Share this article on:
HIPAA-covered entities may be prepared to execute their breach response procedures for a security breach that exposes patients’ Protected Health Information (PHI), but what about business associate data breaches? Have policies and procedures been developed to ensure a rapid breach response can be executed if a business associate suffers a data breach?
The Department of Health and Human Services’ Office for Civil Rights has recently warned HIPAA-covered entities that they must take steps to ensure they can deal with a business associate data breach should one occur.
OCR: HIPAA-Covered Entities Find Business Associate Data Breach Management Difficult
The recent OCR cyber-awareness bulletin confirmed the need for action to be taken by HIPAA-covered entities to prepare for data breaches experienced by their vendors. The bulletin indicates a large percentage of covered entities are concerned that business associate data breaches may not be reported to them.
OCR also suggests that when a business associate data breach does occur, covered entities are often unsure whether their vendors’ policies and procedures are adequate to ensure an effective data breach response is executed. This is not something that can be left to chance Action needs to be taken to ensure that all security incidents are dealt with in accordance with HIPAA Rules.
A number of business associate data breaches have been added to the OCR breach portal in recent months, some of which have impacted a large number of covered entities. A recent security incident at Bizmatics, which resulted in PrognoCIS EHR data being obtained by cybercriminals, affected a number of the company’s clients. How many is not clear, although two HIPAA-covered entities – Pain Treatment Centers of America and Complete Family Foot Clinic – have confirmed that they were affected. Most recently, Bay Area Children’s Association had to notify all of its patients that a security incident suffered by its EHR vendor potentially exposed the PHI of all of its patients.
A failure to prepare for a business associate data breach can seriously hamper the breach recovery process. That is likely to place patients at greater risk of harm or loss.
How Covered Entities Prepare for Vendor Data Breaches?
OCR used last year’s data breach at the Office of Personnel Management (OPM) as an example. Since the 21.5-million record data breach occurred, OPM has been developing new rules for reporting security incident for all contracts with third party vendors. OCR advises HIPAA-covered entities to take similar action, but to do so before a breach is suffered.
OCR recommends defining how PHI will be used by vendors and their subcontractors in business associate agreements. Covered entities can then stipulate that any use of ePHI outside of those detailed in the business associate agreement would therefore be reportable. OCR also recommends defining the types of incidents that are classed as security breaches to avoid confusion.
Under HIPAA, security incidents are defined as:
- Successful or attempted unauthorized accessing of ePHI
- Disclosure, interference, or destruction of PHI
- Interference with system operations in an information system containing PHI
OCR also recommends using the definitions of US-CERT to determine which types of security incidents are reportable. In addition to the above, these include:
- Failed and successful attempts to gain access to a system containing ePHI
- Denial of service to systems containing ePHI
- Unauthorized use of systems for storing or processing ePHI
- Changes made to systems without the knowledge or consent of the system owner, including alterations to firmware, hardware, and software
Covered entities should also define how data breaches must be reported, for example:
NOTICE OF DATA BREACH
NAME OF INSTITUTION
Date of Discovery
Date of Security Incident (If known)
What Information Was Involved?
What We Are Doing
Other Important Information
Not only must business associate agreements detail the types of reportable security incidents, but also the time frame for reporting those incidents. HIPAA requires covered entities to report data breaches to patients, the media, and OCR within 60 days of discovery of a data breach. Prompt issuing of breach notifications can reduce the damage caused. Breach notification should therefore not be delayed unnecessarily.
OCR also suggests that covered entities should ensure staff members are trained on data breach reporting, and assurances should be obtained from vendors that staff training has taken place. Security audits could also be conducted on business associates and their subcontractors to make sure that security and privacy practices have been implemented.
The failure to report data breaches, and the failure to do so in a timely manner, can result in substantial fines being issued by OCR. Those fines can be issued to business associates directly, although covered entities could also face financial penalties if policies and procedures covering business associate data breaches are inadequate.
With the HIPAA compliance audits due to take place later this year, now is the time to ensure that policies and procedures are implemented to ensure an efficient data breach response can be executed for all data breaches and that all business associate agreements are fully compliance with HIPAA regulations.