This past month I had the opportunity to participate in several national and regional healthcare conferences and meetings around the country, and one of the main topics of discussion at each of those events was business associates. In particular the effects the HIPAA omnibus rule has had on responsibilities and the relationship between covered entities and their vendors.
For the most part, those changes were subtle, but one of the most important was the source of much misunderstanding. That change, of course, is the renewed emphasis the omnibus rule places on vendor security management and the responsibility that covered entities bear for performing appropriate due diligence.
As usual, much of the discussion centered on updating business associate agreements. There's no doubt that these are important, but responsibility for managing business associates starts well before the BAA and carries on well after contracts and agreements are in place. An encouraging number of organizations seemed to recognize that this was the new paradigm and that their security programs would need to reflect more attention to vendors and their security.
Where to start
Considerations for security should begin as soon as an acquisition is anticipated. Level of access to protected health information, performance specifications and duration of the contract are all important factors when deciding selection criteria for prospective vendors. A security questionnaire as part of the RFI/RFP process or source selection process that asks the right questions to evaluate vendors readiness against these requirements helps to narrow the field to only those that are best suited to perform successfully.
It's also important to determine at the onset of contracting what exactly constitutes "minimal necessary" for this engagement. Minimal necessary is defined as the minimum amount of necessary access or information that needs to be shared with the vendor to support the contracted purpose. Separate guidance on minimal necessary is forthcoming from the HHS Office for Civil Rights sometime in the next several months. The OCR has said it will issue guidance by the end of 2013.
Organizations should share their security questionnaire, specific security expectations for this contract and their BAA to support due diligence with vendors during this early stage of the contracting process. Only those vendors who demonstrate their ability or willingness to meet these requirements should advance to the next stage.
Contracting
Next up is documenting privacy and security requirements and more detailed due diligence. As the contracting process begins, depending on the requirements of the contract, providers may consider additional evaluation of vendors to include a review of documentation, interviews of certain staff members and possibly site visits for certain vendors where appropriate. BAAs should be updated to include modifications to the security and privacy rules. Contracts initiated after Jan. 25, 2013 and those updated or modified after that date must reflect the omnibus changes. All others in effect prior to Jan. 25 and not scheduled for change must be updated by Sept 23, 2014.
When considering updates for the BAA, organizations also need to consider other factors such as notifications concerning material changes in the vendors' business model (how or where they store information), new relationships such as additional subcontractors and requests for protected health information by external parties (OCR, law enforcement, etc.). Minimize the opportunity for surprises. Unique security requirements should be captured either in the contract itself or in a separate security agreement as part of the contract. Things to capture here include secure transmission requirements, proof of compliance documentation requirements and proof of third party evaluations.
Ongoing maintenance and monitoring
There is nothing in HIPAA or the omnibus rule that says an organization has to actively monitor its business associates, but the implication is there for organizations to be aware of their vendors and issues that could arise. The need for monitoring, like other requirements in security, should be risk-based. That means the level of monitoring and the activities involved should correspond to the level of risk associated with the contract. A vendor who only has access to protected health information when on site presents a much different risk profile than one that hosts information or applications, or even the infrastructure. A cloud vendor presents a different set of risk factors than a company providing transcription services, for instance.
In its simplest form, monitoring may only include requesting and reviewing security related documentation from vendors such as policies, proof of training, proof of background investigations, third party security evaluations and facility assessments such as SAES 16 reports. If the vendor is hosting data or systems, the documentation requested may be more specific, like proof of back-ups, actual contingency test reports, proof of terminations and destruction certificates.
Some organizations may consider site visits or may require a third party security assessment. Anything that a covered entity would have to produce in support of an audit or investigation is certainly open for review. There are also several new products and services on the market now to assist organizations in managing their business associates. These tools allow providers to register all of their vendors, identify which ones are business associates and what requirements need to be monitored. There are also tools that enable and manage vendor access to corporate assets.
When incidents happen
Planning for incidents is necessary, and the omnibus rule not only finalized breach notification procedures but also made sure that business associates knew they were responsible for being prepared should an incident occur. The business associate is still responsible for informing the covered entity, and they still have the bulk of the notification requirements to include the local media, OCR and, most importantly, the victims of a breach.
One factor that may impact the level of incident readiness organizations expect from their vendors could be omnibus rule changes in enforcement. The removal of the requirement for OCR to offer informal resolution prior to going to the penalties will make it easier for OCR to seek a formal outcome. That coupled with the additional subjective criteria when determining penalties that focus on measuring the potential impact of a breach makes it all the more important that covered entities know and understand their vendors' readiness.
The BAA should lay out the expectations for the vendor in terms of process, documentation and notification. Under the final rule, the definition of breach has changed and requires an integrated approach to analyzing events around the breach that involves both the covered entity and the business associate. So, the first thing covered entities will want to communicate to vendors are their expectations around the breach process and timelines for notifications. Indemnification for costs associated with breaches should be included in the contract.
Closure
All contracts have a termination date and require disposition instructions for both access and retention of data. Detailed requirements should be documented in the contract or security addendum that describes exactly what the vendor has to do in the event the relationship ends. The contract or addendum should also specify how to eliminate and document any and all access to patient information and instructions for returning or destroying all patient information in their possession. Related to this is other paperwork such as destruction certificates.
Termination procedures also need to take into account any subcontractors involved. There is a certain amount of risk here that cannot be eliminated. If a vendor chooses to retain information despite instructions to the contrary, short of running a data loss prevention assessment, it may not be discovered. This documentation will be very important should a breach occur later involving a covered entity's information has after that entity has terminated its relationship with the vendor. Minimally it should include termination instructions, methods of return or destruction and destruction certificates.
The omnibus rule marks a paradigm shift for covered entities and business associates that places greater emphasis on both to understand and collaborate on readiness. That readiness begins with developing security requirements and performing due diligence prior to contracting when selecting vendors.
Then, during contracting, the organizations involved must incorporate the right controls in the BAA and contract itself. There needs to be monitoring and auditing performed throughout the life of the agreement. It ends when the contract terminates, all access has been removed and all patient information has been returned or destroyed properly.
Covered entities can no longer afford to just issue blanket BAAs to vendors. A lifecycle approach to vendor security management is needed. For many covered entities, this will mean greater rigor around their processes and even the creation of vendor management functions due to the large number of vendors they may have. More guidance is coming, and it will also affect the business associate relationship. Guidance such as how to apply minimal necessary and the accounting for disclosure rule will be issued in the near future, and it too will need to be incorporated into business associate agreements and vendor management processes. No matter how you slice it, vendors are both integral to the industry's success and critical to achieving compliance.
Mac McMillan is co-founder and CEO of CynergisTek, Inc., a firm specializing in the areas of information security and regulatory compliance in healthcare. He is the current chair of the HIMSS Privacy & Security Policy Task Force. Mr. McMillan brings over 30 years of combined intelligence, security countermeasures and consulting experience to his position from both government and private sector positions. He has worked in the healthcare industry since his retirement from the federal government in 2000 and has contributed regularly to organizations such as HIMSS, HCCA, AHIA, AHIMA, AAHSA, HFMA and AHLA and contributes regularly to the thought leadership around data security in healthcare.
More Articles on HIPAA Compliance:
The New HIPAA Rule: The Ticking Time-Bomb of Unsecured Text Messaging
Don't Let Human Error Compromise Patient Data
Warning: Every Business Associate Poses Risk to Your Hospital