OCR Business Associate Fact Sheet Sets Floor and AMCA Breach Shows Why We Must Do More

June 19, 2019 David Holtzman

Why Having a Vendor Security Management Program is Necessary

News of a cybersecurity incident compromising the personally identifiable information of the American Medical Collections Agency (AMCA), a downstream financial management and collections contractor serving scores of healthcare organizations, has put a spotlight on concerns over the lax approach some in the industry take to assessing vendor information security practices. The breach, the largest healthcare related incident to have been reported since 2017, comes on the heels of the recently released fact sheet produced by the Department of Health and Human Services, Office for Civil Rights (OCR) that provides guidance for HIPAA compliance and direct liability for business associates that many believe to be insufficient in effectively safeguarding health information.

The HIPAA standards require that a covered entity or business associate obtains satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information (PHI) it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, usually taking the form of a contract or “business associate agreement” (BAA) between the covered entity and the business associate. However, the HIPAA standards do not require a covered entity or a business associate to assess or monitor the information security practices or security rule compliance of their business associates.

Have an Effective Vendor Security Management Program

Providers should have an effective vendor management program in place and document greater due diligence through these efforts to better manage their business associates. An effective vendor security management program will evaluate and monitor vendors on a regular and ongoing basis and hold them accountable for requirements your organization identifies or assigns as remediation. Healthcare organizations should perform risk based assessments of vendors’ information security practices and safeguards. The more access an organization has to your information system or the sensitivity of the data, the more comprehensive and thorough the examination.

Just as important is to require a vendor to identify and perform vendor management assessment of the subcontractors or vendors they hire to create or maintain your organization’s personally identifiable data. Ensure that all vendor agreements include provisions for what types of incidents have to be reported your healthcare organization and when that notification must be provided. Equally important is specifying in your vendor contract how information about incidents involving downstream contractors are reported to your organization as well as the right to obtain information or investigate such incidents.

OCR Fact Sheet Summarizes Business Associate Requirements

The OCR fact sheet provides a summary of the responsibilities for business associates to comply with the HIPAA Privacy, Security, and Breach Notification provisions added by the Health Information Technology for Economic and Clinical Health (HITECH) Act and the 2013 final rule implementing those changes. The HIPAA Rules are designed to set the floor of safeguards to prevent unauthorized use or disclosure for protected health information (PHI). The HIPAA Rules only apply to the covered entities and business associates as defined by the HIPAA and HITECH laws. The fact sheet identifies 10 categories of HIPAA violations for which a business associate may be directly liable:

  1. Failure to provide records and compliance reports in cooperation with OCR investigations;
  2. Taking retaliatory actions against individuals for filing a HIPAA complaint;
  3. Failure to comply with HIPAA Security Rule requirements;
  4. Failure to provide a breach notification to a covered entity or another business associate;
  5. Impermissible uses or disclosures of PHI;
  6. Failure to fully comply with HIPAA’s right of access to PHI in a readily available form and format;
  7. Failure to make reasonable efforts to limit access to PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request;
  8. Failure to provide an accounting of disclosures in certain circumstances;
  9. Failure to enter into HIPAA-compliant downstream business associate agreements (BAAs); and
  10. Failure to take reasonable steps to address a breach or violation of a downstream BAA.

The Bottom Line

Business associates are required to conduct thorough, annual risk assessments. Risk assessments are required under the HIPAA Security Rule and can lead to protection from arguments that safeguards in place at the time of an incident or otherwise were inadequate.

Healthcare organizations should go beyond the minimum requirements of the HIPAA standards through an effective vendor management program. Design your vendor security management program to evaluate and monitor vendors on a regular and ongoing basis and hold them accountable for requirements your organization identifies or assigns as remediation. Evaluate each vendor’s level of risk and determine which protections are in place so your organization can make a determination around how to adjust your contracts, service levels, or your overall relationship. Actively monitor each vendor, communicate the security gaps identified, and alert the covered entity on any changes to the vendor’s status over time.

Learn more about CynergisTek’s Vendor Security Management Service.

 

About the Author

David Holtzman

David Holtzman is an executive advisor for CynergisTek. He is considered a subject matter expert in health information privacy policy and compliance issues involving the HIPAA Privacy, Security and Breach Notification Rules. Prior to CynergisTek, Holtzman served on the health information privacy team at the Department of Health & Human Services, Office for Civil Rights (OCR/HHS), where he led many OCR initiatives including the effort to integrate the administration and enforcement of the HIPAA Security Rule, and health information technology policies. David has nearly two-decades of experience in developing, implementing and evaluating health information privacy and security compliance programs from both government and private sector organizations. He is a member of the HHS “CISA 405-d Workgroup”, the Joint Cybersecurity Working Group of the Healthcare Sector Coordinating Council and Co-Chair of the Privacy and Security Workgroup for North Carolina Healthcare Information & Communications Alliance (NCHICA).

Follow on Twitter More Content by David Holtzman
Previous Video
Breach Risk Assessment: When is it a Reportable Breach?
Breach Risk Assessment: When is it a Reportable Breach?

Next Article
Why a Furniture Maker Had to Report a Health Data Breach
Why a Furniture Maker Had to Report a Health Data Breach