When the HIPAA Omnibus Rule became enforceable almost a year ago, in September 2013, much of the impact was expected to fall on healthcare organizations’ business associate agreements (BAAs). Though healthcare providers’ updates to their BAAs have been at the forefront of the BAA discussion, how do health information exchanges (HIEs) fit into the picture?
In Part 2 of HealthITSecurity.com’s Q&A with Michigan Health Information Network (MiHIN) Executive Director Tim Pletcher, Pletcher describes MiHIN’s BAA methodology. He also discusses how patient data flows through MiHIN.
Read Part 1 here: MiHIN Director reviews HIE security protocols, agreements
What is MiHIN in the context of HIPAA regulations?
We have PHI running through us and are typically a business associate (BA) and we sign a business associate agreement (BAA) with all of the qualified organizations. This sets expectations across the board for moving things around. We’re almost like a store-and-forward infrastructure in that we really don’t create one big virtual health record at the state level.
Michigan is a big enough state where we expect that there will be pockets of significantly sized repositories, but we’re not trying to create that centralized repository here. We’ve positioned ourselves to broker queries back and forth between those repositories and enable that type of push infrastructure as well as the alerting type infrastructure. We do have data stores here, but they’re transient so they could be here for up to a month for replay capabilities, not for analysis.
Can you describe the MiHIN BAA? Does it ever change based on the other participant?
We have a pretty standard template that we use across the board, but there are times where we have to vary that template language for legitimate business reasons. For example, a BAA with the state of Michigan is actually different than a BAA with a health plan, which is different than a BAA with a hospital or health system. They are different kinds of covered entities and a state government has sovereign immunity. But in general, the framework is the same and we try to update things consistently. When the HIPAA Omnibus Rule came into effect, for instance, we had to modify all of the BAAs and that was a big, time-consuming task.
Check out a sample MiHIN BAA here.
You mentioned how MiHIN focuses on the NIST 800 document for cybersecurity. How do you use it?
It takes constant vigilance to stay on top of all of this stuff and obviously requires a lot of organizational energy. But the NIST 800 is not a new phenomenon and has pretty much become the ground floor for pretty much everybody who’s handling security in a professional way. The challenge for a small, independent physician’s practice is keeping up with all of the Centers for Medicare and Medicaid Services (CMS) regulations, security requirements and all of the other regulations in medicine. I can see how that would be pretty overwhelming. But for an organization such as ours, where information sharing is our bread and butter, [balancing those regulations] is part and parcel of what you need to do.
And we offer security services too. Organizations can hire us to do vulnerability assessments or continuous threat monitoring. And we also do education and awareness in areas such as social engineering. We made a decision early on that, because we have to be so good with cybersecurity, it would make sense for us to offer it as a service to those organizations. We’re not competing with the big cybersecurity players in the industry, we’re just offering options to the “have-not” organizations.