It’s one thing to prepare for a HIPAA breach of your own, but do you know what your business associates are doing to plan for breaches and other security incidents?
The Department of Health and Human Services’ Office for Civil Rights (OCR) is betting that you don’t. In its May Cyber-Awareness Monthly Update, the OCR offers the following suggestions to covered entities (health plans, healthcare clearinghouses, and healthcare providers) and to business associates themselves for handling breaches that involve business associates or subcontractors.
Define Approved Uses
First, the OCR recommends clearly defining the approved uses of protected health information (PHI) in business associate agreements (BAAs), so that any use outside those definitions can be quickly identified as a breach or a security incident. HIPAA defines a breach as “an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information,” whereas a security incident is “attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.” Note that the security-incident definition is broader: a failed attempt is still a security incident even though no breach occurred.
Security incidents include the following:
- Attempts (either failed or successful) to gain unauthorized access to ePHI or a system that contains ePHI.
- Unwanted disruption or denial of service to systems that contain ePHI.
- Unauthorized use of a system for the processing or storage of ePHI data.
- Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.
Indicate Time Frames for Reporting Breaches
The OCR also recommends including in the BAA a required time frame within which a business associate or subcontractor must report a breach, security incident, or cyberattack to the covered entity or business associate. Timely incident reporting minimizes damage, prevents further loss, and preserves forensic evidence. It also has a legal dimension: HIPAA holds covered entities liable for untimely notification of breaches to affected individuals, the OCR, and the media, as applicable (without unreasonable delay and in no case later than 60 calendar days after discovery). If a breach starts with a business associate or subcontractor, the sooner they report it, the sooner the covered entity can meet its own notification obligations.
Specify What Should Be Reported
BAAs also should include a description of the type of information that should be reported by a business associate or subcontractor in the event of a breach or security incident. The OCR recommends including the following:
- Business associate name and point of contact information.
- Description of what happened, including the date of the incident and the date of the discovery of the incident, if known.
- Description of the types of unsecured protected health information that were involved in the incident.
- Description of what the business associate is doing to investigate the incident and to protect against further incidents.
In general, the OCR recommends making sure that everyone who has access to PHI is trained on how to report incidents quickly and thoroughly. Covered entities and business associates should also consider routinely auditing the security practices and policies of their business associates and subcontractors, respectively, rather than relying on the BAA alone.
For more information about BAAs and other HIPAA provisions, visit the HHS’s HIPAA for Professionals web page.