As a Covered Entity or a Business Associate, you know you need Business Associate Agreements with entities that perform a service or a function for you which requires access to Protected Health Information (“PHI”) to carry out (these are Business Associates or subcontractors). A required element of Business Associate Agreements is that you will not transfer PHI to entities you know are not properly securing the PHI. Therefore, what should be done in instances when you discover a Business Associate or subcontractor that is not adequately securing PHI?
The first step is to see whether the issue can be resolved, or ‘cured.’ Send the Business Associate written communication putting them on notice that they have a specific time (e.g. 30 days) to correct the issue and secure the PHI; otherwise, the contract will terminate and the exchange will end. The best-case scenario is that they cure the issue within the specified time. If the issue is not corrected in time, then the contract can terminate and the exchange of PHI should end. The only exception is if termination is not feasible, for instance because there are no other viable options for the service, in which case you must notify the HHS Office for Civil Rights of the potential breach.
As the exchange of PHI becomes more prevalent and complex, the chain of trust on which the PHI is exchanged becomes increasingly important. If one link within that chain is weak, it must be strengthened or removed.
Transferring PHI without an executed Business Associate Agreement (“BAA”) has become a point of intense focus for federal regulators, and one from which we can expect continued fines. In practice, BAAs are not always easy to get executed, for a plethora of reasons. With all of this in mind, here are a few tips and best practices that will be helpful for organizations looking to get outstanding BAAs executed.
- Get the ball rolling: Whether you are a business associate, covered entity, or subcontractor, don’t hesitate to be the first to send a BAA for negotiation and execution. It establishes the parameters of the negotiation, signals that this is a serious matter to you, and takes the first step in getting a BAA executed. If you need a place to start, there are plenty of examples readily available, including some provided by the U.S. Department of Health and Human Services (HHS).
- Stress the importance: Whether an organization is a business associate is determined by the specifics of the business relationship, not by the existence of a BAA. In other words, not executing a BAA does not absolve an organization from the HIPAA-required safeguards, so there is no compelling argument not to execute one. Having a BAA in place is a requirement of both the business associate/subcontractor and the covered entity; the requirement is not one-way.
- Cause for termination: Almost all contracts outlining the business relationship will permit (or require) the termination of the agreement if one party does not comply with applicable laws or regulations. Signing a BAA is required by HIPAA, and not signing one will be grounds for termination. While it might be a disconcerting thought, your only protection against an organization that refuses to sign a BAA is to stop the transfer of PHI. This may create an incredibly challenging situation, but in extreme situations it is the only option. Most likely, when threatened with terminating the underlying contract, organizations will agree to execute the BAA.
This topic is one of the more difficult facing the entire healthcare industry at present. It is not that the answer to the situation is unknown; it is that the best answer is the most challenging solution. However, you must ask yourself one question: “How much can you trust an organization that will not execute a BAA to ensure the privacy and security of PHI?” I am willing to guess an organization that won’t execute a BAA is probably an organization you don’t want to do business with.
A significant number of organizations in the healthcare industry, both covered entities and business associates, are leveraging cloud-based solutions to store protected health information (“PHI”). Common examples of cloud storage providers are Dropbox and Amazon AWS, but those are far from the only ones in the market.
However, there are some important things to keep in mind before storing PHI in the cloud. These include:
A Business Associate Agreement Is Required: A vendor who is managing a cloud environment where you are storing PHI is a Business Associate and you must have a Business Associate Agreement executed. As recent OCR guidance clarified, it does not matter if the PHI is encrypted and the cloud services provider cannot access the PHI, they are still a Business Associate.
Cloud Storage Vendor Responsibilities: In addition to executing a Business Associate Agreement, all cloud vendors with whom you share PHI must meet HIPAA requirements. That means they must do many of the things that you must also do, such as training their staff, conducting periodic risk assessments, and implementing policies and procedures.
Know Where Your Responsibilities Begin: Every cloud storage vendor will offer different services. Some will only provide the infrastructure but will not manage any applications. Therefore, you need to know what security safeguards your vendor will provide and what you must do yourself. If you do not focus on the execution of these details, things can easily be overlooked.
Overall, storing PHI in the cloud is a safe and often wise business decision. However, just like everything else your organization does, the risks must be analyzed and mitigation steps must be taken.
Cloud Providers, DYK You Need to Sign a Business Associate Agreement?
Did you know that if you’re a cloud service provider you are required to sign a business associate agreement (BAA) if the healthcare organization you’re working with is handling protected health information (PHI)? Why is it so important not just to be a reliable cloud provider but also a HIPAA compliant one?
Last week the U.S. Department of Health and Human Services released useful guidance clarifying that a business associate agreement is required for cloud service providers that could be storing PHI on behalf of healthcare organizations (even if they don’t know it). This includes providers like Amazon Web Services (AWS) or Dropbox, and is true whether a healthcare organization is using these services or they are being utilized by one of the business associates they’re contracting with.
Additionally, the HHS guidance clarified that a BAA is required even if the cloud storage provider has no access to the PHI because it is encrypted by you and the cloud provider does not have access to the encryption key. There was some debate on this topic before the guidance, but now it is clear a BAA is required even if the cloud provider cannot read the information. As the guidance points out, the cloud provider still has persistent access (as opposed to the transient access that allows the conduit exception to apply), and must maintain various safeguards to ensure the PHI is kept in its encrypted state.
Many of the major cloud storage providers (most notably AWS) have been willing to execute BAAs for some time. If you’re a healthcare organization storing PHI in the cloud and you do not have a BAA in place with the cloud provider, you must execute one in short order. Most likely you do not have a BAA in place because the cloud provider is unaware you are storing PHI on their systems. Once you make them aware, it is likely they will willingly sign a BAA.
Large healthcare providers and payers have become increasingly concerned that they won’t be notified of a HIPAA breach by a vendor in a timely manner. This can lead to fines and penalties for the provider or payer even though it was their vendor that was breached. In all breaches, it is the organization with the direct relationship to the patient that bears the brunt of the associated reputational damage, and a delayed notification to the patient only exacerbates this damage.
As the flow of electronic protected health information (ePHI) becomes more complex, those with access to this data become further removed from the patient in question. The transfer of ePHI can bring significant benefit to the patient as well as the entire healthcare industry. However, it poses a challenge to promptly notify patients when their data is mishandled or involved in a security breach. As business arrangements are established among covered entities, business associates, and subcontractors, it is increasingly important to consider how the information about a breach or incident will be communicated to the patient.
To improve your communications processes, here are four things you should be including in your business associate agreements or service level contracts to ensure timely and efficient notification:
- Outline and define what ePHI a business associate or subcontractor may disclose to a covered entity when reporting an unauthorized or unpermitted disclosure of ePHI.
- Indicate how long business associates or subcontractors have after discovery of a breach or incident to report the activity to the covered entity. States have been active in recent years in compressing the time for notification to the patient. Make sure you’re cognizant of your state requirements when determining how long business associates and subcontractors have to notify covered entities.
- Identify what information the business associate or subcontractor must provide to the covered entity when giving notification of a breach or incident. At a minimum, this should include:
  - Business associate/subcontractor point of contact;
  - Description of what happened, including the date of the incident and the date of discovery;
  - Description of the types of ePHI involved in the incident or breach; and
  - What the business associate/subcontractor is going to do to investigate, remediate, and prevent future incidents.
- Require staff to be trained in the specifics of how to communicate and respond to security incidents and breaches involving ePHI.
These terms can be included either in a standalone business associate agreement or as part of a service level agreement, and both satisfy HIPAA requirements. While HIPAA does not require all of these terms at the level of specificity detailed here, including them will serve your organization well. It is much easier to preemptively negotiate and agree on these terms than to try to do so in the midst of a breach response.
All healthcare covered entities have concerns that their business associates might not be securing protected health information (PHI). While a business associate agreement (BAA) should be in place, there is no guarantee that the safeguards in the contract are actually implemented. Business associates will be sensitive to the idea of their covered entity customers having oversight of their HIPAA safeguards. With this necessary balancing in mind, here are a few tips on how to oversee your business associates without upsetting critical vendors.
Plan from the start:
As a covered entity, the best practice is to include in the BAA the right to access certain compliance documentation. Choose a set period (every three, six, or 12 months) in which certain documentation must be provided to you for review. It is even better to address this during negotiation of the BAA so it does not come as a surprise later.
Trust, but verify:
The review of the business associate’s documentation can be limited, but it should be strategic. Reserve the right to look at a wide range of documents, but only request a segment. Critical documents to review at least annually include a summary of the security risk assessment, role-based access control logs, workforce training logs, and encryption policies.
Know what’s next:
Having this type of oversight in place is an excellent practice; however, you also want to know what you are going to do in the event the oversight identifies a vulnerability or compliance gap. This will likely be addressed to some degree in the BAA (in the form of curing breaches of the contract), but you should be prepared: how long will the business associate have to remediate the issue, and what verification will you require to confirm the situation has been resolved?
Effective oversight of your business associates requires finesse and creativity. It also requires you to be reasonable. No vendor is going to want to work with you if you require burdensome oversight. However, a balanced approach helps strengthen your entire network, while still being manageable.