Best Practices for Business Associates to Protect PHI
When it comes to responsibility, business associates sometimes assume they are exempt from HIPAA compliance, especially those who don’t consider themselves part of the healthcare industry.
The problem is that the Department of Health and Human Services (HHS) requires any business associate that stores, processes, transmits, maintains, or otherwise touches protected health information (PHI) to be HIPAA compliant. Business associates are legally bound to protect PHI by following the three HIPAA rules (the Security, Privacy, and Breach Notification Rules).
The investigation of numerous healthcare compromises has confirmed that the security controls and processes required for HIPAA compliance are essential to protecting patient data. But if organizations are breached and not compliant with HIPAA requirements, they may face the following financial consequences:
- HHS fines: Up to $1.5 million per violation per year
- Implementation of new systems and processes: varies by organization
- On-going credit monitoring for affected patients: $10 per individual
- Federal Trade Commission: $16,000 per violation
- Class action lawsuits: $1,000 per record
- State attorneys general: $150,000 – $6.8 million
With all of these financial consequences, you need to take HIPAA compliance seriously, especially since HHS holds business associates to a standard similar to (if not higher than) the one it applies to covered entities.
In this white paper, you learn business associate basics, what you need to know to protect PHI, and business associate best practices.
BUSINESS ASSOCIATE BASICS
WHO IS A BUSINESS ASSOCIATE?
A business associate (BA) is a person or entity that performs certain functions on behalf of a covered entity that involve the use or disclosure of protected health information (PHI) (e.g., CPAs, IT providers, billing services, coding services, laboratories).
Business associates can be from legal, actuarial, consulting, data aggregation, management, administrative, accreditation, and/or financial organizations. Some possible business associate functions include:
- Claims processing or administration
- Data analysis, processing, or administration
- Utilization review
- Quality assurance
- Benefit management
- Practice management
A business associate can be a third-party administrator that assists a healthcare organization with claims processing. They can also be a consultant performing utilization reviews for a hospital.
On the other hand, a covered entity (CE) is a health plan, healthcare clearinghouse, or healthcare provider that electronically transmits health information (e.g., doctors, dentists, pharmacies, health insurance companies, company health plans, etc.). While a member of the covered entity’s workforce is not a business associate, a covered healthcare provider, health plan, or healthcare clearinghouse can be a business associate of another covered entity.
BUSINESS ASSOCIATE AGREEMENTS
Since the 2013 HIPAA Final Omnibus Rule, HIPAA compliance for business associates has become even more important. HHS requires you to sign business associate agreements (BAAs) with the covered entities you assist. In this agreement, the covered entity and business associate agree to share responsibility for patient data protection and breach notification.
Yes, it’s still the primary responsibility of the covered entity to ensure PHI protection, but HHS makes it clear that you need to offer covered entities satisfactory assurance that you safeguard the patient data you receive or create on behalf of the covered entity.
Basically, every covered entity that uses business associates is required to obtain assurances that you treat patient data the way HHS requires and the way the covered entity requires. Some covered entities require proof of a completed risk analysis, request the implementation of a standard risk management plan, and/or perform a HIPAA audit before they send you any patient data.
In addition, some covered entities choose to audit each business associate directly, while others require business associates to provide documented data security procedures. As you progress toward compliance, covered entities may want to track your progress to ensure an approved level of compliance. You will likely need to provide the following:
- Recently signed agreements (including agreements with subcontractors)
- Agreements updated to include Omnibus language
- Satisfactory assurance that you safeguard patient data
- Your risk evaluation
- Annual re-evaluation of contracts
If you allow subcontractors to create, receive, maintain, or transmit PHI on your behalf, make sure your subcontractors sign BAAs that require equal or greater security than your BAAs with your covered entities.
The HIPAA Omnibus Rule makes business associates directly liable for HIPAA violations, so you can be held liable even if you have never signed a business associate agreement.
On the other hand, signing a business associate agreement doesn’t exempt you from anything that goes wrong with patient data security. If data in your or your subcontractor’s possession is stolen, you may face the same consequences as the healthcare provider and/or your subcontractor.
HHS penalties alone can reach $50,000 per violation, and each day of a continuing violation counts as a separate violation. That doesn’t include civil action, the cost of mitigation, and the loss of customer trust that follow a breach.
BREACH NOTIFICATION RULE
Even organizations with strict data security and IT policies can go the way of recent victims like Anthem, Premera Blue Cross, and TRICARE without proper care and upkeep of their data security programs. Last year, medical and healthcare entities accounted for 35.5% of reported data breaches.
The HIPAA Breach Notification Rule, 45 CFR §§164.400-414, requires HIPAA business associates and covered entities to provide notification following a breach of unsecured patient data.
If you’re a business associate, notify the affected covered entities without unreasonable delay after discovering a breach, and in no case later than 60 days after discovery. Your BAA may set a shorter deadline; the 60 days is the outer limit, not the target. Identify each individual affected by the breach and provide that information to each affected covered entity.
Business associates face financial consequences of their own if a breach reveals that they were not meeting HIPAA requirements; the covered entity’s obligations do not shield you.
TIPS FOR BUSINESS ASSOCIATES TO PROTECT PHI
A common problem with healthcare data security and HIPAA is complacency. Many people think stealing data is a technical and complicated process; the reality is often much simpler. Many organizations don’t realize how easy it is for someone to walk in, pick up a device with valuable data on it, and walk out.
Nearly 90% of healthcare organizations have been breached in the past two years, exposing over 112 million records and costing the healthcare industry $5.6 billion annually. Most, if not all, of these breaches could have been prevented if the organizations had followed more secure practices.
Basically, if you don’t secure your data, you will eventually be breached. This section covers what business associates need to do to protect and secure PHI.
WHERE IS YOUR PHI?
One of the first steps in protecting PHI is determining how much of it you have, what type you have, where it can be found in your organization, what systems handle it, and to whom you disclose it.
Create a diagram that shows how PHI enters your network, the systems it touches as it flows through your network, and any point it may leave your network. For example, after patients fill out forms at hospitals, receptionists email you medical records. Another example would be patients adding sensitive information to your third-party patient portal, which then emails a dental receptionist.
Next, you should interview personnel to document those systems and who has access to them. You probably are not aware of every task and situation that your employees encounter on a daily basis or every aspect of their individual jobs.
Interviewing personnel is one of the best ways to get further insight into how you are interacting with and using PHI on a regular basis. It may help you discover access to systems or certain disclosures that you were not aware of.
Identify everywhere PHI is created and where it enters your entity. By doing so, you know exactly where to start with your security practices. Consider the following questions about where your electronic PHI is created and enters your environment:
- Email: How many computers do you have, and who can log on to each computer? What email services are in use?
- Texts: How many mobile devices do you own, and who uses them?
- Your communications: How do you communicate with covered entities or subcontractors?
- Databases: What records and data do you enter into your databases, and which applications and users write to them? How do you exchange that data with covered entities and/or patients?
You need to document where PHI is created, how it enters your environment, what happens once PHI enters, and how PHI exits.
You need to know exactly what happens to PHI after it enters your environment. Is it automatically stored in an electronic health record (EHR) or electronic medical record (EMR) system you operate for a covered entity? Is it copied and transferred directly to a specific department (e.g., accounting, marketing)?
Additionally, you must document all hardware, software, devices, systems, and data storage locations that can access PHI. PHI is commonly stored in the following places:
- EHR/EMR systems
- Mobile devices
- Calendar software
- Operating systems
- Encryption software
- Shred bin containers
- Physical locations/storage (e.g., filing cabinets)
- Non-approved storage locations
When PHI leaves your organization, it is your job to ensure it is transmitted or destroyed in the most secure way possible. Here are some things to consider when PHI leaves your environment:
- Covered entities: Are you sending through encrypted transmission? Are they? Is data sent to them kept at a minimum?
- Email: How does your organization send patient data?
- Flash drives: What policies are in place?
- Trash bins on computers: How often are these cleared out?
- Physical storage and transportation: How do you transport PHI from one location to another?
By limiting PHI access to the smallest number of people possible, the likelihood of a breach or HIPAA violation decreases significantly.
NETWORK SEGMENTATION
Business associates often end up with large flat networks, where everything inside the network can connect to everything else. When they first started accepting PHI they had small, secure environments, but as the business grew they forgot that compliance and security need to apply at every level and in every process.
For example, they may have one firewall at the edge of the network, and nothing else. Flat networks make securing sensitive data extremely difficult because once an attacker gets inside the network, they have access to everything. Generally, the more systems that can reach patient information, the higher the chances of a HIPAA violation or data breach.
Segmentation is not strictly required for HIPAA compliance. However, if you’re looking for one of the easiest ways to reduce the cost, effort, and time spent bringing in-scope systems into compliance, consider segmentation.
If only a small piece of your system handles PHI or is HIPAA related, put it in its own network segment or on separate servers or systems (e.g., a designated healthcare component). You’ll want to implement adequate physical security, firewalls, and distinct segmentation.
Firewalls can be used to implement segmentation within an organization’s network. When you create networks with PHI access that is firewalled off from the rest of the day-to-day business traffic, you can better ensure patient data is only sent to known and trusted sources. This potentially lowers your scope and HIPAA compliance efforts.
For example, you install and configure a multi-interface firewall at the edge of your network. From there, you dedicate one interface on the firewall to the systems that store, process, or transmit PHI. If the rules for that interface deny all traffic to and from the other zones except the specific flows you have documented and justified (a default-deny policy with explicit allow rules), that is proper network segmentation.
Segmentation can be extremely tricky, especially for those without a technical security background. Consider having a security professional double check all your segmentation work (e.g., segmentation checks).
The objective of a segmentation check is to identify whether a host outside the PHI segment can reach systems inside it because of a misconfigured firewall rule. Basically, a segmentation check confirms whether segmentation was set up properly by attempting the connections the firewall is supposed to block and reporting any that succeed.
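A minimal segmentation check in Go, added here as an illustration and not code from the original white paper or from any particular vendor’s tool. It is run from a host on the general business network against a list of PHI-segment hosts and ports; the addresses in `main` (10.10.20.0/24 and the three services) are assumed for the example. The key design point is how results are classified: only a silent timeout means the firewall dropped the traffic, while a completed connection or a "connection refused" both mean the PHI host answered and the segmentation has a hole.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"syscall"
	"time"
)

// Target is one host:port inside the PHI segment that the host running this
// check (on the general business network) must NOT be able to reach.
type Target struct {
	Host string
	Port int
}

// Finding is the result of probing one Target.
type Finding struct {
	Target    Target
	Reachable bool   // true = segmentation failure (or an approved, documented exception)
	Detail    string // what the network told us
}

// ProbeFunc is the connect attempt; it is injectable so the check can be
// exercised against a fake network in tests.
type ProbeFunc func(addr string, timeout time.Duration) (reachable bool, detail string)

// TCPProbe attempts a real TCP handshake. A completed connect means the
// firewall let the packet through. "Connection refused" also counts as
// reachable: the PHI host itself answered, so the firewall did not drop the
// packet. Only a timeout (silently dropped) is what a correctly segmented
// network should show.
func TCPProbe(addr string, timeout time.Duration) (bool, string) {
	conn, err := net.DialTimeout("tcp", addr, timeout)
	if err == nil {
		conn.Close()
		return true, "connected"
	}
	var ne net.Error
	if errors.As(err, &ne) && ne.Timeout() {
		return false, "filtered (timeout)"
	}
	if errors.Is(err, syscall.ECONNREFUSED) {
		return true, "refused (host reachable, port closed)"
	}
	// Anything else (no route, name resolution, ...) needs a human to look at it.
	return true, "error: " + err.Error()
}

// CheckSegmentation probes every target and returns one Finding per target.
func CheckSegmentation(targets []Target, probe ProbeFunc, timeout time.Duration) []Finding {
	findings := make([]Finding, 0, len(targets))
	for _, t := range targets {
		addr := net.JoinHostPort(t.Host, fmt.Sprint(t.Port))
		reachable, detail := probe(addr, timeout)
		findings = append(findings, Finding{Target: t, Reachable: reachable, Detail: detail})
	}
	return findings
}

// Failures returns only the findings that contradict the segmentation design.
// Each one must be closed or matched to a documented, approved firewall rule.
func Failures(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.Reachable {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	// Constructed example: the PHI segment is assumed to be 10.10.20.0/24 and
	// this program is run from a workstation on the business LAN.
	targets := []Target{
		{Host: "10.10.20.5", Port: 22},    // EHR application server, SSH
		{Host: "10.10.20.5", Port: 443},   // EHR application server, HTTPS
		{Host: "10.10.20.10", Port: 1433}, // database server, MSSQL
	}
	findings := CheckSegmentation(targets, TCPProbe, 2*time.Second)
	for _, f := range findings {
		status := "BLOCKED"
		if f.Reachable {
			status = "REACHABLE"
		}
		fmt.Printf("%-14s %-5d %-10s %s\n", f.Target.Host, f.Target.Port, status, f.Detail)
	}
	fmt.Printf("%d of %d targets reachable from this host\n", len(Failures(findings)), len(findings))
}
```

Run it from every network zone that is supposed to be outside scope (user LAN, guest Wi-Fi, DMZ), not just one, and keep the output with the date and source address as evidence for the covered entity’s auditor. Treat every REACHABLE line as a finding until someone can point to the documented rule that allows it.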
ENCRYPTING PHI
If you need to keep data and permanently deleting it isn’t an option, you need to encrypt PHI. If an attacker breaks into your systems, encryption renders the files unreadable without the key: what they take away is an indecipherable string of bytes.
With this danger in mind, the HIPAA Security Rule requires you to “implement a mechanism to encrypt and decrypt electronic protected health information” in §164.312(a)(2)(iv). Technically this is an addressable implementation specification, meaning you must either implement it or document why it is not reasonable and appropriate and what equivalent alternative you use instead. In practice, treat it as mandatory: encrypt electronic PHI wherever it is created, stored, or transmitted on your systems and work devices (e.g., mobile phones, laptops, desktops, flash drives, hard drives).
Although HIPAA regulations don’t specify a particular algorithm, industry best practice is AES-128 or AES-256 in an authenticated mode such as GCM. Triple DES, which older guidance still lists, has been deprecated by NIST and should not be used for new deployments.
Three common data handling processes that are often confused: masking, hashing, and encrypting.
- Masking hides part of the data from view. The full value is still stored in clear text; you just can’t see all of it on the screen. Use masking to hide the parts of patient information that specific workforce members don’t need.
- Hashing runs the data through a one-way mathematical function that turns it into a fixed-length digest. You cannot reverse a hash to recover the original data, but short, predictable values such as a nine-digit Social Security number can be recovered simply by hashing every possibility and comparing. Generally, healthcare entities don’t hash PHI.
- Encrypting also runs the data through a mathematical algorithm, but with a key: with symmetric encryption the same key decrypts, and with public-key encryption a paired private key does. The data is stored safely and the only way to read it is with the decryption key. Currently, the strongest common encryption algorithm is AES-256. Whenever implementing encryption, use the strongest algorithm your system supports, and remember that many older algorithms are not acceptable (e.g., RC4, DES).
Anywhere PHI is stored you should have encryption enabled so the data requires a decryption key to view it. Most computer systems can automatically handle encryption if they are properly configured.
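The three techniques side by side, as an added example in Go using only the standard library (this is illustrative code, not part of the original white paper). The sample SSN and medical record number are constructed. Beyond what the list above says, it demonstrates why a bare hash is a poor fit for identifiers: `RecoverFromHash` recovers the SSN from its SHA-256 digest by enumeration, while the keyed `KeyedHash` (HMAC) and AES-256-GCM encryption both depend on a secret the attacker does not have. The 32-byte key is generated in the program for the demo; in a real deployment it comes from a key management system, never from the code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// MaskSSN is a display control: the caller still holds the full value in
// clear text; the screen just shows the last four digits.
func MaskSSN(ssn string) string {
	digits := strings.ReplaceAll(ssn, "-", "")
	if len(digits) != 9 {
		return "invalid"
	}
	return "***-**-" + digits[5:]
}

// HashSSN is plain SHA-256. One-way in theory, but an SSN has at most 10^9
// values, so an attacker can hash all of them and look the digest up.
func HashSSN(ssn string) string {
	sum := sha256.Sum256([]byte(ssn))
	return hex.EncodeToString(sum[:])
}

// RecoverFromHash shows that weakness. Given the digest and the first five
// digits (as a prefix such as "123-45-") it tries all 10,000 suffixes; the
// same loop over the full 10^9 space finishes in minutes on one machine.
func RecoverFromHash(digest, prefix string) (string, bool) {
	for i := 0; i < 10000; i++ {
		candidate := fmt.Sprintf("%s%04d", prefix, i)
		if HashSSN(candidate) == digest {
			return candidate, true
		}
	}
	return "", false
}

// KeyedHash (HMAC-SHA256) removes the enumeration attack for anyone who does
// not hold the key; it is the right tool if an identifier must be pseudonymised.
func KeyedHash(key []byte, value string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(value))
	return hex.EncodeToString(mac.Sum(nil))
}

// newGCM builds an AES-256-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || ciphertext || tag. GCM authenticates as well as
// encrypts, so any modified byte is detected on decryption.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message; never reuse with the same key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt and fails closed on a wrong key or a tampered byte.
func Decrypt(key, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

func main() {
	ssn := "123-45-6789" // constructed sample, not a real record
	fmt.Println("masked:", MaskSSN(ssn))
	recovered, _ := RecoverFromHash(HashSSN(ssn), "123-45-")
	fmt.Println("recovered from bare SHA-256 by enumeration:", recovered)
	key := make([]byte, 32) // demo only; production keys live in a KMS/HSM
	rand.Read(key)
	ct, _ := Encrypt(key, []byte("MRN 000123, "+ssn))
	pt, _ := Decrypt(key, ct)
	fmt.Println("decrypted:", string(pt))
	ct[len(ct)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err := Decrypt(key, ct)
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The practical lesson is in the failure modes: masking protects nothing at rest, hashing a low-entropy identifier protects nothing against a patient attacker, and encryption protects exactly as well as the key is protected.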
FULL DISK ENCRYPTION
Historically, one of the largest reported threats to ePHI has been loss or theft of a physical device. Adequate physical security and media movement procedures are the first line of defense against these incidents, but they still happen despite your best efforts.
Encryption is the best protection against the penalties associated with a breach when a device is lost or stolen. Under the HITECH Act of 2009 and the HHS guidance issued with the Breach Notification Rule, PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons, whether by encryption consistent with NIST guidance or by secure destruction, is not “unsecured PHI,” so the loss of such a device is not a reportable breach. This safe harbor only holds if the decryption key was not lost or stolen along with the device, so keep keys and recovery passwords off the device itself.
Disk encryption for laptops and desktops is easy to enable and usually costs nothing extra, since current operating systems include it (e.g., BitLocker on Windows, FileVault on macOS, LUKS on Linux). Turn it on, escrow the recovery key somewhere you control, and verify it is actually enabled before the device leaves the building.
MINIMUM NECESSARY
A large portion of the Privacy Rule is based on the minimum necessary requirement: only those who need to see PHI to do their jobs should see it, and unless there is a specific need for the information, access must be restricted. For example, a receptionist (or anyone else who doesn’t provide direct patient care) probably doesn’t need to see a patient’s X-rays to do their job.
Business associates should only accept and use the minimum necessary data.
Business associates often think their covered entity holds sole responsibility for deciding how much data they receive. This is not the case. Both business associates and covered entities have a minimum necessary responsibility under HIPAA.
That means you can be fined by the HHS for misapplying (or completely disregarding) the minimum necessary rule. For example, if you demand more data than is necessary from covered entities, you could be fined for ignoring the rules.
To avoid these issues, you need to assess your responsibilities concerning minimum necessary data, making sure to limit the amount of PHI you use, disclose, or request to the minimum necessary to accomplish the intended purpose. Specifically, every time you grant employee access to PHI or receive PHI from another organization or individual, ask yourself what is the minimum amount of information required to accomplish the requested task.
PERMANENTLY DESTROYING PHI
If your covered entity terminates your contract, you need to follow the termination clause. Basically, you need to make sure that any PHI you have received, created, or maintained is:
- Returned to the covered entity
- Protected by adequate safeguards and security
- Not used or disclosed
- Permanently deleted
Most people know how to destroy physical sensitive data (e.g., shredding, burning, pulping), but when it comes to securely destroying electronic data, most organizations don’t know where to begin or what is required (options, tools, procedures). For example, if you delete sensitive information (patient health records, Social Security numbers, etc.) on your computer, it is probably still on the disk and recoverable by an attacker.
Take special note: emptying the Recycle Bin or Trash does not actually wipe the file off the disk. The operating system simply removes the directory entry and marks the blocks as free to be overwritten. The average user can no longer find the file, but its contents remain in unallocated space until something else happens to overwrite them, and anyone with basic forensic tools can carve them back out.
HHS has determined that electronic PHI must be cleared (using software or hardware products to overwrite media with non-sensitive data), purged, or destroyed consistent with NIST Special Publication 800-88 to count as rendered unusable. For systems that remain in use, clearing is the practical option.
If media is magnetic (e.g., tapes, hard drives), it can be degaussed. Use an appropriately sized and rated professional-grade degausser so that no data recovery is possible, and remember that a degaussed hard drive is no longer usable. You can also physically destroy the media in an almost endless number of ways; one organization ground up its hard drives and dissolved them in a sulfuric acid solution.
If you plan to reuse or sell the media, use a repetitive overwrite method, also known as erasure or wiping: the data is overwritten with random 1s and 0s, using a different pattern on each pass, to ensure all of the original data has been replaced. Even so, some recoverable data could remain on the media (for example in remapped bad sectors that the overwrite never reaches), so verify the result rather than assuming it.
If you use a solid-state drive or flash memory, overwriting in place is unreliable because the drive’s controller remaps writes (wear leveling) and keeps copies of old data in blocks your software cannot address. You can use the ATA Secure Erase command to reset the drive, and some manufacturers supply software to perform secure erasure (though some implementations have had flaws). But the only sure way to destroy data on a solid-state drive or in flash memory is to physically destroy it.
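A small clearing routine in Go, added here as an illustration rather than taken from the white paper or from any vendor tool. It shows the two steps that matter and the order they must happen in: overwrite the file’s blocks in place (with `fsync` after each pass so the pass actually reaches the disk), verify that a known fragment of the PHI is gone, and only then unlink the name. Deleting first would leave the original blocks in unallocated space, which is the Recycle Bin problem described above. The sample record is constructed, and the comments spell out the cases where this approach is not enough.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
)

// OverwriteInPlace replaces every byte of a regular file with random data,
// `passes` times, flushing to stable storage after each pass. This is
// "clearing" in NIST SP 800-88 terms and is adequate for magnetic disks on a
// filesystem that writes in place. It does nothing for SSD/flash (the
// controller remaps writes, so the old blocks survive), for copy-on-write or
// journaling filesystems that may keep prior versions, or for snapshots and
// the backup copies listed below; those need Secure Erase, crypto-erase, or
// physical destruction.
func OverwriteInPlace(path string, passes int) error {
	if passes < 1 {
		return errors.New("passes must be at least 1")
	}
	f, err := os.OpenFile(path, os.O_RDWR, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return errors.New("refusing to overwrite a non-regular file: " + path)
	}
	buf := make([]byte, 64*1024)
	for pass := 0; pass < passes; pass++ {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return err
		}
		for remaining := info.Size(); remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			if _, err := rand.Read(buf[:n]); err != nil {
				return err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return err
			}
			remaining -= n
		}
		if err := f.Sync(); err != nil { // the pass must hit the disk, not just the page cache
			return err
		}
	}
	return nil
}

// ClearFile overwrites and then unlinks, in that order.
func ClearFile(path string, passes int) error {
	if err := OverwriteInPlace(path, passes); err != nil {
		return err
	}
	return os.Remove(path)
}

// StillContains is the verification step: after clearing, read the file back
// and confirm a known fragment of the original PHI is no longer present.
func StillContains(path string, needle []byte) (bool, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return false, err
	}
	return bytes.Contains(data, needle), nil
}

func main() {
	// Constructed example: a temp file standing in for an exported patient list.
	f, err := os.CreateTemp("", "phi-export-*.csv")
	if err != nil {
		panic(err)
	}
	path := f.Name()
	f.Write([]byte("000123,Jane Doe,1970-01-01,123-45-6789\n"))
	f.Close()
	before, _ := StillContains(path, []byte("Jane Doe"))
	if err := OverwriteInPlace(path, 3); err != nil {
		panic(err)
	}
	after, _ := StillContains(path, []byte("Jane Doe"))
	fmt.Printf("contains PHI before: %v, after overwrite: %v\n", before, after)
	if err := os.Remove(path); err != nil {
		panic(err)
	}
}
```

Keep the verification output together with the file name, host, date and operator as the destruction record your BAA’s termination clause will ask for.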
When thinking about how to permanently delete files off your network, don’t forget about any archived copies in:
- Time Machine backups
- Cloud backups
- External hard drive backups
- CD or DVD backups
- Email backups
- FTP backups
- Server backups
- Mirror backups
- Offsite backups
HIPAA compliance doesn’t have to be an impossible task. Break your HIPAA compliance efforts into small, manageable pieces.
Start by understanding the flows of PHI in your unique environment. Until you understand your flows, it’s impossible to understand exactly what must be secured and what business practices need to be altered. After your networks have been properly segmented, make securing and encrypting PHI a standard procedure.
HIPAA compliance is never completely finished. Your environment is constantly shifting with changes to new workforce, technology, and security processes. Because of this, now is an ideal time to rethink your data security and reduce your HIPAA compliance workload.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, and Certified Forensic Investigator, we have tested over 1 million systems for security.