OCR cautions hospitals to prepare for breaches at business associates

The Office for Civil Rights said that many HIPAA-covered entities do not believe business associates will notify them in the event of a data breach but since providers are on the hook anyway they must be ready should that happen. 
By Jack McCarthy
09:42 AM
HHS data breaches privacy security

With many healthcare organizations questioning their data security arrangements with business partners, the Office of Civil Rights (OCR) of the Department of Health and Human Services, sent out an alert suggesting steps to mitigate damage from breaches resulting from those associations.

The alert OCR sent last week said that following the 2015 hack of U.S. Office of Personnel Management (OPM), many healthcare organizations believe the provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) have not stopped breaches and have not allayed their fears.

“Not only do a large percentage of HIPAA covered entities believe they will not be notified of security breaches or cyberattacks by their HIPAA business associates, they also think it is difficult to manage security incidents involving business associates, and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach,” the alert said.

Learn on-demand, earn credit, find products and solutions. Get Started >>

[Also: OCR unleashes second wave of HIPAA audits, will it diminish patients' privacy expectations?]

As a result, HIPAA-covered organizations and their HIPAA business associates should consider how they will confront a breach at their business associates or subcontractors.

The alert recommended they should define in their service-level or business associate agreements how and for what purposes protected health information (PHI) should be used or disclosed. This action would facilitate reporting to the covered entity of any use of disclosure of PHI not provided for by its contract, including breaches of unsecured PHI, as well as any security incidents. 

These organizations should also determine in the service-level or business associate agreements the time frame they expect business associates or subcontractors to report a breach, security incident, or cyberattack to the covered entity or business associate. 

“Incident-reporting should be done in a timely manner, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR, and the media, as applicable,” OCR said. Quick incident reporting can allow an affected organization to take actions to minimize damages, further loss of electronic patient health information, preserve evidence for forensic analysis, and regain access to and secure information systems.

These organizations should also identify in the service-level or business associate agreements the type of information that would be required by the business associate or subcontractor to provide in a breach or security incident report. 

The report should include business associates’ names and contact information, description of what happened, description of the types of unsecured protected health information involved in an incident, and description of what the business associate involved is doing to investigate incident and to protect against any further incidents.

Also, covered entities and business associates should train employees on incident reporting and may wish to conduct security audits and assessments to evaluate the business associates’ or subcontractors’ security and privacy practices.  “If not, the alert said, “ePHI (electronic PHI) or the systems that contains ePHI may be at significant risk.” 

Twitter: @HealthITNews

Like Healthcare IT News on Facebook and LinkedIn

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.