Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

OCR Cracking Down On Business Associate Security

Posted on May 13, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For most patients, a data breach is a data breach. While it may make a big difference to a healthcare organization whether the source of a security vulnerability was outside its direct control, most consumers aren’t as picky. Once you have to disclose to them that the data has been hacked, they aren’t likely be more forgiving if one of your business associates served as the leak.

Just as importantly, federal regulators seem to be growing increasingly frustrated that healthcare organizations aren’t doing a good job of managing business associate security. It’s little wonder, given that about 20% of the 1,542 healthcare data breaches affecting 500 more individuals reported since 2009 involve business associates. (This is probably a conservative estimate, as reports to OCR by covered entities don’t always mention the involvement of a business associate.)

To this point, the HHS Office for Civil Rights has recently issued a cyber-alert stressing the urgency of addressing these issues. The alert, which was issued by OCR earlier this month, noted that a “large percentage” of covered entities assume they will not be notified of security breaches or cyberattacks experienced by the business associates. That, folks, is pretty weak sauce.

Healthcare organizations also believe that it’s difficult to manage security incidents involving business associates, and impossible to determine whether data safeguards and security policies and procedures at the business associates are adequate. Instead, it seems, many covered entities operate on the “keeping our fingers crossed” system, providing little or no business associate security oversight.

However, that is more than unwise, given that the number of major breaches have taken place because of an oversight by business associates. For example, in 2011 information on 4.9 million individuals was exposed when unencrypted backup computer tapes are stolen from the car of a Science Applications International Corp. employee, who was transporting tapes on behalf of military health program, TRICARE.

The solution to this problem is straightforward, if complex to implement, the alert suggests. “Covered entities and business associates should consider how they will confront a breach at their business associates or subcontractors,” and make detailed plans as to how they’ll address and report on security incidents among these group, OCR suggests.

Of course, in theory business associates are required to put their own policies and procedures in place to prevent, detect, contain and correct security violations under HIPAA regs. But that will be no consolation if your data is exposed because they weren’t holding their feet to the fire.

Besides, OCR isn’t just sending out vaguely threatening emails. In March, OCR began Phase 2 of its HIPAA privacy and security audits of covered entities and business associates. These audits will “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standard interpretation specifications of the Privacy, Security, and Breach Notification Rules,” OCR said at the time.

Covering Your Practice When Using a Hosted EHR

Posted on June 12, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The following is a guest post by William O’Toole discussing a really misunderstood topic about clinic responsibility in a hosted EHR environment and how to protect your clinic. This ties in really well to Katherine’s previous post about Business Associates HIPAA Preparation.

Too many times people in EMR acquisition mode have made the assumption that hosted solutions automatically insulate the customer provider from liability for data breach or unauthorized disclosure of patient information, which is unsettling because it is simply not true. Health care providers are always responsible to patients for these unfortunate situations and nothing in HIPAA or the HITECH Act shifts that responsibility to the vendor of the hosted software solution. While HITECH does extend compliance requirements and potential penalties to vendors that provide services to providers involving patient information, this does not mean that the provider is not responsible to the patient.

All that gloom aside, it is completely possible to protect the provider organization through indemnification language in the software agreement with the vendor. In situations where the fault (violation of HIPAA) lies with the vendor that is hosting the software, and controlling and possessing patient data, if no indemnification provision exists, then any award for damages in a patient lawsuit would have to be paid by the provider without any contribution from the vendor. Think of the indemnification in that manner. It basically means that if there is a violation, and it is caused in part by the vendor, then the vendor will contribute to the payment of damages to the extent it was at fault.

An indemnification from a vendor Business Associate to a provider Covered Entity for any data breach or unauthorized disclosure of patients’ Protected Health Information (capitalized terms as defined under HIPAA) is critical in light of ARRA/HITECH and its impact on HIPAA. Briefly, ONC will be investigating, auditing, and penalizing both Covered Entities and Business Associates through powerful enforcement of HIPAA as mandated by the HITECH Act.

Providers should review all IT vendor contracts and Business Associate Agreements with those vendors. Ideally, for every vendor relationship with your hospital or practice, those two contracts should have matching language stating that the vendor will indemnify your organization for data breaches or unauthorized disclosures caused by the vendor. There are cases where the main customer/vendor agreement does not contain such language but the Business Associate Agreement does, which is still good. If absent from both, your organization is seriously exposed and you must consider the potential consequences and amend the agreements to include this type of protection whenever possible.

INDEMNIFICATION means a party to an agreement takes on financial responsibility for its actions and is legally obligated to pay damages to the other party. As you read a proposed contract, substitute “pay money to” in place of “indemnify”. It means the party will pay the damages resulting from its actions that would otherwise be paid by the other party if no indemnification existed. Look carefully at what indemnification(s) your organization is asked to provide, and what the other side is offering for indemnification. This comparison must be carefully considered before signing anything.

LIMITATION OF LIABILITY means the vendor is stating (often in ALL CAPS) what it is NOT responsible for. Typical exclusions are “special, incidental and consequential” damages. What this means is that while the vendor might take on responsibility for direct damages for something like product failure, which is often limited to the value of the contract, it purposely disclaims any responsibility for damages over and above the cost of the product. If consequential damages are disclaimed and excluded, the provider could only hope to receive a refund, which would exclude any additional costs like outside consulting trying to make the original product work for your organization, or the additional cost for a more expensive replacement product.

Important note: If you are able to obtain indemnification from a vendor as described above, you must also make sure that any limitation on consequential damages specifically and expressly excludes the indemnification provision. This means that the indemnification will cover both direct damages and then anything over and above that amount, which would be the consequential damages portion.

In summary, as a general statement, a hosting solution by itself does not provide legal protection for data breaches or unauthorized disclosures of patient information. That protection must be negotiated in your contract with the vendor in the form of an indemnification and it is very important.

This posting provides general contract information and is not intended as specific legal advice.

William O’Toole founded the O’Toole Law Group following twenty years as counsel for Medical Information Technology, Inc. (Meditech). His practice is concentrated in health care IT contract review and negotiation. He can be contacted directly at wfo@otoolelawgroup.com.