OCR Warns Hospitals to Prepare for Business Associate Data Breaches

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently issued a warning to HIPAA covered entities saying they should be prepared for business associate data breaches.

Recent surveys have suggested that HIPAA covered entities do not believe that some of their business associates would inform them of a data breach that exposed their patients’ protected health information (PHI).

Many covered entities also find it difficult to determine whether their business associates have put adequate safeguards in place to keep PHI secured. Should a breach occur, many are unsure whether their business associates’ security policies would be adequate, or whether those policies would allow the covered entity to mount an effective response.

The OCR suggested that covered entities should work closely with their business associates and should address the issue of data breaches. Under HIPAA Rules, healthcare organizations must obtain business associate agreements (BAAs) from all business associates that are provided with patients’ protected health information (PHI) or access to those data.

BAAs should define how PHI may be used, the safeguards that must be put in place to keep PHI secured, and the allowable disclosures of PHI. BAAs must also define what constitutes a breach and set out the actions the business associate must take following a breach of PHI (and following other security incidents).

Covered entities must stipulate the time frame for reporting these breaches and security incidents, to whom breach reports must be issued, and the information that must be provided. The Breach Notification Rule sets an outer limit: a business associate must notify the covered entity without unreasonable delay and no later than 60 calendar days after discovering a breach, and a BAA may (and often should) require a shorter window. It should also be explained that under HIPAA Rules covered entities and their business associates may be liable for delayed breach notifications.

The OCR and state attorneys general can issue stiff financial penalties for violations of the HIPAA Breach Notification Rule, including delayed breach notifications, failure to issue a breach notice to the media (required when a breach affects more than 500 residents of a state or jurisdiction), and failure to inform the OCR/state attorneys general of breaches of protected health information. It should also be noted that covered entities can be penalized for failing to ensure that their BAAs are compliant with HIPAA Rules.

The OCR also advised covered entities and their business associates to train employees on incident reporting, and suggested that periodic assessments and internal audits be conducted to evaluate privacy and security practices.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news