Knowledge is power and information sharing across the healthcare data protection community helps us all improve.
Thanks to Art Gross at HIPAASecureNow for sharing the following content of a letter that one of their prospective clients received following a breach notification to the OCR from one of the prospective client’s Business Associates.
It is instructive for us all…
Note that OCR asked the covered entity to supply the following information within 20 days of the receipt of its letter.
Here is what the HIPAASecureNow team reports was the content of the letter:
- Please submit a response to the allegations made in the complaint. Please describe the circumstances leading to the alleged incident to include the date of the incident and the date of discovery of the incident. Please list in detail the protected health information (PHI) that was made available to unauthorized individuals.
- Copies of any notes, documents and reports relating to any internal investigation, including any forensic analysis, conducted by the covered entity, or its designated contractor or agent, of the alleged incident. Please detail any corrective measures taken as a result of this alleged incident.
- Please indicate whether you conducted a breach risk assessment for the alleged incident. If so, please provide a copy of the breach risk assessment; a) if you determined that a breach of patients’ PHI occurred as a result of this incident, please indicate, as applicable, whether you notified the affected individuals, the media, and the HHS Secretary and, b) if you notified the affected individuals, the media, and the HHS Secretary, please provide OCR with documentation of said notifications.
- A copy of the covered entity’s policies and procedures with respect to uses and disclosures of PHI and safeguarding PHI developed pursuant to HIPAA.
- Please provide a copy of the covered entity’s business associate agreement with the vendor that was in effect at the time of this incident.
- A copy of any risk analysis performed pursuant to 45 C.F.R. 164.308(a)(1)(ii) prior to the date of the incident and any risk management plans developed as a result of the risk analysis, including any revisions or updates made to the risk analysis to include malware infection or hacking attacks as a risk item, AND evidence of all implemented security measures to reduce the risk of malware infection or hacking (e.g. screenshots, configuration settings).
- Evidence of information system activity reviews (e.g. user access, user activity, network security, etc.).
- Evidence of any network scans or penetration tests performed before and/or after the incident.
- A copy of the covered entity’s approved access management policy pursuant to 45 C.F.R. 164.308(a)(4).
- A copy of the covered entity’s security awareness and training materials prior to the incident. Please include evidence of workforce attendance to the training.
- Evidence of malicious software protection (antivirus system) installed at the time of the incident. Please also include evidence of patching on the affected systems.
- A copy of the covered entity’s approved data backup procedures. Please include evidence of data backup mechanism/process.
- Evidence of technical access controls that the covered entity implemented. Please include a copy of the covered entity’s approved password management policy and procedure.
- Evidence of implemented network security devices such as firewalls, intrusion detection systems, etc. Please include evidence of any network scans performed on the network/computer before and/or after the incident.
- Details of network security monitoring to identify network related threats and vulnerabilities.
For each data request item listed above, specify the name and title of each individual who furnished information in response to the request.
I remember when we first got our hands on the OCR Document Request List from Phase 1 of the HIPAA Audit Program. Everyone wanted to know what documents, and what level of documentation, OCR was requesting. It was instructive. It not only helped organizations ready themselves for audit, it provided valuable insight into OCR’s expectations…the “how” of implementing the HIPAA Security Rule. This implementation guidance is something that we have craved, really begged for, as an industry.
We can look at this content in the same way. It is instructive. It provides insight into how we should be implementing the HIPAA Security Rule generally and, more importantly, on this eve of key dates under the Omnibus Rule regarding Business Associates, how we should be approaching Business Associate risk management.
This can be turned into a checklist of sorts. Challenge your organization to take a look at one, just one, of your BA relationships vis-à-vis these 15 items. As a result, you will end up taking a look at your security management program and controls broadly. That is a good thing.
Thanks again Art, for the share.