We had our regular HIPAA training with all of our SOS staff this morning. This is a sometimes unexciting meeting, as we review SOS policies and procedures related to HIPAA and Protected Health Information (PHI). This morning, we noticed that the amount we have learned about HIPAA, our responsibilities as a Business Associate and the responsibilities of our mostly behavioral health customers as Covered Entities has resulted in much more refined discussion of what we should all be thinking about.
One of our regular concerns is that we, as a Business Associate to our customers, have in place and understand how to act on, policies and procedures to protect the PHI of our customers should it ever be in our hands.
This morning we found ourselves talking about the danger to Covered Entities of not having Business Associate Agreements (BAAs) with their computer tech, maintenance and repair consultants, and having no idea what the policies and procedures of those Business Associates are.
The Office of Civil Rights (OCR) sent out this information on May 3, 2016:
Covered Entities Should Consider:
1. Defining in their service-level or business associate agreements how and for what purposes PHI shall be used or disclosed in order to report to the covered entity any use or disclosure of PHI not provided for by its contract, including breaches of unsecured PHI, as well as any security incidents.
HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304). HIPAA also identifies breaches as, generally, an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information. (See the definition of breach at 45 CFR 164.402).
According to the US-CERT, cybersecurity incidents could include the following types of activity, but are not limited to:
§ Attempts (either failed or successful) to gain unauthorized access to ePHI or a system that contains ePHI.
§ Unwanted disruption or denial of service to systems that contain ePHI.
§ Unauthorized use of a system for the processing or storage of ePHI data.
§ Changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent.
2. Indicating in the service-level or business associate agreements the time frame they expect business associates or subcontractors to report a breach, security incident, or cyberattack to the covered entity or business associate, respectively. Keep in mind; incident-reporting should be done in a timely manner, and covered entities are liable for untimely HIPAA breach reporting to affected individuals, OCR, and the media, as applicable. The quicker the incident is reported, the faster a covered entity or business associate can respond, possibly:
§ Minimizing the damages caused by the security incident.
§ Protecting and preventing further loss of electronic patient health information.
§ Preserving evidence for forensic analysis, if necessary.
§ Regaining access to and secure information systems.
3. Identifying in the service-level or business associate agreements the type of information that would be required by the business associate or subcontractor to provide in a breach or security incident report. The report should include:
§ Business associate name and point of contact information.
§ Description of what happened, including the date of the incident and the date of the discovery of the incident, if known.
§ Description of the types of unsecured protected health information that were involved in the incident.
§ Description of what the business associate involved is doing to investigate incident and to protect against any further incidents.
4. Finally, covered entities and business associates should train workforce members on incident reporting and may wish to conduct security audits and assessments to evaluate the business associates’ or subcontractors’ security and privacy practices. If not, ePHI or the systems that contains ePHI may be at significant risk.
I know all of you have BAA’s in place, so the OCR’s advice is just repetitious to you. Or do you? If you do not know what your BAA’s should and do contain, if you do not have BAA’s with everyone who is not your employee and who may see your PHI, if you do not know your responsibilities as a Covered Entity, if you do not regularly train your employees on HIPAA and its requirements…please take a look at OCR’s website where this information is provided.
We worry about you guys! Please make sure you (and your patients) are protected!
Barbara Langley says:
One of the reasons that SOS is the first software company that I refer to anyone that is making an inquiry is because SOS is watching out for us. As the saying goes, “You’re watching our backs.” It’s very hard to keep up with all of the HIPPA and PHI regulations. I have had a small billing service for mental health providers for 22 years. As my business grew I’ve had two people work with me as subcontractors I’ve had these individuals sign Business Associate Agreements as well as confidentiality agreements. I appreciate your well-researched advise and help.
Kathy says:
Thank you, Barbara.
Kim Giacalone says:
Kathy, Am I correct that a Billing Service should have a BAA in place with each customer/provider? I see on the HHS page, under the Sample BAA it states
” A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.” Thanks, Kim
Kathy says:
As I understand it, it is actually just the opposite, Kim. A provider who uses a Billing Service, as the Covered Entity, is required by HIPAA to have a BAA with the Billing Service. However, I would not wait for the provider to request a BAA. As a Billing Service, I would insist on having a BAA and would offer a standard one. The Billing Service is a Business Associate whether the provider has a BAA with them or not, so best to be covered by an agreement.
BTW, that is what we do with our customers. We provide a BAA and insist that they sign it, even though it is actually their responsibility to require one of us. Whenever a customer provides us with their own BAA, we sign that instead of our standard one.