What Cybersecurity Obligations Do Business Associates Have Under HIPAA?
Under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, some, but not all, HIPAA requirements apply to business associates. Business associates handling electronic PHI have specific obligations to comply with the HIPAA Security Rule. OCR issued regulations in 2013 implementing the HITECH Act, including regulations regarding the particular portions of the HIPAA rules applicable to business associates. Informal OCR guidance on its website indicates that business associates can be held directly liable for the following HIPAA violations:
- Failure to provide the Secretary of HHS with certain records and cooperate with compliance investigations;
- Retaliation against someone for filing a HIPAA complaint;
- Committing Security Rule violations;
- Failing to provide breach notifications to a covered entity or another business associate;
- Impermissible uses and disclosures of PHI;
- Failing to provide electronic copies of PHI upon an individual’s request;
- Failing to comply with the minimum necessary rule;
- Failing to account for disclosures when required;
- Failing to enter into business associate agreements with subcontractors; and
- Failing to take reasonable steps to address material violations of a subcontractor’s business associate agreement.
The HIPAA Security Rule requires a business associate to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the … business associate.” Also, business associates must implement security measures sufficient to reduce such risks and vulnerabilities to a reasonable and appropriate level. These provisions require business associates using or disclosing electronic PHI to implement cybersecurity protections for the data.
Are Covered Entities Liable if a Business Associate Has a Cyber Incident?
Whether a covered entity is liable for the acts of its business associate will require a fact-intensive analysis. Government guidance has been conflicting about whether covered entities can be liable for breaches committed by their business associates. Longstanding informal guidance from OCR has stated unequivocally that a covered entity is not liable for, nor is it required to monitor, the actions of its business associates. While a covered entity could be found to have violated the Privacy Rule if it finds out that the business associate has committed a material violation and does nothing about it, a covered entity does not violate HIPAA just because its business associate does. The Centers for Medicare and Medicaid Services (CMS), however, has published fairly recent guidance that states the opposite. The CMS guidance indicates that “[a] covered entity is responsible for the noncompliance of its business associate where the business associate does not comply with an applicable HIPAA Administrative Simplification requirement.” Based on the other language of the guidance, it may be argued that this liability relates only to failure to comply with the HIPAA standards for electronic transactions, code sets, unique identifiers, and operating rules. OCR has stated, however, that “a principal is liable for penalties … for the action of the principal’s agents acting within the scope of the agency,” so a covered entity can be liable for the actions of a business associate that is an agent, as opposed to an independent contractor. Thus, “where a covered entity or business associate has delegated out an obligation under the HIPAA Rules, a covered entity or business associate would remain liable for penalties for the failure of its business associate agent to perform the obligation on the covered entity or business associate’s behalf.” In light of this, it is important to document whether a business associate is an independent contractor or an agent.
What Are Key Cybersecurity Measures to Look for When Evaluating a Business Associate?
Regardless of whether a covered entity is directly liable for government penalties for its business associate’s actions, the reality is that failure to use proper diligence in selecting business associates can lead to data breaches, which can harm individuals, as well as the covered entity’s bottom line.
A company evaluating a potential business associate should look for strong cybersecurity measures such as an information security officer and privacy officer, policies, training, encryption, third-party attestations, cyberinsurance, and other safeguards. HIPAA is flexible and scalable, so appropriate security measures may vary depending on the company, its functions, and other circumstances. When a covered entity is deciding which security measures to use, HIPAA does not specifically list those measures. But it requires the covered entity to consider: its size, complexity, and capabilities; its technical, hardware, and software infrastructure; the costs of security measures; and the likelihood and possible impact of potential risks to PHI.
Two of the main documents a company may want to request from business associates holding large amounts of sensitive data are the Written Information Security Policy (WISP) and a Security Organization Controls 2 Type II (SOC 2) audit report. While these documents, by themselves, may not constitute a complete HIPAA compliance program, they will reveal a variety of cyber controls that the business associate has implemented and give an indication of the maturity of the business associate’s cybersecurity program.
What is a WISP?
A Written Information Security Policy (WISP) is a written document that describes the business associate’s overall approach to protecting the data it handles. It gives the covered entity a high-level view of the safeguards that the entity uses to maintain the confidentiality, integrity, and availability of the data. Many companies will have a WISP as a routine business practice because the WISP addresses the company’s own obligations under data protection laws in addition to HIPAA.
HIPAA and other data protection laws generally do not contain a detailed list of exactly what the business associate or company needs to do to establish the necessary data protection measures. Instead, compliance with these laws may involve a wide range of reasonable safeguards. For example, the New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) does not mandate specific safeguards, but it provides several examples of practices that are considered reasonable safeguards. These examples suggest the types of safeguards businesses should adopt.
Specific HIPAA Safeguards
Administrative Safeguards
- Designate individual(s) responsible for security programs;
- Conduct a risk assessment that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of safeguards in place to control those risks;
- Train and manage employees in security program practices and procedures;
- Select capable service providers and require safeguards by contract;
- Adjust program(s) in light of business changes or new circumstances;
- Develop an access management plan;
- Create a security management process;
- Maintain workforce security;
- Provide information access management;
- Establish security incident response procedures; and
- Develop a contingency plan (or plans).
Physical Safeguards
- Assess risks of information storage and disposal;
- Detect, prevent, and respond to intrusions;
- Implement device and media controls to protect against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal;
- Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so the information cannot be read or reconstructed;
- Implement facility access controls and security plans; and
- Develop workstation use and security measures.
Technical Safeguards
- Develop integrity controls and regularly assess risks in network and software design to detect, prevent, and respond to attacks or system failures;
- Protect transmission security by assessing risks in information processing, transmission, and storage;
- Create audit controls and regularly test and monitor the effectiveness of key controls, systems, and procedures;
- Maintain access controls; and
- Require user authentication.
What is a SOC 2 Type II Audit Report?
A Security Organization Controls 2 (SOC 2) audit report is a third-party attestation that the organization has complied with a certain level of cyber protections. There are two types of SOC 2 reports. Type I assesses whether the design of cyber controls aligns with industry standards. This means determining whether the company’s security measures, such as data encryption during transmission and user authentication, are appropriately designed to protect patients’ sensitive medical information. A Type II report goes further to examine the ongoing effectiveness of these controls over a specific time frame, usually six to twelve months. This analysis ensures that the business associate consistently maintains the security measures it claims to have in place.
Remember that all business associates are directly liable for failure to comply with the requirements of the HIPAA Security Rule. While the SOC 2 standards are different from HIPAA, a SOC 2 Type II report can help assess whether the business associate has a robust security program that meets industry standards.
Conclusion
A covered entity is required to have a business associate agreement in place before sharing PHI with another entity that needs access to that data to perform work on behalf of the covered entity. It is prudent for a covered entity to evaluate the security measures of its business associates. The business associate should be able to show that it has certain safeguards to protect data access, transmission, storage, use, handling, and destruction. A business associate with WISP and SOC 2 Type II documentation may be able to use that documentation to demonstrate a variety of these cyber controls. If the business associate suffers a data breach, the covered entity may be able to rely on these efforts to demonstrate its commitment to protect the data.