“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
There are many lessons to be learned from last week’s settlement agreement between the OCR and North Memorial Health Care, but first let’s break down the facts to put these lessons into context.
- An unencrypted laptop with the ePHI of 6,697 individuals was stolen from a Business Associate (Accretive) workforce member’s locked car.
- North Memorial did not have an executed Business Associate Agreement with Accretive at the time of the incident.
- North Memorial and Accretive did not enter into a Business Associate Agreement until 7 months after the incident during which time the PHI of at least 289,904 individuals was shared between them.
- North Memorial Health Care did not demonstrate satisfactory risk analysis and risk management processes.
It is important to note that this breach was reported in 2011 and our practices have come a long way since then, but lesson #1 still stands – make sure you have a Business Associate Agreement (BAA) in place with every entity with whom you share ePHI/PHI, and only with those with whom you have an ePHI/PHI sharing relationship.
Covered Entities (CEs) do a pretty good job of ensuring that BAAs are in place before ePHI/PHI is shared, and Business Associates (BAs) have become more responsive to timely execution of these required agreements. That said, in our consulting work we still observe two recurring issues in the risk assessments that we perform: 1) decentralized contracting practices create gaps in BA identification, risk assessment and management; and 2) CEs overuse the BAA and make every vendor execute one to address the risk associated with “incidental contact” with PHI. The overuse of the BAA is something that the OCR has commented on frequently. Treating every vendor like a BA should not be your organization’s prevailing practice.
The OCR staff has addressed these practices in several presentations, interviews and publications stating that CEs need to know, with certainty, with whom they are sharing ePHI/PHI, the precise nature of the ePHI/PHI that is being shared, and the protection safeguards that BAs put in place. This brings us to lesson #2 – a CE should classify its vendors, create a BA inventory, and document the nature of the information sharing relationship – What PHI? How much PHI? How often? To how many BA workforce members? What safeguards does the BA have in place to protect your ePHI/PHI?
This is a tall order, and one that we find organizations are really just starting to tackle in a manner consistent with this performance benchmark that the OCR has established.
Finally, this settlement agreement, like virtually every one that precedes it, references insufficient risk analysis and risk management practices. More to come below on this recurring issue.
OCR’s Corrective Action Plans (CAPs) are incredibly instructive, so let’s look at excerpts from North Memorial’s CAP for the specific requirements that have been set for it to be in compliance going forward:
Develop Policies and Procedures Related to Business Associate Relationships
North Memorial shall develop policies and procedures that: (a) designate one or more individual(s) who are responsible for ensuring that North Memorial enters into a business associate agreement with each of its business associates, as defined by the HIPAA Rules, prior to North Memorial disclosing protected health information (PHI) to the business associate; (b) create a process for assessing North Memorial’s current and future business relationships to determine whether each relationship is with a business associate, as defined by the HIPAA Rules, and requires North Memorial to enter into a business associate agreement; (c) create a process for negotiating and entering into business associate agreements with business associates prior to disclosing PHI to the business associates; (d) create a process for maintaining documentation of a business associate agreement for at least six (6) years beyond the date of when the business associate relationship is terminated; and (e) limit disclosures of PHI to business associates to the minimum necessary amount of PHI that is reasonably necessary for business associates to perform their duties.
The OCR has given North Memorial 90 days to remediate its policies and procedures pursuant to the guidance in the CAP. The policies are the easier part. The challenge is in the procedures.
Lesson #3 – When thinking about BA management, you should work together with your BA to create the kinds of procedures the OCR references, as each party has tasks and accountabilities. These procedures should be documented in a Memorandum of Understanding, Data Agreement or similar companion document to the BAA. In most cases, the information sharing relationship is bidirectional, so the management effort should be collaborative, cooperative and, of course, risk-aware. The CE, the BA and, ultimately, our patients benefit because the integrity of the information sharing relationship improves and risk is reduced through that collaboration. This, however, is simply not the way that business is done in most organizations today. Sadly, most CEs, and most BAs for that matter, do not have the structure, tools or staff to enable this kind of reciprocal relationship. This needs to change. The OCR certainly expects better practices, as evidenced in this CAP.
Modify Existing Risk Analysis Process
Within one hundred eighty (180) calendar days of the Effective Date, North Memorial shall complete an updated, comprehensive, and thorough risk analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, and applications controlled, administered, or owned by North Memorial, its workforce members, and affiliated staff that contains, stores, transmits, or receives electronic PHI (ePHI). North Memorial shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI, which will be incorporated in its risk analysis. The risk analysis shall be forwarded to HHS for its review and approval consistent with section V.C.2 of this CAP.
Note the use of the words “workforce” and “affiliated staff” in this directive. We sometimes forget that the word “workforce” when used in HIPAA includes our BAs. Lesson #4 – your risk analysis must include your BAs and your efforts should demonstrate a clear intent to comply with how the OCR frames this requirement as evidenced in the language above. This represents a significant shift from what we see in most organizations that we assess or audit. Prudent steps need to be taken and there is a methodical way to integrate BAs into our risk analysis process.
Develop and Implement a Risk Management Plan
North Memorial shall develop an organization-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis and, if necessary, revise its policies and procedures accordingly. The risk management plan and any revised policies and procedures shall be forwarded to HHS for its review and approval consistent with section V.C.2 of this CAP.
Again, the OCR gives North Memorial 90 days to document its risk management plan after the completion of the “modified risk analysis,” but the takeaway is lesson #5 — the scope of your organization’s risk management program should include BAs specifically. It should reflect clear awareness of BA risks and plans/timelines to address them. It should articulate a continuous, proactive auditing and monitoring plan to identify new risks. It should establish a process by which risk assessment is performed on any new vendor with whom ePHI/PHI will be shared.
Within sixty (60) days of HHS’ approval of the policies and procedures required by section V.A.1 of this CAP regarding business associates, North Memorial shall forward its proposed training materials on the policies and procedures to HHS for its review and approval.
Within ninety (90) days of HHS’ approval of the training materials, North Memorial shall provide training to all appropriate workforce members, in accordance with North Memorial’s applicable administrative procedures for training.
Training = Workforce Enablement.
Does your training program enable and coach your workforce on your policies? On the behaviors and practices that you expect? Does it inspire your workforce to think differently about the way they create and handle ePHI/PHI? Is it role-based, to drive a more explicit connection between the workforce member, the ePHI/PHI they handle and your organization’s data protection values and culture? Do your BAs have to participate in your training program?
If your answers to these questions are “no,” it is a good time to reorient your program, just as the CAP’s call to action requires of North Memorial.
The days of generic “HIPAA 101” training programs fitting the bill are long past. The computer-based training platforms that you license every year have a place in your program, but they cannot be your program. The OCR has commented and presented on this as well. Lesson #6 – Your HIPAA training program needs to foster workforce enablement, stewardship and adherence. It needs to coach your policies, procedures and desired behaviors, and reflect your corporate values. It needs to be aligned with, and informed by, your identity and access management program. It needs to include your BAs since, by definition, they are part of your workforce.
There are certainly more lessons that we could surface but in our review of this CAP, we have tried to distill the OCR’s essence and intent and translate them for you here.
This settlement is not simply about another unencrypted laptop stolen from the back seat of a car. If that is what we take away from it, then we are missing the mark. The OCR makes a point of tying BA management, risk analysis, risk management and workforce training together in this corrective action plan. The call to action is to connect these activities and efforts with the understanding that your BAs are not simply an extension of your organization; they are a part of your organization. They are creating, managing, using, storing and transmitting ePHI/PHI like any other part of your workforce.
Immersive is working at the center to transform the CE-BA relationship. Our phased approach and optional managed services integrate best practices from risk management, data governance and data lifecycle management with powerful technology that offers instant visibility to business associate risk.
We invite you to learn more here: Immersive Business Associate Risk Management