So far this year, 22 breaches have been reported for 2017. Of course, there are still 2016 breaches being reported to the Department of Health and Human Services (HHS) website. While all the 2017 breaches so far are small, the largest one provides some good learnings on effective management of your Business Associates (BA).
The largest breach was also on the small side, affecting just 10,000 records, and was reported by Well Care Health Plans of Florida. Their former reinsurance services provider had a ransomware attack on their server in August of 2016 and did not notify their client until January of 2017. The information was said to be encrypted, but if it was encrypted to HIPAA standards, why would they need to report the breach?
The Breach Notification Rule on the HHS website says: “Covered entities and business associates must only provide the required notifications if the breach involved unsecured protected health information. Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.” For more information on the Breach Notification Rule for HIPAA go here.
So if you or your business associate have an incident where your systems are compromised but your data is encrypted and you are confident there was no improper use or disclosure of the PHI, you need to document that in an internal Security Incident Report. However, you do not need to report it to HHS because the data was secured and no improper disclosure occurred.
Another question is raised by this incident: Why let the former BA keep your data after their services are no longer needed? This incident may have occurred within a reasonable period after the relationship ended, which might explain it. Even if it was, though, this reminds us to be sure that our BA Agreements require removal of data in a “reasonable” period of time, say 30-90 days after the relationship ends. Be sure you specify what disposition you want for the data and whether you need to retain it. Ask for confirmation in writing that these steps were actually taken.
Another tip to take from this breach is to be sure that you are monitoring your Business Associates. The BA took over five months to tell the Covered Entity about the breach. This seems like a long time, although the “average” time it takes to identify a breach, if you analyze the breach data, is about seven months. But you would “assume” that if the BA was properly running malware/ransomware detection software and was actively reviewing the data, they would identify this attack much sooner.
As a covered entity, you need to know that the required HIPAA procedures (like Security Monitoring) are in place at the BA and are being actively performed. As the covered entity, YOU are ultimately responsible for what happens to your patients’ PHI. Be sure that your BA Agreement requires the BA to be HIPAA compliant and have all the policies and procedures necessary to keep your data safe. But, most importantly, be sure you have the right to audit the BA to confirm that they really take HIPAA compliance seriously.
A good way to “audit” is to ask for a copy of the most recent HIPAA Security Assessment. This will tell you where the BA sees the gaps between HIPAA requirements and their policies and practices. Remember that a “Gap Analysis” is required by HIPAA every year. If they do not have one done, run for the hills or make them do one. Finally, maintain dialogue with your BAs about HIPAA to keep HIPAA in the forefront for both of you and ensure the safety of your patients’ information.
By taking these measures, you can protect your business and your patients, while maintaining a good relationship with your BA.