Imagine one day receiving a letter from your billing company concerning a breach of electronically Protected Health Information (ePHI). They’re writing to tell you that a large number of your patients have had their information compromised when a hacker accessed the billing company’s servers. To make matters worse, the breach was discovered 52 days ago. What should you do?
While it doesn’t take place every day, this scenario has happened. And it highlights the need for documentation of your HIPAA compliance—as well as that of any of your business associates and their subcontractors, should they interact in any way with ePHI. Many organizations don’t understand their liabilities when it comes to responding to security incidents and breaches of ePHI by one of their third-party vendors. When your organization manages ePHI, knowing how to handle these situations is imperative, and it all starts with having the right documentation in place.
In the event of an audit, your records will be an essential part of proving your compliance.
Detailed information showing what you have done, what you still need to do, and where you may have problems will help to demonstrate your level of commitment to securing this sensitive data. Your documentation should answer the following types of questions:
- What have we done to secure ePHI?
- How have we made our equipment and environment secure?
- What are the policies and procedures we have put in place to maintain security?
- How do we respond to security incidents?
- What were the results of our last risk assessment?
- What is our organization’s level of physical security?
- How can we prove our Business Associates and subcontractors are HIPAA compliant?
- What training are we providing to our employees and how often is it updated?
- What are our policies toward BYOD and how do those integrate into our overall security strategy?
- Who is in charge of our encryption keys, and where are they stored?
- Who has access to our firewalls and how are those firewalls configured?
But documentation for HIPAA compliance goes well beyond answering those questions. We encourage you to visit HHS.gov for the complete listing of information required. Your detailed documentation can mean the difference between determining whether a security incident is a non-issue or one that is “tipping the scale” to become a full-fledged breach. It can help your company demonstrate the minimal impact of a breach – saving you time and money and sparing you countless other negative consequences.
Your Business Associate Agreement and What It Must Include
HIPAA requires that every covered entity (CE) ensures their business associates (BA) sign a Business Associate Agreement (BAA) stating that they will reasonably and appropriately protect ePHI in accordance with HIPAA guidelines.
To ensure fairness for both parties, your Business Associate Agreement with any and all vendors (including developers, IT services providers, or cloud services providers) should include the following:
- Proof that the vendor is providing protection for ePHI in compliance with HIPAA regulations.
- A clause stating that the BA will deliver any and all breach reports to the CE within a reasonable and precisely defined time frame (e.g., ten days). These breach reports should also explain in detail the following:
  - What happened;
  - How it happened;
  - What was accessed;
  - Who was affected; and
  - Who (if determinable) is the culprit.
It’s also worth noting that this time frame should include an opportunity for the vendor to bring in a forensic IT expert and other professionals, as necessary.
Understanding Notification Protocols
With a Business Associate Agreement in place, if a breach of ePHI does occur, you will have the necessary framework to move forward. After your vendor informs you of the breach, HIPAA’s notification protocols require that you notify all individuals whose private health information was compromised. These notifications must be sent by first-class mail (or by e-mail if the individuals agreed to receive electronic notifications) within 60 days of the date of notification of the breach. Individuals must be provided adequate information regarding the breach, what steps they can take next, and also (and equally as important) what the CE is doing to protect them from potential harm and further breaches.
Also, the CE must provide a toll-free phone number that remains active for 90 days following the breach notification, so individuals can call to find out if their information was part of the breach.
Timing is critical. In the scenario above, in which the billing agency waited 52 days to inform the CE that its systems had been compromised, a considerable amount of time had already been wasted. The Breach Notification Rule states that if more than 500 individuals are affected by a breach, a report to the Secretary of Breaches must be filed “without unreasonable delay and in no case later than 60 days following a breach.” If the billing agency waits 52 days to notify you of a breach, that only gives you, the CE, eight days to file your entire report, which may not be enough time to ensure your details are complete and accurate. Notifications must also be sent to the media and the Secretary of the OCR within 60 days.
Providing the OCR Documentation
The bad news for covered entities is that a data breach, even if it originates with one of your vendors, and regardless of whether you have a legally binding BAA in place, can cause a tremendous amount of stress within an organization. You face not only the possibility of financial and legal penalties but also damage to your organization’s reputation. The good news is that you should have ample time (as long as it’s stated in the BAA) to clear your name in the eyes of the Office for Civil Rights. Because the burden falls on CEs and BAs to prove their systems were not responsible for a breach, it is imperative that both entities keep all proper documentation on hand, including the BAA. Without documentation showing intent to be in compliance, both you and your BA can be found liable.
Regardless of whether a breach has recently occurred, you’re still on the hook. In recent weeks in particular, providing documentation to demonstrate compliance has become increasingly imperative, with OCR’s Phase 2 HIPAA Audits right around the corner. Related to this, according to the Law Offices of King and Spaulding, writing for the JDSupra.com Legal News, “Covered entities and business associates should not underestimate the challenge of responding to a desk audit in 10 business days and should not expect to have access to OCR staff to ask questions about the audit request.” King and Spaulding recommend that all HIPAA-regulated entities work to get their compliance documentation in order immediately, to facilitate a quick response to an audit request. “Key documentation includes at minimum policies and procedures, risk assessments and related remediation, potential breach analysis, business associate contracts and workforce training and awareness,” they state. Their recommendations also include developing a list of business associates, which will be requested as part of the pre-audit screening procedures.
Should your company be among the lucky group of businesses to participate in OCR’s Phase 2 Audits, you will be sent a 15-question audit by the OCR to fill out within those short ten days. In it, they request evidence of the following:
- That the covered entity (CE) performed a Risk Assessment prior to the incident, and that a Risk Management plan is in place. Note that merely completing a Risk Assessment without implementing additional safeguards is not acceptable.
- HIPAA policies and procedures on safeguarding PHI.
- Indicators that employee training is ongoing and regularly updated.
- Evidence of breach procedures, including a breach risk assessment and breach notification procedures.
- Network vulnerability and penetration scans, along with the requisite anti-virus/anti-malware software.
- A system activity review, including the who, what, and when of PHI access.
Always Be Prepared
With the information and best practices outlined above, you’ll be able to respond to an OCR inquiry quickly and accurately. Conversely, without proper documentation, a CE may receive fines for non-compliance at a rate of $50,000 per incident, up to $1.5 million.
The moral of the story is to be prepared—always. Don’t end up scrambling to hit documentation deadlines. You also have to realize that even if the BA ends up solely at fault, a breach can still cost your reputation and damage relationships with your clients, leading to lost revenue. For the complete description of HIPAA and Business Associate regulations visit the HIPAA for Professionals page.