How Your IT Provider’s Data Breach Puts Your Business Into the HIPAA/HITECH Spotlight
In the wake of the almost-daily onslaught of news revealing yet another ransomware, malware attack or data breach, healthcare organizations are understandably concerned about the security of their data relationships with their industry partners and business associate — especially with respect to activities that involve sensitive electronic patient health information (ePHI).
Many Healthcare Organizations Unsure if Business Associates re Compliant
The Office of Civil Rights (OCR) has seen fit to address the healthcare industry’s concerns by sending out an industry-wide alert with recommended steps that covered entities can take to mitigate damage from incidents and data breaches that occur within the context of their business associate relationship.
The alert that OCR sent to covered entities addresses the fact that after the 2015 hack of the U.S. Office of Personnel Management, many healthcare organizations became concerned that HIPAA is not doing enough to stop cyberattacks and breaches.
The alert goes on to indicate that a large number of HIPAA-covered entities don’t believe that they will be notified in the event of a cyberattack or data breach that involves their HIPAA business associates. Many organizations don’t feel that the safeguards in place are adequate enough to protect ePHI and other sensitive data or to ensure that proper security policies and procedures are being followed by business associates. Healthcare organizations are also concerned that their business associates may not have the resources or procedures in place to adequately respond to a data breach in the first place.
HIPAA-Covered Entities and Business Associates (BA) Should Have an Incident Response Plan in Place for BA and Subcontractors
To deal with all this uncertainty, OCR recommends that healthcare organizations and their business associates or subcontractors determine exactly how they will deal with a breach that occurs on the business associate’s watch — or on their turf.
The recommendations include a business associate or service-level agreement that defines exactly how and when protected health information should be dealt with or disclosed. This determination would implement reporting to the covered entity any time ePHI is used or disclosed and not provided for in the contract, including in the event of an incident or full-blown data breach that results in unsecured ePHI.
The business associate agreement’s incident response provisions should also determine the time frame in which a security incident, breach or other cyberattack must be reported to the covered entity or business associate. The type of information that is required to be reported in an incident or breach disclosure should also be defined in the agreement. The report should include the names and contact information of all pertinent parties, a description of the incident and events, the types of unsecured ePHI involved, and the response actions that the business associate is taking to investigate and prevent further incidents from occurring.
Covered entities and business associates should also conduct regular training sessions for employees on the importance of incident reporting. Every covered entity’s business associate agreement should include periodic security assessments and audits to evaluate whether the business associate’s or subcontractor’s security and privacy procedures are up to snuff.
A Competent Business Associate and Business Associate Agreement Is Not Just Important… It’s Required
If you’re still not convinced that you need to work with a business associate who is well-versed in HIPAA/HITECH compliance regulations, take a look at a few of the settlements, fines and sanctions that OCR has assessed. These penalties resulted from a lack of business associate agreement and non-compliance in the handling of sensitive patient health information:
A $750,000 settlement involving an orthopedic clinic that released ePHI to its business partner without first executing a business associate agreement;
A $1.55 million settlement for a healthcare organization that neglected to execute business associate agreement with a major contractor partner;
A $3.5 million settlement with an insurance company for failing to protect ePHI, including the disclosure of ePHI in excess of the minimum necessary to complete a task and impermissible disclosure of ePHI to a vendor without a business associate agreement.
Clearly, working with a business associate who doesn’t understand the requirements of HIPAA and HITECH compliance can be a costly mistake. Having a properly executed business associate agreement is only half the battle — you need to be confident that the business associate you depend on is as concerned about HIPAA compliance and security as you are.
QualityIP is your local HIPAA/HITECH compliance and managed IT services expert. We specialize in managed IT services for healthcare organizations of all sizes. Contact us at (330) 931-4141 or send us an email at [email protected] for more information.