Business Associate Management Tips Key Steps Can Help Prevent Breaches
Business associate agreements should set clear expectations for breach notification to help ensure compliance with the HITECH Act, says regulatory expert Christopher Hourihan.

"There definitely needs to be some explicit definition around when a notification from a BA is required and who they need to notify," says Hourihan in an interview with HealthcareInfoSecurity's Howard Anderson. "You're also going to want to specify very clearly the timeline in terms of the expectation of the notification."

Healthcare organizations also should ask their business associates to provide a copy of their latest risk assessment as well as their corrective action plan for mitigating risks, says Hourihan, manager of development and programs at Health Information Trust Alliance.

"Organizations should be asking their business associates about how they secure protected health information," he says. That includes asking specific questions about security controls for mobile devices and media.

In the interview, Hourihan also:

  • Outlines other details to include in business associate agreements as well as important questions to ask vendors.
  • Advises working with business associates to confirm they are properly using audit logs so that they can provide a record of who has accessed protected health information. A proposed federal Accounting of Disclosures rule would give patients the right to an access report that encompasses business associates as well as covered entities. Hourihan also advises covered entities to look for ways to reduce the amount of patient information they provide to their business associates to help minimize risk.
  • Encourages healthcare organizations to create a formal vendor management program that clearly establishes the policies and procedures for engaging with vendors.

At HITRUST, Hourihan leads the ongoing development of the Common Security Framework and CSF Assurance Program. The framework helps organizations demonstrate security and comply with various regulations, including the HITECH Act and HIPAA. Hourihan is the featured speaker in a webinar on how to conduct a risk assessment.

HOWARD ANDERSON: For starters, why don't you tell us briefly about HITRUST?

CHRISTOPHER HOURIHAN: The Health Information Trust Alliance is an industry group that was established in late 2008, early 2009. HITRUST developed a common security framework for the healthcare industry ... a comprehensive set of security controls and requirements for organizations with respect to information security and compliance. Since then, HITRUST has developed a CSF assurance program which sets forth a methodology, set of tools and resources for organizations wishing to conduct an assessment against the CSF and also against general risks to the industry.

Questioning Business Associates

ANDERSON: Working closely with business associates is a critical component of a health information breach prevention strategy. Based on your experience, what are the most important questions to ask business associates regarding their policies and strategies for keeping protected health information secure?

HOURIHAN: First it's important to note that organizations should be asking their business associates about how they secure protected health information in the first place. Many organizations do no inquiry and rely solely on business associate agreements to manage security. This strategy may be appropriate for small healthcare organizations or business associates providing limited services. But if you're talking about a hosting provider or a key service provider that houses a lot of PHI [protected health information] or provides really fundamental core services for the organization, then it's absolutely important that some sort of due diligence be conducted against the business associate's security program.

If you're going to be asking questions, first and foremost I would ask my business associate if they've had a risk assessment performed in the last year, and if they can provide a copy of the results of that risk assessment. I would ask if they have a corrective action plan associated with that risk assessment just to validate that not only do they understand where their risks are, they are actively doing something to remediate those risks. If there's no assessment or no corrective action plan, then some red flags need to be raised and some more in-depth analysis of the organization's program needs to be performed, based on the organization's own security requirements or against some set of requirements like HITRUST provides.

Then, depending on the adequacy of the assessment, the scope of the assessment and the results of that assessment, I would also look into some of the high risk areas for the healthcare organization and healthcare industry, as well as the business associate, depending on the type of services provided or the nature of the business associate and that relationship. These may include, as you mentioned, an information security policy review and the adequacy of those policies, and also procedures supporting the policies - for example, how the organization actually implements those security policies. It also includes other high risk areas like mobile media security, laptop security, core areas that the healthcare industry has been dealing with that have been resulting in large breaches or a high number of breaches, and then the ... technical controls that they have in place to address those areas such as encryption or DLP [data loss prevention] solutions.

And the areas you are going to look at also depend on the nature of the relationships. If you have a business associate who is hosting or serving information, and providing infrastructure, then you definitely want to look at how they manage that infrastructure. Do they patch regularly? Do they have standard configurations based on industry guidance? And do they monitor for vulnerabilities on a regular basis? HITRUST provides a full list of high-risk areas, things that you want to evaluate. ...

You would also want to make sure that you are evaluating your business associate's management of their own business associates. In many cases, a business associate will subcontract to another vendor ... and you would want to understand if they were doing that and what their programs look like. What do their policies look like and what are their procedures for managing their own BAs? Are they doing something similar to you as a healthcare organization in your inquiry, or are they relying solely on contracts, or are they not doing anything? ...

Business Associate Agreements

ANDERSON: Can you give us a few examples of details that should be included in business associate agreements regarding the prevention of breaches as well as breach notification responsibilities?

HOURIHAN: Business associate agreements have traditionally, from a security perspective, focused on requiring that BAs adhere to and implement the administrative, technical and physical safeguards of the HIPAA security rule. Traditionally that was okay, but today it really isn't particularly useful, given that BAs are now directly responsible for implementing those safeguards and complying with the HIPAA security rule. ...

When you require an organization in the business associate agreement to implement administrative, technical and physical safeguards, that's a pretty ambiguous set of requirements, and your expectations may not really align with the business associate's expectations. That can cause issues and it can also result in non-compliance, violations and breaches of PHI.

Business associate agreements, to be truly valuable, need to specify a greater level of detail than what is required of just pointing to the HIPAA security rule. The organization should specify details in the form of its own information security policies and requirements, or, again, reference out to something like HITRUST or another standard baseline and say, "Meet these requirements, business associate, and you'll satisfy my own requirements." In either case, you should probably reference out to what those requirements are, reference out to your own security policy and then, in an addendum, or through another means, supply the policy and the expectations there. Or reference out to HITRUST and then supply those more specific requirements. ...

With respect to breach notification specifically, there definitely needs to be some explicit definition around when a notification from a BA is required and who they need to notify. Who is the point of contact at your organization that's going to be responsible for receiving the notifications and then escalating it up the internal chain of command? It may just be for known breaches, but it also may be for suspected breaches, and it may be for breaches with the organization's subcontractors. ...

You're also going to want to specify very clearly the timeline in terms of the expectation of the notification. The interim final breach notification rule sets for a 60-day ceiling for covered entities, but without unreasonable delay. Unfortunately, the clock starts ticking when the breach occurs, and that breach may occur with the business associate. If the business associate is not notifying the organization for 60 days, then that really leaves no time for the covered entity to conduct their own analysis and provide the notification to the [affected] individuals, the media or the secretary. To meet that requirement within the business associate agreement, you would want to specify something much shorter, something in the order of, say, five days, for providing that notification. ...

Accounting of Disclosures Rule

ANDERSON: The HHS Office for Civil Rights recently unveiled a proposed Accounting of Disclosures rule that would require organizations to give patients an access report listing everyone who has viewed their records, including those at certain business associates. What steps, if any, should organizations be considering now to ensure their business associates can provide an accounting about records accessed?

HOURIHAN: This really is an issue centered around logging of access and can a system support those particular logging requirements. The first step is to understand the scope of the issue: How many BAs does the organization have, and what access to what patient's records do they have? The Accounting of Disclosures rule is very focused on the designated record set. ... Understand who your BAs are. Do they have access to the designated record set?

The next step there is to understand if that access can be scaled back at all. Can I reduce the number of BAs that I have? Can I reduce the amount of information that the BAs have? Can I encrypt the information or de-identify the information? That really will reduce the burden on both the covered entity and the business associate as well. ...

But once you understand the scope and once you've done everything that you can to potentially reduce that scope ... then it would be a matter of actually engaging each of those BAs to ensure that they're starting the efforts to enable that logging. Or if they already have the logging, confirm that the logging is adequate in terms of when and what is being logged. The covered entity does have the option, in the proposed rulemaking, that they can simply provide [patients] the contact information of the BAs. Then the patient would be responsible for reaching out to that BA and getting that specific set of accounting of disclosures from that BA, or those multiple BAs, depending on the scenario. The covered entity doesn't have to spend any time, resources or dollars to ensure that the BA is compliant. It's up to the BA to do that. But again, I would want to, as a covered entity, ensure that the BAs are aware of their requirements and that they're doing something to actively address those requirements.

Once you understand that, and once you've confirmed that the BAs are doing something ... the first step is to identify what logging is being performed and whether it performed at the appropriate times. Am I able to generate a log when someone accesses a record, when someone prints a record or when someone creates or updates a record? ... Can I capture the appropriate information in the log? When someone reads a record, can I capture who the user was who accessed that record and the patient [involved]? What PHI was accessed and when did the access, update or print occur? And then, why was that access necessary? Does this person have a valid reason for being able to access that record? Does the organization have a valid reason for accessing, creating or updating that record?

Those are the components of the log that need to be captured. ... Because the final rule has not yet been defined, it's going to be a delicate balancing act of doing enough to prepare and meet the deadlines, but not doing more than ultimately what will be required. ... If you focus on whether the logs can be generated at the appropriate points of time, then what needs to be captured will be more clearly defined. You can focus on that, as that will probably be a bigger effort than simply generating the records in the first place.

Vendor Management

ANDERSON: Finally, do you have any other advice on how to better manage business associate relationships to ensure patient information is adequately protected?

HOURIHAN: Beyond what I've already mentioned, I would recommend really defining a formal vendor management program within the organization. So clearly set the policy and the procedures for engaging with vendors. Set the expectations from a security perspective around what the vendor needs to meet. ... And then set up how to actually go about validating that up-front, prior to the contract signing, and then on a continual basis thereafter.

This is going to be a risk-based program ... to provide some flexibility for business associates that are small, not very sophisticated and really have a limited impact on the organization as a whole. They don't need to have a third party review conducted every year. But you would need your large hosting provider to conduct that third-party independent review every year and provide the results. ... So again, clearly define the different classifications of business associate, the expectations of those business associates within each classification and then execute on that program. It will help to bring some definition, consistency and standardization to organizations' approaches to managing business associates.

HITRUST provides some guidance and resources to organizations to make this easier. And other standard best practices out there, like NIST [National Institute of Standards and Technology], provide additional guidance.




Around the Network