HIPAA-covered entities have been advised by the Department of Health and Human Services’ Office for Civil Rights to prepare for business associate data breaches. A recent cyber-awareness bulletin provides useful information on how covered entities can do this.
Research has shown that a large percentage of HIPAA-covered entities do not trust their vendors to alert them to security incidents when they occur. Many also believe it to be virtually impossible to determine whether the policies and procedures put in place by their vendors to respond to breaches are sufficient.
It is much more difficult to ensure that vendors’ breach response plans are adequate than it is to put robust data breach response plan in place for any breaches that your organization suffers; however, steps can be taken to ensure that your organization is notified of business associate data breaches when they occur.
OCR advises covered entities to prepare for business associate data breaches to ensure that a breach response plan can be executed efficiently, and the best place to start is with business associate agreements. All covered entities must ensure a signed HIPAA-compliant business associate agreement (BAA) has been obtained from all vendors prior to providing that organization with electronic protected health information (ePHI).
A BAA is a contract with a vendor that details the responsibilities of the business associate with respect to any ePHI that is provided to it. According to OCR, a HIPAA-compliant business associate agreement must:
Steps to Take to Prepare for Business Associate Data Breaches
Business associate data breaches are likely to occur at some point, so it is essential for covered entities to be prepared. That means they must ensure that all vendors know what to do in the event of a data breach or security incident, and when those incidents must be reported to the covered entity.
OCR recommends that covered entities clearly define the acceptable uses of ePHI in each BAA. These will differ for each business associate. If the allowable uses of ePHI are clearly defined, identifying inappropriate use of ePHI will be easier.
Business associate agreements should also detail the security incidents that must be reported to the covered entity. These are attempted or successful attempts by unauthorized parties to access ePHI, impermissible disclosures of ePHI, impermissible access or use of ePHI, or the modification or destruction of ePHI. OCR also recommends using the US-CERT description of cybersecurity incidents in BAAs to ensure that all inappropriate activities are reported.
In addition to clearly stating what constitutes a reportable security incident, covered entities must stipulate the time frame for reporting. A template for reporting data breaches should also be provided to ensure that all of the required information is supplied.
OCR also recommends that employees of the covered entity and business associates receive training on security and privacy practices to ensure that if a security incident does occur, everyone knows their responsibilities. As well as putting policies and procedures in place for when business associate data breaches occur, those policies and procedures should be tested using security audits and assessments.
It is not always possible to prevent business associate data breaches, but if covered entities prepare for business associate data breaches they can ensure, as far as is possible, that an efficient breach response can be executed in a timely manner.