Managing Business Associates
Experts Offer Insights on Preventing Breaches
Writing a good business associate agreement that spells out privacy and security expectations is one important risk mitigation step. But hospitals, clinics, insurers and other healthcare organizations should go beyond that step to create a comprehensive vendor management program, security experts advise.
They also urge healthcare organizations to give business associates access to the least possible amount of patient information to help minimize risk. And they encourage security professionals to ask business associates challenging questions about their business practices.
Vendor Management
About 20 percent of the major health information breaches reported to federal authorities so far, including two of the largest incidents, have involved business associates (see: 11 Million Affected by Major Breaches). Thus, good vendor management is an essential component of any breach prevention strategy.
"I would recommend defining a formal vendor management program ... to set the policy and procedures for engaging with vendors," says Christopher Hourihan, manager of development and programs at the Health Information Trust Alliance (see: Business Associate Management Tips). "Set expectations from a security perspective ... and then set up how to actually go about validating that upfront, prior to the contract signing, and then on a continual basis."
Expectations for vendors should be based on the level of risk involved and the size of the business associate, Hourihan and others advise. The vendor management program "should be a risk-based program to provide some flexibility for business associates that are small ... and have a limited impact on your organization," he notes. In contrast, a business associate using cloud computing to host an application should be required to meet higher standards, such as sharing the results of an annual third-party security review, he adds.
Sanjeev Sah, information security officer at Amedisys Inc., one of the nation's largest home healthcare providers, says that he writes detailed security provisions into initial contracts with larger business associates, rather than including them in a standard business associate agreement. That's because many smaller vendors wouldn't sign a business associate agreement if it were too demanding, he says.
As a result, contracts with large vendors might "call out specific types of safeguards," such as access controls and encryption, Sah says. For a cloud computing vendor, the contract might require complete documentation of all security steps plus the right to conduct an audit, he explains.
Business Associate Agreement
Certain key security issues, however, should be addressed in all business associate agreements, Hourihan and other experts say. For example, the agreements should spell out expectations for how the vendor will notify the healthcare organization of a breach.
If a vendor lacks an incident response plan, "it should throw up a huge red flag," says Brian Lapidus, chief operating officer at Kroll Fraud Solutions (see: Business Associates: Minimizing Risk). Also, healthcare organizations should make sure the vendor's plan includes "a mechanism to alert clients without unreasonable delay so that the covered entity can abide by the HITECH Act [breach notification] rule," he says.
Good Samaritan Hospital in Vincennes, Ind., requires its business associates to notify the hospital within seven days of any security incident, says Terry Allen, internal auditor and compliance officer. That's because hospitals must report breaches to federal authorities within 60 days, he notes. "We want to make sure that we have plenty of time to get our ducks in a row and decide how to handle it," he adds.
But business associate agreements should go beyond simply requiring that vendors comply with HIPAA or HITECH, Hourihan stresses. "The organization should specify its own security policies and requirements," he says, and then set the expectation that the vendor will meet those same requirements.
The agreements also should spell out permitted uses of protected health information and rules for how and when it can be disclosed to others, Lapidus says.
In addition, healthcare organizations should take steps to share the least amount of patient information possible with their business associates, Lapidus stresses. "You have to focus on what data is really required by that business associate to perform services so that you can limit access to the minimum necessary," he says. "The simple truth is that if you limit access, you limit risk."
Questions to Ask
Important questions to ask business associates regarding privacy and security include:
- Have you conducted a risk assessment in the past year, and can you provide a copy of the results? Hourihan recommends also asking vendors for a copy of a "corrective action plan" to "validate that not only do they understand where their risks are, but they are actively doing something to remediate those risks." He also recommends asking specific questions about security controls for mobile devices and media, given the high number of breaches that have involved these technologies.
- What type of background check do you perform on your employees? "Background screening is a move that mitigates risk and demonstrates organizational commitment to safety and security," Lapidus says.
- How will data be stored, accessed, shared or transmitted? "This may be the most vital question you ask," Lapidus says. Healthcare organizations also should take steps to ensure vendors "are employing stringent access controls to safeguard data."
- Do you have a comprehensive privacy awareness training program for your employees?
- Will you allow us to perform an onsite review or audit? "Onsite reviews ... offer a first-hand glimpse of how privacy and security is handled on a day-to-day basis," Lapidus says. He also advises asking business associates if they have been accredited or audited by third parties.
- Will you use subcontractors, and how is data protected when it's shared with those other vendors?
A proposed federal Accounting of Disclosures rule would require organizations to give patients, upon request, an access report listing everyone who has viewed their records, including, in some cases, business associates. Although the rule is not yet final, Hourihan says it makes sense to at least begin asking business associates about their ability to log access to protected health information.