With OCR Phase 2 audits underway, many covered entities are taking a fresh look at their physical, technical, and administrative safeguards for electronic protected health information (ePHI). A comprehensive data security analysis, however, does not stop at the covered entity’s own threshold. A covered entity must ensure the confidentiality, integrity, and availability of “all” ePHI the CE creates, receives, maintains, or transmits. (45 CFR 164.306(a)(1)). This obligation includes proper management of business associate relationships.
A business associate is a person or entity that performs certain activities or functions that require it to use or disclose PHI on the covered entity’s behalf. Examples of BAs include third party administrators that assist plans with claims processing, and consultants that perform utilization review for hospitals. As the Security Rule makes clear, a CE may not permit a business associate to create, receive, maintain, or transmit ePHI on the CE’s behalf unless the CE obtains “satisfactory assurances” that the BA will appropriately safeguard the information. (45 CFR 164.308(b)(1)). These satisfactory assurances are embodied in a written agreement (“business associate agreement” or BAA) that meets Privacy Rule requirements. This includes the BA’s agreement that it will use appropriate safeguards to prevent uses and disclosures of PHI that violate the BAA. (45 CFR 164.314(a); 45 CFR 164.504(e)).
In a May 3, 2016 listserv mailing, OCR cautioned covered entities to consider how they will address a breach by their business associate. This is an area of insecurity for many CEs. While the Breach Notification Rule requires BAs to notify their CE after discovering a breach of unsecured protected health information, OCR reports that a large percentage of CEs believe their BAs will not, in fact, notify them of breaches or security incidents. OCR also reports that CEs find it “difficult” to manage security incidents involving BAs, and “impossible” to determine whether their BAs security policies and procedures are adequate to effectively respond to a breach.
According to OCR, covered entities should consider:
1. Defining in the Business Associate Agreement when and how the BA may use or disclose PHI, with any other uses, disclosures, breaches, or incidents to be reported to the covered entity. Potential incidents include:
Attempts to gain unauthorized access to ePHI or a system containing ePHI
Unwanted disruption or denial of service to systems containing ePHI
Unauthorized use of a system that processes or stores ePHI
Changes to system hardware, firmware, or software without the owner’s knowledge, instruction, or consent
2. Indicating in the BAA the timeframe in which the BAA must report the breach or incident to the CE. Quick incident/breach reporting can:
Ensure the CE can meet its obligation to timely report any breaches of unsecured ePHI to individuals, OCR, and (sometimes) the media
Minimize damages associated with a breach
Protect, and prevent further loss of, ePHI
Preserve evidence for forensic analysis
Regain access to, and secure, information systems
3. Identify in the BAA the type of information the BA must report to the CE. This should include (but is not limited to):
BA name and contact information
What happened, including dates of incident and discovery
Types of unsecured ePHI involved
What BA is doing to investigate, and protect against further incidents
4. Train workforce members on incident reporting.
5. Consider auditing and assessing the BA’s security and privacy practices.
In its May 2016 report, Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches, the Brookings Institution highlighted several potential contributors to the increased number and severity of breaches and security incidents affecting health care data. Covered entities should consider whether and how these factors apply to them, and to their business associates:
Too many people have access to health care data. The Brookings Institution reports that health care data are being shared more extensively, and in many cases, “most employees [at the “sharee”] have full access to patients’ medical data.” While the urgency inherent in medical care arguably favors broader access within health care providers, business associates – who do not provide direct patient care – can rely less on this argument.
To limit risk in this area, covered entities should ensure that their BAs comply with the Security Rule requirements for role-based access to ePHI: (1) Implement procedures for the authorization and/or supervision of workforce members who work with ePHI, or in locations where it might be accessed (45 CFR 164.308(a)(3)(ii)(A)); (2) implement procedures to determine that an employee’s access to ePHI is appropriate (45 CFR 164.308(a)(3)(ii)(B)); and (3) implement procedures for terminating access to ePHI when employment terminates or roles change (45 CFR 164.308(a)(3)(ii)(C)).
Medical data are stored in large volumes and for a long time. The Brookings Institution notes that “[t]he probability and consequences of a data breach are directly associated with the storage duration and volume of medical data.” With a security incident or breach a virtual inevitability, CEs should be conscious of “minimum necessary” obligations affecting the BA relationship. CEs should make reasonable efforts to limit disclosures to BAs to the minimum PHI necessary to accomplish the purpose of the disclosure, and should in turn ensure their BAs request – and further disclose – only the minimum PHI necessary to accomplish those purposes. (45 CFR 164.314(a); 164.502(b)). A business associate agreement is not a license for a wholesale information dump. Attending to minimum necessary requirements will limit the amount of PHI at the BA to that which is actually necessary for the BA to do its job, and will leave less data exposed in the event of a security incident or breach.
CEs should likewise take care that their BAs do not retain ePHI longer than necessary to complete the contracted services. A compliant BAA should account for data at the end of the BA engagement, and should provide that the BA will: “At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.” (45 CFR 164.314(a); 164.504(e)(2)(ii)(J)). Limiting the duration of the BA’s access to ePHI will also contain damages in the event of an incident or breach.
While business associates are now directly liable under the Security Rule and many aspects of the Privacy Rule, covered entities remain responsible for selecting their BAs, properly vetting their physical, technical, and administrative safeguards, an embodying the parties’ agreement in a compliant BAA. OCR has provided suggestions on how CEs can help manage risks to ePHI held by business associates to a manageable level. Covered entities should be particularly mindful of their own, and their BAs’, minimum necessary obligations to appropriately limit the amount of PHI that could be exposed by a breach at the BA. CEs should likewise make reasonable efforts to ensure role-based access to PHI at the BA, limiting the opportunity for human error.
For more information about HIPAA compliance and data security, contact Kim Metzger or a member of our Data Security and Privacy Group.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 45 CFR 164.410(a)(1)
 The HIPAA Rules define a “security incident” as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations. (45 CFR 164.304). A “breach” generally means an impermissible acquisition, access, use, or disclosure that compromises the security or privacy of PHI. (45 CFR 164.402).