HIPAA Business Associate Guide to Data Breach Notification

Posted: Jun 30, 2015
Share This:

Business Associates, or BAs, have not been covered by the HIPAA Security and Privacy Rule for as long as the healthcare organizations they provide services to, and this means that some BAs may be unsure of what to do when it comes to being able to handle a data breach incident.

No matter the size of the organization, it is highly likely that they will experience a security or privacy incident involving Electronic Protected Health Information (ePHI). Business Associates may have numerous covered entities (CEs) that they provide services to, and so it is crucial that they fully understand HIPAA compliance rules and are able to manage and execute a timely response to a breach, while also ensuring preventative measures to avoid them.

Build a strong foundation

First and foremost, BAs should ensure an internal culture of compliance, integrity, and privacy exists within their organization. This should include routine staff training on policies and procedures, auditing and monitoring to detect possible vulnerabilities, and making sure that if the worst should happen, the contact details of those that need to be notified are easily located. These are the compliance basics, and should form the cornerstone of data security policies and procedures.

Having an appointed individual responsible for developing and maintaining an incident response plan, such as a Security and Privacy Compliance Officer, as well as a core team responsible for responding to an incident, is crucial. The National Institute of Standards and Technology (NIST) provides a four-phase process to assist organizations in handling data breaches successfully and those responsible for devising an incident response plan should familiarize themselves with these guidelines.

Manage your agreements

Having a centralized portal to store all information relating to process and procedures as well as contacts and resources relating to your Business Associate Agreements (BAA) can help save a lot of time in the event of a breach. Although the HIPAA Final Rule states BAs have 60 days to notify CEs, notification should be as fast as possible.  Some states have stricter regulations that overrule these policies. Florida is now 10 days (recently reduced from 14 days) and California at just 5 days. It can be difficult to keep track of notification terms across multiple BAAs, and so a process that automatically notifies covered entities of an incident within the minimum notification time frame specified is recommended. This is especially important if multiple entities are affected.

Build relationships with all covered entities to ensure that they are kept informed of any privacy related updates undertaken by your organization, and inform them of potential incidents and failed security incidents. Make sure that subcontractors and temporary staff are all aware that the HIPAA Privacy Rule applies to them while employed by your organization.

If possible, Business Associates should be able to select their preferred insurer to provide Cyber Liability Insurance. When selecting an insurer, look for those that are able to provide incident response sent in multiple languages and have a 24/7/365 call centre. They should also outline coverage guidelines and use your preferred outside counsel and forensics investigators.  Life has got even more complicated these days because coverage today is needed for both the HIPAA maximum ($1.5m for each violation) and the maximum FTC penalty at $3m.

What if a breach does occur?

With so many covered entities to communicate with following a breach, ensuring that a consistent announcement is conveyed can be difficult. While the covered entity is likely to have the final say on the notification that it sends its patients, it is important to collaborate with each of them to maintain continuity. It is also worth bearing in mind that for incidents involving more than 500 records, a press release will need to be issued. Again, efforts should be made to communicate with the covered entities affected to ensure that the facts of the incident are accurately represented and to discuss the next steps for notifying affected individuals.

What can I do to minimize the risk of a breach occurring?

Data breaches have increased, especially cyberattacks, with the healthcare sector being targeted specifically.

To protect your organization, and your covered entities, ensure that:

  • Encryption is used for data at rest and in transit
  • Unique user IDs and strong passwords are used
  • Role-based access control is set up and regularly reviewed
  • Automatic time out and remote wipe functions are implemented
  • Audits and risk assessments are conducted frequently to identify vulnerabilities
  • Firewalls and Antivirus software should be installed on all devices and should be encrypted along with hard drives
  • Conduct regular HIPAA training sessions
  • Have an incident response plan in place, and practice the process
  • Make sure ePHI can only be accessed through secure services and connections
  • Keep track of BYOD