7 has the look and feel of Windows XP and most software/programs are compatible with it.

Contact us to assist in migrating your systems.

Windows XP Support Is Coming to an End.

Support for the second most popular version of Windows is coming to an end. Windows XP will no longer be supported by Microsoft after April 8th 2014.

Windows XP is my favorite version of the Windows operating systems, so much so that I still have a couple of old and reliable computers running on it. I did everything I could to stay away from Windows Vista; I actually drove around the DFW metroplex back then searching for a Windows XP laptop. I completely skipped the Windows Vista upgrade and went directly to Windows 7 when it was released. I don't think I was the only one that felt this way, because Microsoft released Windows 7 less than 3 years after the Windows Vista release. Considering Windows Vista was released about 6 years after Windows XP, Windows 7 was released pretty early.

All of my clients still have at least one computer running Windows XP, and rightfully so. You can't beat the reliability, compatibility and familiarity it has gained over the last decade. It is estimated that about 40% of small businesses are still running at least one Windows XP computer. Unfortunately, Microsoft has decided to end support of Windows XP after 12 glorious years.

What Does Windows XP End of Support Mean?
So what does the end of support for Windows XP mean? Well, your Windows XP computer does not stop working on April 9th 2014, but you need to start thinking of migrating to a modern computer with a newer Windows version. The most important thing you need to be aware of is that Microsoft will no longer provide security patches and updates. This exposes you to security and compliance risk, especially with the recent virus attacks and new HIPAA/HITECH compliance requirements. Also, your line of business (LOB) software and hardware vendors will likely stop supporting versions of their software on Windows XP systems.

How Do I Migrate Off Windows XP?
As a small business owner, you should at least migrate your critical systems still on Windows XP to either Windows 7 or 8 before support ends on April 8th. If your current Windows XP systems meet the minimum requirements of Windows 7, you can purchase and install Windows 7 Professional on them. However, it might impact the performance of those systems due to the increased resource requirements of Windows 7. If your systems do not meet the Windows 7 requirements, you should consider upgrading to a completely new system.

We are available to assist you with the migration while limiting the downtime and impact to your business. Contact us today for a free Windows XP migration assessment and readiness check.

Why You Should Outsource Your IT Services

Are you on the fence about outsourcing your technology service to an IT service provider? Businesses small and large are taking this step because of the benefits listed below:

Cost Savings: You pay the IT service company a fraction of the cost of an in-house IT employee or department. The annual salary of a full-time IT employee is between $50,000 and $65,000; add in the cost of benefits and training, factor in that the IT employee may not be 100% utilized, and the cost of bringing in a contractor when he or she goes on vacation, and the cost of an in-house IT employee can easily add up to $100,000. You can outsource your IT department for less than 10% of the overall cost of hiring an IT employee. You eventually pass on this cost savings to your customers, which makes you more competitive in your market.

Focus on Core Business: Having someone else focus on your technology service and needs frees you up to focus on your core business and grow it. You started your business to provide a service to your customers, not to spend time worrying about and fixing your technology. The IT service company does what it does best so you can do what you do best.

Enterprise Scale IT: As a small business, you may not have the technological resources of larger companies. The technology of an IT service provider can rival or surpass that of larger organizations, because it supports a variety of companies and uses the latest and best technology for its clients. This brings your technology to the same level as larger companies while passing on only a fraction of the cost to you.

Experienced and knowledgeable Technology Adviser: Your IT service provider is already aware of the ins and outs of your IT infrastructure. They understand your needs and are aware of the right solutions that will benefit your business. They manage your other technology vendors and speak “geek” to them so you don’t have to. They are always a phone call away and can provide consulting services at a discounted rate when compared to other companies.

Contact us today when you want to outsource your IT service; we look forward to being your business partner.
