Procurement Business Associates Agreement (BAA) Process Review

MEMORANDUM

TO: Michael R. Shriner, Vice President, Business Operations & Facilities
Carolee A. King, JD, Senior Vice President & General Counsel
Tobin R. Boenig, JD, Vice President, Chief Compliance Officer

FROM: Kimberly K. Hagara, CPA, CIA, CISA, Vice President, Audit Services

DATE: November 30, 2016

SUBJECT: Review of Procurement Business Associate Agreement (BAA) Process, Engagement Number 2017-008

Attached is the final audit report regarding the Review of Procurement BAA Process. This audit will be presented at the next Institutional Audit Committee meeting.

Additionally, please find attached the Audit Services audit recommendation follow-up policy. Each of the recommendations is classified by type at the end of its identifying number: System Priority (SP), Risk Mitigation (R), or Process Improvement (P). As you will note in the policy, the classification of the recommendation determines the frequency of our follow-up. All follow-up results are reported quarterly to the Institutional Audit Committee.

Thank you for your cooperation and assistance during the course of this review. If you have any questions or comments regarding the audit or the follow-up process, please feel free to contact me at (409) 747-3277.

Attachments

c: Shelly D. Witter, Frank A. Reighard, Eric R. Williams, Nathan Andersen

UTMB Health

The University of Texas Medical Branch Audit Services

Audit Report

Procurement Business Associates Agreement (BAA) Process Review

Engagement Number 2017-008

November 2016

The University of Texas Medical Branch Audit Services

301 University Boulevard, Suite 4.100 Galveston, Texas 77555-0150

Procurement Business Associates Agreement (BAA) Process Review Engagement Number: 2017-008

Background

The U.S. Department of Health and Human Services defines a "business associate" as a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A business associate can also be a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. Under the Health Insurance Portability and Accountability Act (HIPAA) Rules, a business associate is directly liable and subject to civil and, in some cases, criminal penalties for making unauthorized uses and disclosures of protected health information or for failing to safeguard electronic protected health information in accordance with the HIPAA Rules.

As a healthcare provider in possession of protected health information (PHI), the University of Texas Medical Branch (UTMB Health) is considered a "covered entity". The HIPAA Rules require that covered entities enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information used under the contract terms. Primary responsibility for the BAA process resides with the Purchasing division of the Supply Chain Management department. Purchasing works closely with the Department of Legal Affairs and the Office of Institutional Compliance to help ensure compliance with applicable rules and regulations.

Audit Objectives

The primary objective of this audit is to assess compliance with applicable laws and regulations and institutional policies and procedures related to managing the BAA process.

Scope of Work and Methodology

The scope of work was current operations, and our audit methodology included interviews with key personnel, policy and procedure reviews, and limited testing.

The audit was conducted in accordance with the International Standards for the Professional Practice of Internal Auditing as promulgated by the Institute of Internal Auditors.

Audit Results

Supplier Contacts

Beginning in 2016, Phase 2 audits conducted by the Office for Civil Rights (OCR) include a request for a secondary point of contact for each BAA, if that information is available. Currently, Purchasing's Vendor Application form requests one contact, and the Omnicom contract management software does not allow for the addition of multiple supplier contacts. Purchasing personnel indicated there are plans to replace Omnicom during fiscal year (FY) 2017 with the SciQuest system, which will have the functionality to include two contacts.

BAA Tracking/Monitoring

Purchasing's Operating Procedure 3.20, Contract Administration Process, states "If a BAA is required, Legal Services will be contacted to obtain signatures." The Department of Legal Affairs confirmed that all BAAs are signed and then filed within the department. Audit Services compared the total number of BAAs (134) documented in Purchasing's Omnicom system to the total number of BAAs attributed to Purchasing (130) recorded in the Department of Legal Affairs database. Audit Services noted that no reconciliation is performed between the two databases. Additionally, we found no way, other than using the supplier's name, to tie the information between Purchasing's and the Department of Legal Affairs' databases.

Recommendation 2017-008-01-PM: The Associate Vice President, Supply Chain Management, in conjunction with the Vice President of Legal Affairs, should establish a common data element to allow for concurrent tracking of BAAs within the two contract databases.

Management's Response: Purchasing and Legal Services will work together to establish and document a common data element within our respective systems that will facilitate concurrent tracking of BAAs.

Implementation Date: Implement by 9/1/17

Recommendation 2017-008-02-RM: The Associate Vice President, Supply Chain Management, in conjunction with the Vice President of Legal Affairs, should ensure a reconciliation process is developed and implemented for the BAA databases.

Management's Response: Purchasing and Legal Services will ensure the Legal Services and Purchasing databases are reconciled once per year.

Implementation Date: Implement by 9/1/17

BAA Decision Tree

Purchasing uses a BAA Decision Tree form to aid in determining when a BAA with a vendor is necessary. Audit Services noted, however, that the Department of Legal Affairs does not use this form or a similar documented process in its decision making related to contract BAAs. For consistency, Audit Services encourages the Department of Legal Affairs to either adopt the BAA Decision Tree form or otherwise establish a documentation methodology that sufficiently reflects the department's decision-making process related to BAAs.

To ascertain whether there may be active contracts that should have a BAA but do not, Audit Services extracted a random sample of 20 contracts from the population of contracts without BAAs. Eight of the selected contracts originated in Purchasing; for these we were provided the Purchasing Contract Signature Routing form, the BAA Decision Tree, and the agreement, with no exceptions noted. The remaining twelve tested contracts originated in the Department of Legal Affairs; 11 were Professional Services contracts not requiring a BAA, and one contract from 2008 contained the BAA language within the contract itself.


Additionally, Audit Services noted one contract in Omnicom was incorrectly marked as containing a BAA. The Purchasing Manager indicated that before a contract is uploaded in Omnicom, the documentation is reviewed by several individuals, and this appears to have been an oversight. The Manager indicated that the development and implementation of a database audit process is among Purchasing's process improvement projects for FY 2017.

Training

The Director of Purchasing indicated training is conducted annually and new Purchasing employees are trained on the BAA process as part of the Contract Approval Routing form training; however, no documented training records have been maintained since 2013. Additionally, although Purchasing provides BAA training to its direct customers, it does not conduct formal BAA training for other UTMB employees.

Audit Services interviews with individuals involved in the BAA process indicated an apparent lack of consensus regarding who should be responsible for BAA training and/or the type of training that should be provided. For example, it was articulated that training should be part of the Purchasing process, since Purchasing plays a key role in the contracting process. On the other hand, should the institution want the campus to have a broad-based understanding of BAAs, since not all BAAs originate within Purchasing, training would then likely be the responsibility of the Office of Institutional Compliance as part of general annual training. During a review of other UT health institutions' websites, we noted that their Legal Services offices provide such training.

Recommendation 2017-008-03-PM: The Associate Vice President, Supply Chain Management, the Vice President of Legal Affairs, and the Chief Compliance Officer should establish consensus regarding who is responsible for BAA training, and ensure that area develops, documents, and implements a formal training program.

Management's Response: These groups will meet to discuss how a formal training program should be established and who will lead these efforts. Training should encompass not only the Purchasing department, but also the subject matter experts around UTMB. The BAA decision tree will serve as the root of the training, as well as specific situations that have been addressed by federal agency [OCR] about certain relationships not requiring a BAA.

Implementation Date: Implement by 3/1/17

PHI Destruction or Return

In 2013, a rule published in the Federal Register directed that Business Associates return or destroy all PHI provided by the Covered Entity upon contract termination. If the Business Associate determines that the return or destruction of PHI is not feasible, the Business Associate shall inform the Covered Entity in writing of the reason, and shall agree to extend the protections of the BAA to such PHI and limit further uses and disclosures of the PHI to those purposes that make the return or destruction of the PHI not feasible, for so long as the Business Associate retains the PHI.

Purchasing personnel indicated training on the new contract closeout process was completed at the end of October for rollout on November 1, 2016. The new process includes the requirement to ensure the destruction or return of PHI covered by BAAs and the completion of a BAA Disposition Certification form. Audit Services noted the Certification form was not included in the contract file closeout checklist.

Recommendation 2017-008-04-PH: The Associate Vice President, Supply Chain Management, should establish a monitoring process that ensures the BAA Disposition Certification form is completed for all expiring BAAs and included in the contract file.

Management's Response: An audit of contracts will take place on an annual basis to make sure all expiring BAAs include the disposition certification form.

Implementation Date: Implement by 9/1/17

Limited Notice to Proceed

Purchasing's Operating Procedure 3.20, Contract Administration Process, states that if a BAA is required and has not been executed, work may proceed using the "BAA Limited Notice to Proceed". Audit Services noted there is no reporting field in Omnicom to identify BAAs with a "Limited Notice to Proceed", which hinders the ability to ensure that a full BAA is subsequently executed. The Director of Purchasing concurred, noting it would take a manual review of contract files to determine which BAAs used the Limited Notice to Proceed.

Recommendation 2017-008-05-PH: The Associate Vice President, Supply Chain Management, should establish a process that identifies contracts with a Limited Notice to Proceed BAA to ensure a full BAA is subsequently executed.

Management's Response: There are plans to replace Omnicom during fiscal year (FY) 2017 with the SciQuest system, which will have the functionality to establish a reporting field on the Limited Notice to Proceed BAA. This will be set up and reports run to ensure that a full BAA is executed.

Implementation Date: Implement by 9/1/17


Conclusion

Based on the procedures performed, Audit Services notes the processes for obtaining and managing Business Associate Agreements continue to mature.

We greatly appreciate the assistance provided by Business Operations and Facilities, the Department of Legal Affairs, and the Office of Institutional Compliance staff and hope that the information presented in our report is beneficial.

Kimberly K. Hagara, CPA, CIA, CISA, CRMA Vice President, Audit Services

November 2016

Barbara L. Winburn, RHIA, CIA, CRMA Senior Audit Services Manager
