We had our regular HIPAA training with all of our SOS staff this morning. This is a sometimes unexciting meeting, as we review SOS policies and procedures related to HIPAA and Protected Health Information (PHI). This morning, we noticed that the amount we have learned about HIPAA, our responsibilities as a Business Associate and the responsibilities of our mostly behavioral health customers as Covered Entities has resulted in much more refined discussion of what we should all be thinking about.
One of our regular concerns is that we, as a Business Associate to our customers, have in place, and understand how to act on, policies and procedures to protect the PHI of our customers should it ever be in our hands.
This morning we found ourselves talking about the danger to Covered Entities of not having Business Associate Agreements (BAAs) with their computer tech, maintenance and repair consultants, and having no idea what the policies and procedures of those Business Associates are.
The Office for Civil Rights (OCR) sent out this information on May 3, 2016:
Covered Entities Should Consider:
1. Defining in their service-level or business associate agreements how and for what purposes PHI shall be used or disclosed in order to report to the covered entity any use or disclosure of PHI not provided for by its contract, including breaches of unsecured PHI, as well as any security incidents.
HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304). HIPAA also identifies breaches as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402).
According to US-CERT, cybersecurity incidents include, but are not limited to, the following types of activity:
- Attempts (either failed or successful) to gain unauthorized access to ePHI or a system that contains ePHI.
- Unwanted disruption or denial of service to systems that contain ePHI.
- Unauthorized use of a system for the processing or storage of ePHI data.
- Changes to system hardware, firmware, or software characteristics without the owner's knowledge, instruction, or consent.
2. Indicating in the service-level or business associate agreements the time frame they expect business associates or subcontractors to report a breach, security incident, or cyberattack to the covered entity or business associate, respectively. Keep in mind: incident reporting should be done in a timely manner, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR, and the media, as applicable. The quicker the incident is reported, the faster a covered entity or business associate can respond, possibly:
- Minimizing the damages caused by the security incident.
- Protecting against and preventing further loss of electronic patient health information.
- Preserving evidence for forensic analysis, if necessary.
- Regaining access to and securing information systems.
3. Identifying in the service-level or business associate agreements the type of information that the business associate or subcontractor would be required to provide in a breach or security incident report. The report should include:
- Business associate name and point of contact information.
- Description of what happened, including the date of the incident and the date of the discovery of the incident, if known.
- Description of the types of unsecured protected health information that were involved in the incident.
- Description of what the business associate involved is doing to investigate the incident and to protect against any further incidents.
4. Finally, covered entities and business associates should train workforce members on incident reporting and may wish to conduct security audits and assessments to evaluate the business associates' or subcontractors' security and privacy practices. If not, ePHI or the systems that contain ePHI may be at significant risk.
I know all of you have BAAs in place, so the OCR's advice is just repetitious to you. Or is it? If you do not know what your BAAs should and do contain, if you do not have BAAs with everyone who is not your employee and who may see your PHI, if you do not know your responsibilities as a Covered Entity, if you do not regularly train your employees on HIPAA and its requirements... please take a look at OCR's website, where this information is provided.
We worry about you guys! Please make sure you (and your patients) are protected!