HIPAA covered entities: Are your business associates ready for a security incident?

With OCR Phase 2 audits underway, many covered entities are taking a fresh look at their physical, technical, and administrative safeguards for electronic protected health information (ePHI). A comprehensive data security analysis, however, does not stop at the covered entity's own threshold. A covered entity must ensure the confidentiality, integrity, and availability of "all" ePHI the CE creates, receives, maintains, or transmits. This obligation includes proper management of business associate relationships.

A business associate is a person or entity that performs activities or functions that require it to use or disclose PHI on the covered entity's behalf. Examples of BAs include third party administrators that assist plans with claims processing, and consultants that perform utilization review for hospitals. As the Security Rule makes clear, a CE may not permit a business associate to create, receive, maintain, or transmit ePHI on the CE's behalf unless the CE obtains "satisfactory assurances" that the BA will appropriately safeguard the information, typically embodied in a written "business associate agreement."

In a May 3, 2016 listserv mailing, OCR cautioned covered entities to consider how they will address a breach by their business associate. This is an area of insecurity for many CEs. While the Breach Notification Rule requires BAs to notify their CE after discovering a breach of unsecured PHI, OCR reports that a large percentage of CEs believe their BAs will not, in fact, notify them of breaches or security incidents. OCR also reports that CEs find it "difficult" to manage security incidents involving BAs, and "impossible" to determine whether their BAs' security policies and procedures are adequate to effectively respond to a breach.

While business associates are now directly liable under the Security Rule and many aspects of the Privacy Rule, covered entities remain responsible for selecting their BAs, properly vetting BAs' physical, technical, and administrative safeguards, and embodying the parties' agreement in a compliant BAA. OCR has provided suggestions on how CEs can reduce the risks to ePHI held by business associates to a manageable level. Covered entities should be particularly mindful of their own, and their BAs', minimum necessary obligations to appropriately limit the amount of PHI that could be exposed by a breach at the BA. CEs should likewise make reasonable efforts to ensure role-based access to PHI at the BA, limiting the opportunity for human error.

• Kim Metzger is a partner with Ice Miller LLP. Contact her at kimberly.metzger@icemiller.com. Deepali Doddi is an associate with Ice Miller LLP. Contact her at deepali.doddi@icemiller.com.

• This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader's specific circumstances.
