Revamping Business Associate Contracts
In an interview, Walsh points out that under the rule, business associates, such as banks, billing firms and software companies, that have access to health information must report breaches to their healthcare partners, such as hospitals and physician groups. He advises healthcare organizations revamping contracts to:
Walsh is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on risk management strategies. He is one of the authors of a new book, "Information Security in Healthcare: Managing Risk," published by the Healthcare Information and Management Systems Society.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. Today we are talking with Tom Walsh, President of Tom Walsh Consulting, an Overland Park, Kansas-based firm specializing in healthcare information security issues. Thanks for joining us, Tom.
TOM WALSH: Well, thank you, Howard. I appreciate it.
ANDERSON: For starters, why don't you give us a brief overview of the breach notification requirements for covered entities and business associates?
WALSH: Well, obviously the covered entities have a lot to do as far as the breach notification. There is a rule that was issued in September, which specifies what they have to do. For the business associates, they would, at a minimum, have to report the breach to their covered entity. But depending upon how they store the information and what their service is to the covered entity, they may have a greater role in the breach notification process, and that is also explained in the rule.
So, for example, some organizations may outsource some of their clinical information systems management to a business associate, and if a breach occurred there, the business associate would have a better understanding of who the patients were who were affected by it, so they would take the lead in some cases in doing the investigation work, and possibly even reporting it to the Department of Health and Human Services.
So a business associate could have a minor role or it could play a major part; it just depends on what they are doing and the type of breach they are dealing with.
ANDERSON: What specific questions should healthcare organizations ask their business associates about how they are preparing to comply with the breach notification rule?
WALSH: Well, Howard, I would recommend that covered entities talk to their business associates and find out how they collect data when an incident gets reported. And I say an "incident" because initially everything starts as an event or some incident. As we follow up and go through this investigative process, we will determine whether or not it truly is a breach.
If it is a breach and it has to be reported at some point to the Department of Health and Human Services, you want to make sure you are reporting all the necessary data. So at a minimum I would have covered entities check with their business associates and make sure that they have a system in place for collecting information about an incident which could ultimately lead to a breach, and that the fields for the data they are collecting actually match up with the fields on the Department of Health and Human Services web page where covered entities are supposed to report breaches, either annually or within 60 days if it is over 500 patients. So you really want to make sure they are collecting the right data.
I would also ask business associates if they have insurance that would cover them in the event there was a breach. This whole breach notification process can be very expensive: sending out first class letters, following up, maybe even doing some type of change to the web sites and notifying patients about the breach; somebody has got to pay for that. So I would say that they want to make sure they have got insurance coverage that would also cover the business associate in the event of some kind of data breach.
ANDERSON: Should healthcare organizations rewrite or amend their business associates contracts in light of the breach notification rule? And what details need to be added?
WALSH: Yes, I would say they want to update their business associate agreements. A couple of things I would put in for sure: One is I would define the term "breach," because breach now takes on this special meaning under the HITECH Act under the breach notification process. ... So we want to make sure everyone is clear on the meaning of the word breach.
I would also, at a minimum, put in the definition of "unsecured protected health information." Again, that is something that is defined in the rule. I would say that they want to make sure data is either encrypted following NIST guidelines, or the Federal Information Processing Standards (FIPS) Publication 140-2, as that is what is called out in the regulation.
Most of the older business associate agreements say that the business associate will put in appropriate safeguards and controls: administrative, physical and technical. I would put in there now that they specifically have to comply with the sections of the HIPAA Security Rule 164.308, 164.310, 164.312 and 164.316, so that they understand that they have to comply with all of the HIPAA Security Rule.
The other thing I would also put in there is some guidance on what data needs to be collected, as we talked about earlier, if there was an incident or a breach, and how they would communicate that back to the covered entities. Most business associate agreements don't say how to report; they just say to report it. So you sure don't want them to send it in an e-mail. I would want to have a secure channel, and I would want to tell them who to send it to, when they should send it to the person, and then also put in there something about how, under the business associate agreement, they may actually be involved in working with the covered entity to remediate it and maybe even possibly share in the costs if notification letters had to go out and it was the business associate's fault.
So those are some of the key things you would want to put into the business associate agreement. I would also want to remind them that under the HIPAA Security Rule, any policies or procedures they create should be retained for six years from the date of creation. It is in the rule, but it is kind of a nice little reminder to put that in the agreement.
ANDERSON: Okay, just to reiterate, what is the single best procedure for business associates to use for reporting the breach to their partner? And, what about the best procedure for notifying consumers affected by the breach?
WALSH: Well, we will start first with the contacting of their healthcare partners or the covered entities. So there should be some well-defined structure as far as what they are collecting, and the kind of basic questions of who, what, where, when, why and how. You don't want them to send this in an e-mail. If they send it certified mail, how many days is it going to take to get there?
Certain states have more restrictive laws as far as breach notification than the federal government. For example, in California, they only have five calendar days to report a breach to the state department of health. You are not going to make it in five days if your business associate doesn't report it to you until 10 or 15 days after the event occurred. So you really need to be specific as far as when they report it. And then I would say it would really help to give the name of the person that you want them to report it to, the contact information of that person, the telephone number, cell phone number, so that someone can get that call. If they are not there, who is their backup that they can call to report this?
And then as far as business associates notifying consumers, they probably want to create for themselves some type of templates in advance. If they had to do a breach notification, whether it be to their covered entity, or to the actual patients or individuals whose data was compromised, it is better to have that template done in advance when you are not under pressure, when you have time to get legal review and marketing input on it.
ANDERSON: How often should healthcare organizations touch base with their business associates for updates on their breach notification plans?
WALSH: I would say you would want to do it at least annually, and I would think you would want to do it in the last quarter of the year. That is because reports of all breaches, no matter the size, are due to the Department of Health and Human Services within 60 days after the end of the calendar year. So you have until about March 1 to get those reports in. So by checking with your business associates in the last quarter of the year, you can ask them then: Did you have any incidents throughout the year that we needed to report at the end of the year? Do you have everything? Are your plans okay? Have you got everything working properly so that you can report that to us on time?
Any more often than annually may be too burdensome because a lot of covered entities do business with multiple business associates and they have a lot of contracts out there.
ANDERSON: Finally, now that the HIPAA security and privacy rules and the penalties apply directly to business associates, what steps would you recommend that those business associates take to improve security and minimize the risk of breaches?
WALSH: I think it would be good for business associates to have some third party come in and verify that the controls and safeguards they have in place meet typical healthcare standards. Many of these organizations have for years agreed to put in appropriate safeguards and controls, but one person's definition of what is appropriate may not meet another person's definition. Having an impartial party, like a third-party auditor, come in and review it would add credibility when the business associate says to the covered entity, "We are doing our part to protect your data and here is our proof."
Within the financial world, generally when you do work with business partners they do an audit...and so what I see is probably in the future there will be similar audit-type criteria established for healthcare organizations that they could ask their business associates to go through so that when they tell us that they are protecting data properly, we have got some assurance that they, in fact, really are protecting it.
ANDERSON: Well, thanks very much, Tom. We have been talking today with security consultant Tom Walsh. This is Howard Anderson of Information Security Media Group.