Healthcare organizations, or covered entities under HIPAA, are legally responsible for the protected health information (PHI) they hold. Because of the HITECH Act, that responsibility now carries downstream to their business associates — claims processing, administration, data analysis, billing, benefits management — and could potentially extend to subcontractors.
The Department of Health and Human Services Office for Civil Rights (OCR) recently has deepened its enforcement to include business associates (BA). And the recent Minnesota Attorney General’s action against Accretive Health is evidence that states are also stepping up their scrutiny of business associates using their authority under the HITECH Act.
That’s not without cause. Business associates are the second top source of data breaches, according to a recent benchmark study on patient privacy and data security by the Ponemon Institute. In fact, Leon Rodriguez, director of the OCR, notes that 63 percent of the people affected by OCR-reported data breaches were the result of security lapses at a business associate.
The OCR’s extended scrutiny is putting pressure on covered entities to more proactively and frequently measure business associates’ HITECH compliance. To keep them in check, covered entities would do well to ask some important questions of, or about, their business associates:
- How critical is the business associate to my organization? Is it operationally critical or tied to my brand? Is there a viable alternative? Using a metric of sorts to weigh the importance versus the risks of a business associate can be helpful. For instance, an electronic health records systems provider may be a higher risk because of the amount of sensitive data it processes, yet replacing the system may not be feasible.
- Do I have an updated agreement in place with each business associate, one that evolves to meet changing privacy and security needs? Some reasons to update may include changes in types of services provided; change in policies and procedures based on annual review or simulations; or data breaches or environmental changes.
- What security standards does the BA comply with? Does the business associate conduct employee training, annual risk assessment and/or risk analysis according to HIPAA privacy, security and breach notification rules? Can it provide you a copy of their most recent assessment, risk mitigation plan, and progress report? Does it have a privacy and compliance official?
- Does the business associate have an incident detection and management process? How does the business associate detect incidents, and what will trigger it to notify the covered entity? How soon must that BA notify you in the event of an incident? Is it enough time to conduct an incident assessment and meet the breach response obligations according to federal and state(s) laws?
- What are the contractual obligations or indemnity provisions if there is an incident? Covered entities are responsible for the breaches caused by their business associates, including notification costs. Given the increased enforcement and expensive notification and remediation procedures, however, business associates should assume some financial liability. More importantly, is the business associate able to bear the indemnity costs, either through their own resources, cyber insurance, or other form of security? If the answer is no, it might pay to look for another vendor or factor this risk into your own risk management investment model.
- What about termination clauses? Do you have a clear set of guidelines under which you will terminate a business associate agreement? Can you monitor for these guidelines, and can the BA provide you necessary information for making this decision?
- Has the business associate had privacy or security incidents with other covered entities? Request to talk to other covered entities services to find out about the BA’s practices regarding the incident and how it was handled. This can be a predictor of future events and any impact on your organization.
- What are the legal and contractual requirements for offshore business associates and sub-contractors? These third-party providers are not subject to HIPAA privacy and security regulations. Covered entities or business associates contracting with foreign third parties should include any requirements for safeguarding PHI within the agreements, and not depend on foreign law.
Covered entities bear an enormous burden for safeguarding the PHI in their care. The further that sensitive data goes downstream, the more difficult it can be to protect it. But with increasing enforcement on the federal and state levels, covered entities have the right and obligation to insist on evidence of compliance from their business associates, and as much as possible, their sub-contractors.
Rick Kam, CIPP, is president and co-founder of ID Experts. Rick is also chairing the “PHI Project,” a seminal research effort to measure financial risk and implications of data breach in healthcare, led by the American National Standards Institute (ANSI), via its Identity Theft Prevention and Identity Management Standards Panel (IDSP), in partnership with the Shared Assessments Program and the Internet Security Alliance (ISA).
Mahmood Sher-Jan is vice president of product management at ID Experts.