NRC Health, a software and patient satisfaction survey provider holding data from more than 25 million patients, was locked out of its computer system in February because of a ransomware attack. When a breach like this occurs, the fault (at least in the eyes of the federal Office for Civil Rights [OCR]) tends to land on the vendor’s shoulders. But this is not always the case.
In 2013, North Carolina’s Raleigh Orthopaedic Clinic worked with a vendor to transfer X-ray films to an electronic format. The provider realized a few months later – after it did not receive any electronic versions – that it had been the victim of a scam. The provider believes the films were sold to harvest silver. In this case, Raleigh was at fault for not performing due diligence on the vendor before handing over protected health information (PHI).
Though HIPAA does not explicitly require healthcare providers to perform due diligence on vendors or to monitor their cybersecurity practices, experts say HIPAA implies it. Doing so is not only good business; it may also help a practice avoid state or OCR investigations.
The important point is that physicians are responsible for evaluating whether a breach has occurred and for breach notification under state and federal law, said David Holtzman, executive advisor for CynergisTek, based in Austin, Texas. “At the end of the day, the covered entity is the one who could be left holding the bag.”
Interpreting the law
Adam Greene, a partner at the national law firm of Davis Wright Tremaine LLP, said HIPAA is clear that covered entities must obtain a business associate agreement from their vendors. If a provider learns that a business associate is in violation of the agreement or of HIPAA, the provider has to take action.
“What is not as clear is what extent they have to do due diligence of a vendor’s practices and if they need ongoing monitoring instead of waiting to learn of any problems,” Greene said. “There has been a lack of clarity as to the expectations of the provider here.”
Some provisions do suggest providers bear responsibility with regard to vendors. For example, the HIPAA Privacy Rule requires that “reasonable safeguards” be applied to PHI.
If a breach occurs, providers must notify patients and should expect costs such as paying for patients’ credit monitoring and defending litigation. If OCR comes to a provider for a basic follow-up after a vendor’s breach and finds the provider did not perform any due diligence (as in the Raleigh case), “that’s going to be on you,” said Becky Williams, chair of the health information practice at Davis Wright Tremaine. Once OCR is in the door, it can ask about the practice’s risk analysis and its compliance efforts related to vendors. The last thing a practice wants is to become part of a formal enforcement process, Williams said.
Ensuring the basics
If a practice is working with a large vendor like Epic or Cerner, that vendor likely will not be willing to hand over its risk assessment. But those organizations typically have good security measures in place. It may be easier for a practice to get security information from smaller vendors, such as a local billing company or managed service provider. For these companies, Williams recommends putting together a questionnaire to gauge compliance.
Vendor security questionnaires are widely available online and through some professional associations. Providers need to know whether vendors perform a risk analysis; what security framework the vendor follows; whether they have had a third-party assessment of their security; what their history of incidents is; how they train their workforce on security and privacy; whether they use encryption as part of their normal processes; whether every user has a unique user ID and password; and what their contingency operations are should they suffer an incident that takes them offline.
Holtzman said these questions will determine if a vendor will have the kind of security a practice needs and if “their actions allow me to sleep at night when storing my information … If you have a vendor that won’t answer this kind of basic questionnaire, you can judge that for what it is.”
Another way to manage vendors is by ensuring the use of business associate agreements (BAAs), which HIPAA requires. These agreements are a way to ensure vendors understand their rights and responsibilities for the use and disclosure of PHI.
But Holtzman said a lot of negotiating outside of those basic points should go elsewhere – in a vendor – or service – agreement. “You shouldn’t load the BAA up like a Christmas tree,” he said. “It’s not suited for things like insurance requirements, indemnifications and who’s responsible for paying for the cost of a breach.”
Part of the reason he prefers putting additional terms in a service agreement is liability. If a vendor fails to fulfill the duties set out in a BAA and the provider knows about it, OCR could hold the practice responsible after a breach, Holtzman said.
“The more complex the business associate agreement is, the greater the risk it puts you at,” he said. “Another reason you don’t want to look to a BAA is because HIPAA is no longer the only game in town.”
Any privacy requirements from the states or the Federal Trade Commission that are more stringent than HIPAA’s can be written into the vendor agreement.
The service contract can also spell out how the vendor conducts its risk assessment; how the agreement can be amended; and how the vendor will notify the practice of changes such as adding or dropping subcontractors (which happens frequently with transcription and cloud computing firms).
It can also cover the vendor’s incident response and notification process (some states have shorter notification deadlines than HIPAA), including the vendor’s obligations to investigate and to notify the practice if a breach occurs. Another important point is how the vendor will reimburse the practice for costs incurred because of a vendor breach. The contract can also require the vendor to carry appropriate breach insurance coverage.
Finally, a vendor agreement should include what happens when a contract ends. It should note the terms under which a contract can be terminated, the steps to be taken at the end, and what happens to any data held by a vendor after termination.
A best practice for providers is to keep a contract management system for their vendors so the information they need is close at hand. Williams said providers should maintain a list of all vendors, their contact information, and whether a current BAA and/or service contract is in place for each.
“If OCR audits you or there is an investigation, they will sometimes ask for a list of business associate agreements and that should be an easy request, not a hard one,” she said.