Third-party business partners are a significant security risk for health care providers, which may need several layers of protection to keep patient data secure.
The HIPAA Privacy Rule refers to third parties as "business associates" and defines them as individuals or organizations that handle protected health information, or PHI, in the course of working with a covered entity. The category may cover a range of companies, including data processing firms, IT consultants and cloud computing providers.
HIPAA's Security Rule calls for covered entities to create contracts with business associates to ensure that the partner "will appropriately safeguard" PHI. The HITECH Act of 2009 further strengthened HIPAA's rules regarding business associates and security obligations.
While the HIPAA rules have been around for a while -- the Security Rule's compliance date goes back to 2005 -- hospitals and other health care providers have not consistently given much attention to business associate security.
"It's a mixed bag," said Jan Hertzberg, managing director at Grant Thornton, an audit, tax and advisory services firm.
Hertzberg said many covered entities meet the business associate agreement requirement. But he suggested that such contracts might not be enough to protect health care providers, given HITECH's additional focus on data security and privacy.
Hertzberg said that health care providers "are becoming painfully aware of how [third-party security] affects their business, and they have to go beyond that."
Indeed, recent third-party breaches have exposed health care providers and their partners to legal consequences, while failure to adequately address business associate security has resulted in government action. For example, Stanford Hospital & Clinics is facing a $20 million class action lawsuit after the personal data of 20,000 patients ended up on a publicly accessible website. The hospital said it sent encrypted data to Multi-Specialty Collection Services, a business and financial support contractor.
According to a statement from the hospital, MSCS prepared a spreadsheet based on the patient data and delivered it to "a third person who was not authorized to have that information and who improperly posted it on a website."
Business associates were involved in three of the top five breaches occurring in 2011, according to Redspin's analysis of breach data reported to HHS. The company's 2011 Breach Report states, "Total records breached at business associates grew 76% in 2011 as compared to 2010."
In April, Phoenix Cardiac Surgery reached a settlement with HHS in which the physician practice agreed to pay $100,000 and implement policies and procedures to protect PHI. An HHS statement said the agreement followed an "extensive investigation" into potential violations of HIPAA privacy and security rules. For instance, HHS' Office for Civil Rights found that the physician practice "failed to obtain business associate agreements with Internet-based email and calendar services."
The business associate agreement is the baseline of third-party security. The Security Rule stipulates that such agreements must direct business associates to protect the "confidentiality, integrity and availability" of the PHI in their possession. Although the rule provides little formal guidance beyond that general directive, health care providers can take a few steps to strengthen their business associate agreements.
Amy Fehn, partner at health care law firm Wachler & Associates, said a covered entity can create a business associate agreement that includes indemnification to help cover the notification costs involved if a business associate causes a breach.
"If they need to notify thousands of people because of the business associate's breach, the covered entity will want to have the business associate pay the costs," Fehn said.
Health care providers also might want their partners to agree to a tighter breach notification schedule. HHS' interim final rule on breach notification gives covered entities a 60-day window, running from the time the covered entity discovers the breach, to notify affected individuals. However, the regulations "attribute knowledge of a breach" held by a covered entity's agent -- which could be a business associate -- to the covered entity itself, so the covered entity's clock can start when the business associate discovers the breach. Business associates, meanwhile, have their own 60-day timeline for notifying the covered entity. Taken together, a covered entity might not learn of a business associate's breach until nearly the end of its own 60-day window.
Fehn, noting that those schedules don't match up, said a health care provider can require their business associates to adhere to a stricter notification timeframe -- within 24 hours of discovering a breach, for example.
The final rule on breach notification will "probably shed some more light on the business associate relationship," Fehn noted. HHS' final HIPAA Omnibus Rule, expected later this year, will include the final breach notification regulations.
Beyond the Agreement
Some HIPAA observers believe the business associate agreement doesn't provide complete protection.
Mac McMillan -- chief executive officer at CynergisTek, a company that specializes in health IT security -- said a comprehensive vendor management program can provide additional protection for health care providers. He noted that such a program should include:
Due diligence in contracting: According to McMillan, health care providers need a good process for vetting vendors during the request-for-proposals or selection process. For example, a health care provider could ask a prospective business associate to complete a security questionnaire to confirm that the partner has a security program in place.
Business associate agreements and security addenda: McMillan said that health care providers should craft a solid business associate agreement that covers basic responsibilities of the partners for breach notification and other topics. He also advised health care providers to have a security addendum that spells out data protection requirements -- such as how data should be transferred -- in more detail.
Monitoring mechanism: McMillan said that a business associate relationship should be monitored throughout the life of the contract to ensure proper data management. With that in mind, a health care provider can request documentation of a business associate's security assessments or conduct its own audit of the business associate.
Incident management plan: If a breach occurs, the covered entity and business associate should have a plan on hand that spells out the responsibilities of each party, McMillan said.
Procedure for termination: According to McMillan, covered entities and business associates should establish a process for handling PHI once a contract has been terminated. That could mean destroying the data or returning it to the covered entity.
To further prepare themselves for potential data breaches, Hertzberg recommended that health care providers take the time to update their inventories of vendors that handle PHI -- or create a list if one doesn't exist.
"There are third parties being signed up all the time and people don't even think it is necessary to let the general counsel know," he said.
With the inventory in hand, health care providers can risk-rank their vendors. For example, business associates could be ranked based on the sensitivity of the data they manage. Hertzberg said the risk-ranking process is a good way to ensure that health care providers focus their security efforts on the highest-risk vendors.
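One way to put the vendor management items and the inventory risk-ranking into practice, as an added example (not code from the article, Grant Thornton or CynergisTek): a small Python script that scores each vendor on the sensitivity of the data it handles, how it accesses that data, the volume of records and any onward sharing, then adds a penalty for each missing control (no business associate agreement, no security addendum, no tight contractual notification deadline, no recent security assessment) so the vendors that need attention first rise to the top of the report. The field names, weights, thresholds and the sample inventory are assumptions constructed for illustration.

```python
"""Risk-rank a PHI vendor inventory and flag business associate control gaps.

Added example, not code from the article or the firms it quotes. The field
names, scoring weights, thresholds and the sample inventory are assumptions
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed sensitivity tiers for the data a vendor handles (higher is riskier).
DATA_SENSITIVITY = {"deidentified": 1, "limited_dataset": 2, "phi": 3, "phi_bulk": 4}
# Assumed weights by how the vendor touches the data: receiving extracts is
# less exposure than remote access, which is less than hosting the data.
ACCESS_WEIGHT = {"extract": 1, "remote_access": 2, "hosted": 3}


@dataclass
class Vendor:
    name: str
    data_sensitivity: str            # key of DATA_SENSITIVITY
    access: str                      # key of ACCESS_WEIGHT
    record_count: int                # approximate patient records handled
    baa_signed: bool                 # business associate agreement on file
    security_addendum: bool          # addendum spelling out data-protection requirements
    notify_hours: Optional[int]      # contractual breach-notification deadline; None if unspecified
    last_assessment: Optional[date]  # date of the last security assessment/questionnaire we hold
    subcontractors: int = 0          # downstream parties the vendor passes data to


def volume_tier(record_count: int) -> int:
    """Assumed bands: <1k -> 0, <10k -> 1, <100k -> 2, otherwise 3."""
    for tier, limit in enumerate((1_000, 10_000, 100_000)):
        if record_count < limit:
            return tier
    return 3


def inherent_risk(v: Vendor) -> int:
    """Risk from what the vendor holds and how, before looking at controls."""
    return (DATA_SENSITIVITY[v.data_sensitivity] * ACCESS_WEIGHT[v.access]
            + volume_tier(v.record_count)
            + min(v.subcontractors, 2))  # cap: onward sharing matters, but not linearly


def control_gaps(v: Vendor, today: date,
                 max_notify_hours: int = 24,
                 assessment_max_days: int = 365) -> List[str]:
    """Contract and monitoring items missing for this vendor (assumed policy)."""
    gaps = []
    if not v.baa_signed:
        gaps.append("no business associate agreement on file")
    if not v.security_addendum:
        gaps.append("no security addendum")
    if v.notify_hours is None or v.notify_hours > max_notify_hours:
        gaps.append(f"breach notification not contractually within {max_notify_hours} hours")
    if v.last_assessment is None or (today - v.last_assessment).days > assessment_max_days:
        gaps.append(f"no security assessment within {assessment_max_days} days")
    return gaps


def risk_score(v: Vendor, today: date) -> int:
    """Inherent risk plus a fixed penalty per control gap (assumed weighting)."""
    return inherent_risk(v) + 2 * len(control_gaps(v, today))


def rank(vendors: List[Vendor], today: date) -> List[dict]:
    """Highest-risk vendors first; ties broken by name for a stable report."""
    ordered = sorted(vendors, key=lambda v: (-risk_score(v, today), v.name))
    return [{"name": v.name, "score": risk_score(v, today), "gaps": control_gaps(v, today)}
            for v in ordered]


# Constructed sample inventory; the names are placeholders, not real vendors.
TODAY = date(2012, 6, 1)
SAMPLE_INVENTORY = [
    Vendor("Hosted EHR platform", "phi_bulk", "hosted", 250_000, True, True, 24,
           date(2012, 2, 15), subcontractors=1),
    Vendor("Collections contractor", "phi", "extract", 20_000, True, False, None,
           None, subcontractors=1),
    Vendor("Calendar and email SaaS", "phi", "hosted", 5_000, False, False, None, None),
    Vendor("Document shredding service", "deidentified", "extract", 500, True, True, 24,
           date(2011, 11, 10)),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_INVENTORY, TODAY):
        print(f"{row['score']:>3}  {row['name']}")
        for gap in row["gaps"]:
            print(f"       - {gap}")
```

Separating inherent risk from control gaps is deliberate: the first tells you which vendors would hurt most if breached, the second tells you where the contract or monitoring work is still undone, and the combined score puts a vendor with no agreement on file ahead of a larger but well-covered one, which is the pattern in the Phoenix Cardiac Surgery settlement described above.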
Hertzberg said a holistic approach to data breach protection prepares health care providers to take on the challenge of third-party risk.
"The right approach is not necessarily to say, 'We are not going to leverage outside third parties,'" Hertzberg said. "There is a risk, so we need to improve our controls and do the best job we can."