Health Care SLA’s are critical. Do you have certified BAS partners
Source: Thinkstock
The rise of cloud service providers as business associates
As more healthcare providers start to utilize cloud services, the issue of cloud service providers (CSP) as business associates is becoming more complex. Both covered entities and business associates need to understand how they can take advantage of cloud options while still maintaining HIPAA compliance.
HHS released more detailed guidance on cloud computing, CSPs, and business associates in 2016 to help clarify potential confusion.
“When a covered entity engages the services of a CSP to create, receive, maintain, or transmit ePHI (such as to process and/or store ePHI), on its behalf, the CSP is a business associate under HIPAA,” the guidance states. “Further, when a business associate subcontracts with a CSP to create, receive, maintain, or transmit ePHI on its behalf, the CSP subcontractor itself is a business associate.”
HHS also suggested a service level agreement (SLA) to address more specific business expectations between the CSP and its customer. The provisions could potentially cover the following areas:
- System availability and reliability;
- Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
- Manner in which data will be returned to the customer after service use termination;
- Security responsibility; and
- Use, retention and disclosure limitations.
However, HHS noted that a CSP is considered a HIPAA business associate even if it only stores encrypted ePHI and does not have a decryption key. HIPAA regulations still define an entity as a business associate even if that organization cannot actually view the ePHI it is maintaining for a covered entity or other business associate.
Encrypting ePHI reduces the risk of potential exposure, but it cannot on its own “safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule.”
“Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations,” HHS maintains.
Providers will need to seek out secure and compliant cloud service providers on their own. OCR will also not assist healthcare organizations that are trying to find cloud services that are reportedly HIPAA compliant.
“OCR does not endorse, certify, or recommend specific technology or products,” the guidance says.
While HHS and OCR offer guidance on how covered entities and business associates can utilize cloud computing, those healthcare organizations should still perform their due diligence when seeking out secure options. From there, crafting an applicable business associate contract, BAA, or SLA will be necessary to guarantee that all parties understand what is expected in terms of PHI security.
Dig Deeper:
- Are Third Parties Compromising Healthcare Data Security?
- Utilizing Cloud Computing for Stronger Healthcare Data Security
What happens when BAs violate HIPAA regulations?
Business associates can be held liable for PHI exposure. Whether the partners involved lack a business associate agreement or a business associate simply falls victim to a ransomware attack, these organizations must also ensure they stay HIPAA compliant.
In April 2017, the Center for Children’s Digestive Health (CCDH) agreed to a $31,000 OCR HIPAA settlement after it was found that CCDH did not have a BAA with FileFax, Inc., a patient information storage provider.
An August 2015 compliance review was instigated after FileFax had been investigated.
“While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015,” according to OCR.
Furthermore, OCR found that the PHI of at least 10,728 individuals was disclosed to FileFax “when CCDH transferred the PHI to Filefax without obtaining Filefax’s satisfactory assurance.”
Minnesota-based North Memorial Health Care also learned the hard way why it is essential to properly identify business associates.
The hospital failed to identify Accretive Health, Inc. as a business associate, and agreed to a $1.55 million OCR HIPAA settlement in 2016.
North Memorial filed a breach report in September 2011 when an unencrypted, password-protected laptop was stolen from an Accretive member’s locked vehicle. The report stated that the ePHI of 9,497 individuals was possibly impacted.
OCR also found that North Memorial did not “complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure.”
Not having a BAA also led to an OCR HIPAA settlement for Care New England Health System (CNE).
OCR determined that Woman & Infants Hospital of Rhode Island (WIH) was a CNE covered entity, and had lost unencrypted backup tapes that held the ultrasound studies of approximately 14,000 individuals.
This led to a $400,000 settlement, along with the requirement that CNE adhere to an OCR corrective action plan.
CNE was also allowed “to create, receive, maintain, or transmit PHI on its behalf, without obtaining satisfactory assurances as required under HIPAA.”
“From September 23, 2014, until August 28, 2015, WIH impermissibly disclosed the PHI of at least 14,004 individuals to its business associate when WIH provided CNE with access to PHI without obtaining satisfactory assurances, in the form of a written business associate agreement, that CNE would appropriately safeguard the PHI,” OCR explained.
Both covered entities and business associates will benefit from having a current and comprehensive BAA in place. This way all parties understand how they are expected to store, transfer, and handle PHI and other sensitive information.
Additionally, BAAs will help ensure HIPAA compliance and prove to OCR that necessary steps were taken to keep data secure should an investigation ever need to take place.
Dig Deeper:
- Why Lacking Risk Assessments May Lead to OCR HIPAA Settlements
- Are Business Associates Unprepared in Health Data Protection?
Identifying BAAs and reviewing the business associate relationship
Healthcare providers should not hesitate in reaching out to a third-party knowledgeable on business associate agreements to ensure that a thorough business associate agreement has been established.
For example, a lawyer who practices in the healthcare IT privacy and security space should understand the intricacies of HIPAA and understand what needs to be in place in a proper business associate agreement.
HHS also suggests the following resources for healthcare providers that want to know more about the HIPAA Privacy and Security Rules in general, beyond just business associate agreements:
- ONC’s Guide to Privacy and Security of Electronic Health Information
- State Attorneys General offices
- Medscape members’ Patient Privacy: A Guide for Providers
A thorough knowledge of HIPAA regulations will help providers understand the business associate relationship. Utilizing available tools and resources can also help organizations create applicable business associate agreements that will work toward PHI security.
Time to eliminate scams spoofs etc read on
One of our national vendors offer a FREE Phishing Security Test (PST) which will help organizations uncover the percentage of employees who are phish-prone; apt to opening or clicking on potentially malicious emails or links/attachments. They can enter up to 100 employees for this free test. This test can be set up from the KnowBe4 website, under Free Tools. Results in a few days.
Another valuable tool is their FREE Email Exposure Check Pro . This test will uncover the number (%) of employees which have visited or reside on potentially malicious websites, if their identities are found, which ones are on sites which were breached, when the breach was and more. This will also inform them if the login credentials are also exposed. This is valuable because these sites are where the bad guys troll to find their information to perform CEO Fraud or launch malicious attacks. This check can be run from the KnowBe4 website, under Free Tools. Results in minutes. #acginfo/biz 877 208 0021
winning number for the NRBP Crystal Plaza event
22 is the winner of a $25.00 gift certificate to Nico’s in the Pac Center. Last night was fun, great food and good company. See you next year, be well
the winner of the $25.00 Nico’s gift card is
Brian K. Taylor I enjoyed meeting you all at today’s GNEC event. I hope to see you next year, be well
https://www.cbsnews.com/video/best-friends-always/
If you need a smile copy and paste this from CBS Sunday Morning today https://www.cbsnews.com/video/best-friends-always/
News regarding one of our many vendors: Cisco Names WestUC Service Provider of the Year, Americas
One of our vendors, WestUC, was recognized by Cisco. We are happy to represent them as we do our many other vendors that help us find the right solutions for you. Call us at; 877 208 0021 mailto:prs@auaus.net
Cisco Names WestUC Service Provider of the Year, Americas
West Receives Geographical Region Award as Americas Service Provider of the Year at Cisco Partner Summit 2017
CHICAGO, Americas – November 2, 2017 – West’s Unified Communications Services today announced that it is the recipient of a Cisco® Partner Summit Geographical Region award for Service Provider of the Year, Americas. Cisco unveiled the winners during its annual partner conference taking place this week in Dallas, Texas.
Awarded to channel partners who rise to business challenges, the Cisco Partner Summit Global awards are designed to recognize superior business practices and reward best-in-class methodologies. Areas of consideration include innovative processes, architecture-led successes, strategic business outcome-focused programs, seizing new opportunities, and sales approaches.
“Cisco is proud to work together with leading partners to drive the digital transformation, creating powerful solutions and fresh approaches to meet the needs of our customers,” said Rick Snyder, senior vice president, Americas Partner Organization at Cisco. “It is an honor to recognize West with a Cisco Partner Summit Geo-Region award as Partner of the Year, further underscoring its outstanding accomplishments in the Americas.
“We are honored to be acknowledged by Cisco as Service Provider of the Year for the Americas region,” said Randy McGraw, senior vice president of technology and operational services for West’s Unified Communications Services. “We value our relationship with Cisco and we feel that receiving this recognition is further testament to our ability to provide seamless UCaaS to the enterprise.”
Cisco Partner Summit Geographical Regional awards reflect the top-performing partners within specific technology markets across the geographical region. All award recipients are selected by a group of Cisco Global Partner Organization and regional executives.
Cisco and the Cisco logo are registered trademarks or trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
One of our WI-FI partners made the news not too long ago. Let us help you improve or install wit the same technology they used at Yankee Stadium
New Wi-Fi for Reading Terminal in time for DNC; longer hours in store
Reading Terminal Market has installed a new Wi-Fi system in time for the Democratic National Convention.
By Kenneth Hilario Reporter, Philadelphia Business Journal
The Reading Terminal Market has finally replaced its 10-year-old Wi-Fi system – just in time for the Democratic National Convention, when the market will open an hour earlier as part of a test run of a potential new schedule.
Consumers expect reliable Wi-Fi at establishments like bars, restaurants and destinations like Reading Terminal, which for months had been sifting through proposals from Wi-Fi providers in order to have a new system installed by the time the DNC begins on July 25.
“The difference is this works,” General Manager Anuj Gupta said. “It works, it’s available, and it’s available throughout the market.”
The Wi-Fi service is from Comcast Corp., and the hardware is from manufacturer Ruckus, whose customers include St. Joseph University, Time Warner Arena in Charlotte, North Carolina, the World Cup Stadiums in Brazil and Kimpton Hotels & Restaurants.
West Chester, Pennsylvania-based WiFi Integrators for Innovation Inc. designed, installed, tested and configured the network.
“It’s an important convenience to provide to customers,” Gupta said. “As any great public space, there’s almost an expectation that Wi-Fi is provided.”
About 88 percent of consumers said Wi-Fi should be available everywhere, all of the time, according to a survey by Devicescape, a wireless networking software developer. More than 58 percent of respondents said Wi-Fi should be more readily available in public locations like hotels and the like.
Reading Terminal will continue testing the Wi-Fi service over the next month and garner feedback for any dead spots, Gupta said.
Longer hours
The market — which will host DNC parties almost every night after hours during the week of the convention (including one by the Democratic Governors Association) — will be opening its doors at 7 a.m. during the convention, an hour earlier than it typically opens.
The earlier schedule will only be implemented during the DNC, but there will be plans to extend that after the convention. Plans will be finalized this summer with a slated launch in the fall, either late September or early October.
The goal is twofold: Serve early-bird customers and nearby residents, and to compete with the growing landscape.
info on the common cold
Common implies that there’s a single ordinary pathogen to blame for your runny nose, coughing, and mild fatigue. Actually, there’s a huge array of viruses—more than 200 of them—that induce colds, each with its own means of evading your body’s defenses. For this reason alone, it’s unlikely that a catchall “cure for the common cold” will ever be found. These are crazy cold symptoms you probably never knew about.
When you get sick, your body doesn’t want to do anything other than tackle the virus. If you do ignore the symptoms and go about your normal routine, the cold can have an even more negative impact on your health—and your brain. In a study of nearly 200 people published in Brain, Behavior, and Immunity, researchers found that those with colds reported poor alertness, a negative mood, and psychomotor slowing—their thought processes were muddied, and their reaction times were slower than those of healthy folks. (This is how long a cold lasts.)
Information on one of our vendors.. we only deal with the best
We are a publicly traded $150 million co with approx. 300 employees. (and this is not counting our acquisition of Birch Communications which is closing very soon and they are larger in size that us)We own our network and we own our platform, we are not reselling other co’s platforms.Our Hosted platform is 12+ years old and best news for them is we happen to be local in Fairfield NJ on Rt 46 which is where we roll our own truck with our own people for the installs.We are 24x7x365 and we have 2 NOC’s (one in NJ, not that that really matters) that are also 7x24x365 and our NOC’s are in the US and Fusion manned.
Although most of our base is what I consider small to medium size clients we have amazing large co’s that are our clients who have done their due dillegence before signing up with us. They can see a lot of very impressive names on our Website.
I recently sold the NYS Bridge Authority 200 Hosted phones as well as some circuits.
We do everything for Metro North, we’ve provided all the circuits to the US Census in the past.
They are very welcome to come to our office and we can offer them a demo and I can show them around and I guarantee they will be impressed.
Make sure they spend some time looking at our Website.