[BreachExchange] Small Health Care Providers: Do You Really Know What Your IT Services Vendor is Providing to Secure Your Systems?

[Audrey McNeil]

https://www.jdsupra.com/legalnews/small-health-care-providers-do-you-76398/

A small health care provider such as a physician office or clinic often
will contract with an IT services vendor to meet overall IT needs to
operate the business. A small health care provider may not have the
resources and expertise to understand the technical support that an IT
services vendor provides, and it relies upon the IT services vendor’s
expertise to support, secure, and protect the IT systems and patient data.
A health care provider that is a covered entity as defined by the Health
Insurance Portability and Accountability Act of 1996 (HIPAA) is required to
comply with HIPAA, the Health Information Technology for Economic and
Clinical Health Act (the HITECH Act), and the privacy and security
regulations promulgated (the Privacy and Security Rules). HIPAA requires a
covered entity to enter into a business associate agreement with an IT
services vendor that has access to, uses, maintains, and transmits
protected health information (PHI) on behalf of the health care provider.
The business associate agreement includes the regulatory minimum
requirements that the business associate must take to protect the covered
entity’s PHI. But does the health care provider understand what the IT
services vendor is providing to secure PHI from unauthorized use and
disclosure?

The U. S. Department of Health and Human Services Office for Civil Rights
(OCR) issued guidance in October 2016, on HIPAA compliance when a covered
entity and a business associate utilize cloud solutions for data
management. The guidance, while focusing on cloud services, also easily
applies to procuring and using traditional IT services. The parties should
specify in the IT services agreement which party will be responsible for
implementing the Privacy and Security Rules’ administrative, physical, and
technical safeguards. Both parties should conduct a security risk analysis
to identify the potential threats to and vulnerabilities of the
confidentiality, integrity, and availability of the health care provider’s
electronic PHI. For the small health care provider, this may require
engaging the expertise of an IT security firm to conduct the security risk
analysis and to develop the risk management plan.  Although an additional
expense, obtaining a security risk analysis will go a long way to help the
health care provider determine where security is needed to protect patient
information, and demonstrate compliance with the HIPAA Privacy and Security
Rules if OCR were to investigate a breach.

In the Guidance, OCR sets forth recommendations for parties to consider
when entering into a services agreement that are applicable to traditional
IT services:

- The IT services agreement sets forth the respective parties’
responsibility to secure the information system consistent with the HIPAA
Privacy and Security Rules, such as:


-- User tools that may be used to increase privacy and security protections.
-- Backup and data recovery to respond to emergency situations such as
ransomware and other malware attacks.
-- The manner in which the IT services provider will return data to the
health care provider or securely destroy the data after the services are
terminated.
-- Delineation of responsibility between the parties for implementation and
management of the IT security services.
-- Use, retention, and disclosure limitations.
-- Use of encryption.
-- Responsibility for access and termination controls.
-- Breach and security incident monitoring and notification,
-- Cyberliability insurance requirements.
-- Documentation and data retention requirements in the event of a breach,
such as preservation of logs and equipment, to demonstrate compliance with
the HIPAA Privacy and Security Rules and state law requirements.
-- Cooperation and assistance in investigating a breach, security incident,
and OCR investigations.
-- Requiring the IT services vendor to provide documentation of its privacy
and security practices, such as submitting to a security audit.
-- Data and log retention requirements.

- The health care provider and the IT services vendor are required to enter
into a HIPAA-compliant business associate agreement, and should review the
terms set forth in the service level agreement for consistency with the
parties’ regulatory obligations under the business associate agreement.
- The health care provider and the IT services vendor should conduct a
security risk analysis to identify gaps in the services and implement a
risk management plan to address the identified risks and allocate
responsibility for compliance.

In the publication, “Health Information Privacy in the Digital Age,” OCR
indicates that the agency will continue to focus enforcement efforts and
resources on matters that identify industrywide noncompliance, where
corrective action under HIPAA may be the only remedy, and where corrective
action benefits the greatest number of individuals. OCR reminds covered
entities and business associates of their ongoing HIPAA responsibilities,
and OCR has indicated that it will review the contractual obligations
between the respective parties regarding control and implementation of the
security features of the [cloud] services consistent with the HIPAA
Security Rule when investigating any breach involving such parties. Expect
OCR to use this same approach when evaluating the respective parties’
obligations under traditional IT services in the event of an investigation
of a health care provider following a breach of unsecured PHI involving
contracted IT vendor services.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171228/5cc05a26/attachment.html>