OCR cautions hospitals to prepare for breaches at business associates
With many healthcare organizations questioning their data security arrangements with business partners, the Office of Civil Rights (OCR) of the Department of Health and Human Services, sent out an alert suggesting steps to mitigate damage from breaches resulting from those associations.
The alert OCR sent last week said that following the 2015 hack of U.S. Office of Personnel Management (OPM), many healthcare organizations believe the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have not stopped breaches and have not allayed their fears.
“Not only do a large percentage of HIPAA covered entities believe they will not be notified of security breaches or cyberattacks by their HIPAA business associates, they also think it is difficult to manage security incidents involving business associates, and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach,” the alert said.
As a result, HIPAA-covered organizations and their HIPAA business associates should consider how they will confront a breach at their business associates or subcontractors.
The alert recommended they should define in their service-level or business associate agreements how and for what purposes protected health information (PHI) should be used or disclosed. This action would facilitate reporting to the covered entity of any use of disclosure of PHI not provided for by its contract, including breaches of unsecured PHI, as well as any security incidents.
These organizations should also determine in the service-level or business associate agreements the time frame they expect business associates or subcontractors to report a breach, security incident, or cyberattack to the covered entity or business associate.
“Incident-reporting should be done in a timely manner, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR, and the media, as applicable,” OCR said. Quick incident reporting can allow an affected organization to take actions to minimize damages, further loss of electronic patient health information, preserve evidence for forensic analysis, and regain access to and secure information systems.
These organizations should also identify in the service-level or business associate agreements the type of information that would be required by the business associate or subcontractor to provide in a breach or security incident report.
The report should include business associates’ names and contact information, description of what happened, description of the types of unsecured protected health information involved in an incident, and description of what the business associate involved is doing to investigate incident and to protect against any further incidents.
Also, covered entities and business associates should train employees on incident reporting and may wish to conduct security audits and assessments to evaluate the business associates’ or subcontractors’ security and privacy practices. “If not, the alert said, “ePHI (electronic PHI) or the systems that contains ePHI may be at significant risk.”