[BreachExchange] Ten Tips For Actions By A Covered Entity After A HIPAA Breach By A Business Associate

[Audrey McNeil]

http://www.jdsupra.com/legalnews/ten-tips-for-actions-by-a-covered-91123/

This blog recently discussed tips for a covered entity (CE) in dealing with
a HIPAA business associate (BA). Now, even though you have adopted all of
the tips and more, in this dangerous and ever more complex data security
world, one of your BAs suffers a breach and it becomes your responsibility
as the victim CE to respond. What should you do?

Our partner Elizabeth Litten and I discussed aspects of this issue with our
good friend Marla Durben Hirsch who included some of our discussion in her
article in the June 2017 issue of Medical Practice Compliance Alert
entitled “6 ways practices can reduce the risk of delegating
breach-notification duties.” Full text of the article can be found in the
June, 2017 issue, but a number of the items included below are drawn from
the article.

1. Locate the most recent Business Associate Agreement (BAA) with the BA
who experienced the breach, and see what it says about the post-breach
obligations of the CE and the BA. Two important threshold issues are
whether the BA complied with the time period for reporting breaches to the
CE contained in the BAA and the remaining time, if any, available to the CE
for complying with any reporting requirements under HIPAA and state law,
remediation and limitation of loss requirements, and notification
requirements to affected individuals (collectively, the Requirements).
2. Determine promptly what are the time deadlines for notification to
insurance carriers if cybersecurity or general liability insurance may be
available to the BA and/or the CE for payment of expenses of the breach and
its remediation.
3. Spell out any circumstances where the BA will handle the consequences of
a breach that occurred on its watch, and the scope of its responsibilities
vs. that of the CE. These can range from delegating to the BA the entire
range of Requirements to assumption by the CE of complying with the
Requirements with payment by the BA of the costs thereof.
4. Make sure that the required reporting and notification Requirements are
sent on CE stationery or, if such Requirements are being delegated to the
BA (especially where the breach affected a number of different CEs), the
notifications make it clear that the breach was attributable to the acts of
the BA and not the CE. As CE, insist that the final wording of the required
reporting and notification documents be subject to your approval.
5. Ensure that your staff is familiar with the circumstances of the breach
so that they will be able to answer questions from affected individuals and
the media intelligently. It may be advisable to designate a single trained
and articulate person to be referred all inquiries, so that the responses
are uniform, accurate and clear.
6. Assess whether the BA handled the breach adequately and whether you want
to retain your relationship with the BA. Did the BA comply with HIPAA and
the BAA in the post-breach period? Did the BA cooperate with the CE? What
is the likelihood of a repeat breach by the BA? Is the CE assuming the risk
of potential repeat HIPAA breaches if the BA relationship is continued?
7. If you determine as CE that you will continue your relationship with the
breaching BA, consider whether the BAA with the BA requires changes based
upon the experience of the breach and its aftermath.
8. As CE, consider modifying, updating and/or strengthening all of your
BAAs as a result of your experience.
9. As CE, you may require improving and/or changing your cybersecurity
insurance coverage as a result of experience with the breach.
10. As CE, document all activities and decisions respecting HIPAA made in
the post-breach period to defend your actions as reasonable and to provide
concrete planning steps for future HIPAA compliance.

While all the precautions in the universe by a CE cannot eliminate a HIPAA
breach by a BA, a CE that is victimized by such a HIPAA breach can do many
things to reduce its liability and image damage and strengthen its own
HIPAA compliance and risk avoidance efforts for the future by adopting the
steps described above.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170724/2b44a2fa/attachment.html>