The increase of ransomware attacks on healthcare entities and their business associates continues to be a significant concern. While covered entities (CE) have their own issues to deal with when the attack is directly against the organization, there are additional considerations if the attack is on a business associate (BA). This issue was recently raised when there was a reported attack against a BA used by several healthcare entities. The attack was made public, which means the CEs that used the business associate were on notice of the attack.
What is the Rule on discovery of a breach for a covered entity?
The HIPAA Breach Notification Rule states “A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.” 45 CFR 164.404(a)(1) (emphasis added) Because notification must occur without undue delay but not more than 60 days from the date of discovery under the rule, establishing the discovery date is critical. The rule continues on to state, “. . .a breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity . . .” 45 CFR 164.404(a)(2) (emphasis added)
But what if the incident occurs with a business associate?
Many business associate agreements (BAA) have provisions that the BA must notify the CE within a reasonable time or even a defined period such as 10, 20 or 60 days. However, once the public report has been made and anyone at the CE becomes aware of it the breach has been discovered, the clock starts running for breach notification. This means the CE should be initiating interactions with the BA to learn as much as possible about the nature of the ransomware attack, what data might have been compromised and what the BA is doing to handle the incident. Whether a ransomware attack is a breach was debated by the industry until the Office for Civil Rights (OCR) issued guidance on the topic.
The OCR guidance is that a ransomware attack is very likely a compromise of any PHI on the systems impacted by the attack. The guidance tells us the fact that ePHI was encrypted by the attacker means the attacker acquired the data because they have taken possession or control of the ePHI. This acquisition by the attacker is a disclosure that would not otherwise be permitted by the Privacy Rule. There is some room in the guidance for a determination that the attack was not a breach if the CE or BA can demonstrate the data was not “accessed” or “exfiltrated” by the attacker. But the guidance seems to imply that the evidence of this must be very strong before an organization can say there is a low probability of compromise.
The regulations place the duty to notify on the CE. As the BA responds to the incident it will be critical that the CE be aware of what the BA is doing and carefully review the determinations by the BA. A CE should carefully consider whether it will allow the BA to be the final decision maker regarding whether a breach has occurred. If the BA’s position is that no breach has occurred the CE should assure they are very confident in the evidence the BA has to demonstrate the low probability of compromise.
While the covered entity through the BAA might transfer the activities and/or cost associated with breach notification to the BA when the incident is the result of the BA’s acts or omissions, the legal responsibility to notify remains with the CE. This is why it cannot be emphasized enough that once the CE discovers that it’s BA has been the victim of ransomware attack the communication channels are opened and the discussions begin to assure breach notification is timely, if required. The CE needs to assure the BA is taking prompt action. The CE should question whether appropriate system analysis and forensics have been done. They should also know what steps have been taken to identify the data impacted. Failure of the BA to act promptly can quickly absorb the limited time period for notification.
CEs may wish to reassess and/or update the language of their BA agreements regarding who is responsible for what if a security incident like a ransomware attack occurs. CEs should not just rely on a statement from the BA that notification is unnecessary. This is definitely a trust but verify situation.