In a memo released last month, the U.S. Office for Civil Rights (OCR) raised this question: Is Your Business Associate Prepared for a Security Incident?
Well, how would you answer?
The issue is critical, as OCR audits are in progress under the federal Health Insurance Portability and Accountability Act (HIPAA). The audits extend to business associates, and according to OCR, business associates will need to demonstrate security risk analysis, risk management, and breach reporting procedures.
In its memo, OCR refers to a widespread perception that it is difficult for healthcare providers to know whether their business associates are adequately protecting patient information.
First, let’s make sure you know who your business associates are. In sum, a business associate is any outside person or company with whom you share protected health or personally identifiable information about the people you serve.
They — through you — are obligated to meet all federal privacy and security laws to protect that information. This includes billing companies, technology vendors, temporary staffing companies and anyone else with potential assess to patient information. With all of your business associates, you need an agreement that legally binds you (the HIPAA covered entity) and the business associate with very clear terms for managing and protecting health information emanating from you.
In its new memo, OCR also says you should plan in advance for how you will confront a breach by a business associate, including subcontractors. OCR’s memo recommends the following:
1. Business associate agreements should define how and for what purposes patient information may be used or disclosed. Be clear about what constitutes unauthorized disclosures and incidents that need to be reported back to the HIPAA-covered healthcare provider.
HIPAA defines “security incidents” as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information, or interference with system operations in an information system. This could include:
- Attempts (either failed or successful) to gain unauthorized access to electronic Patient Health Information (ePHI), or a system that contains ePHI;
- Unwanted disruption to systems that contain ePHI;
- Changes to system hardware or software characteristics without the owner’s knowledge or consent.
2. Business associate agreements should specify the time frame for business associates or subcontractors to report a breach, security incident, or cyber-attack. Keep in mind: Reporting should be prompt, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR and, in some cases, the media.
The federal government’s website says that HIPAA-covered providers should file a breach notification by filling out and electronically submitting a breach report form to the U.S. Department of Health and Human Services.
If a breach affects 500 or more individuals, covered entities must file a report promptly, and in no case later than 60 days following a breach. If a breach affects fewer than 500 individuals, the covered entity must submit notification no later than 60 days after the end of the calendar year in which breach is discovered. The government’s website also describes circumstances that require reporting to the media.
3. Business associate agreements should identify the type of information a business associate or subcontractor will need to provide in a breach or security incident report. Such reports should include the business associate’s name and point of contact information, and descriptions of:
- What happened, including the date of the incident and the date of the discovery of the incident, if known.
- The types of protected health information potentially compromised due to the incident.
- How the business associate is investigating the incident, and what measures are being taken to protect against further incidents.
4. Finally, covered entities and business associates should train workforce members on incident reporting. OCR says covered entities may want to conduct security to make sure their business agreements are being enforced.
Questions? Contact Diane Evans, Publisher of MyHIPAA Guide, at 330-990-1470, or by email at [email protected]. This article is for informational purposes and does not constitute legal advice for individual circumstances.