Here we discuss the need for, and an approach for developing, a structured Business Associate oversight program for data security risk management.
HIPAA and the HITECH Act have highlighted the importance of Business Associate (BA) security. Covered Entities (CEs) need to effectively manage Business Associate security risk, and BAs need to understand their compliance requirements and liability under HIPAA and HITECH regarding the protection of protected health information (PHI).
The entire supply chain of PHI from CEs to BAs to BA subcontractors is now subject to compliance with the HIPAA Security Rule. Not only has the definition of BAs been expanded to include data transmission services like HIEs and RHIOs, but BAs now face dual liability: they have both contractual liability to the CE for HIPAA compliance via Business Associate Agreements (BAAs) and also direct liability to the government. Furthermore, the July 14th, 2010 notice of proposed rulemaking (NPRM) modifying HIPAA under the HITECH Act clarifies that a lack of understanding is not a valid defense for HIPAA compliance violations.
Given the enhanced breach notification requirements, monetary penalties and increased government scrutiny, both CEs and BAs need to effectively manage security risk. As a security assessment firm, we understand that performing an objective and technically astute security assessment or HIPAA Risk Analysis is an effective way to support a structured information security program that mitigates security and compliance risk under HIPAA. However, we also understand that while performing a dedicated assessment on one's own organization is a practical solution, devoting significant capital to performing security assessments on BAs and subcontractors might not be feasible. But given the current regulatory climate, having no visibility into a BA's current state of security is not practical either.
What follows is a high-level view of an approach to managing BA risk that is manageable, structured, practical and can be documented to show organizational commitment to a robust risk management program. We see this as an effort that is implemented by a CE in several phases. While the duration for completion of the entire process varies widely depending on the size of the CE in question, we'd expect the duration of the entire process to range from several weeks for a small organization to several months for a larger CE. BAs also need to be aware of this process, not only to manage any of their own BAs, but also with the expectation that their CE clients will soon be asking the very same questions discussed here.
Business Associate Oversight Program Overview
The primary goal of a BA oversight program is to create a systematic and well-documented process for evaluating and prioritizing risk of a BA PHI data breach or HIPAA Security Rule compliance violation by determining that BAs have the necessary technical, physical and administrative safeguards in place to protect shared PHI.
Step 1: Create BA risk matrix to characterize BAs in terms of data classification, BAA terms and testing history.
Compile a complete list of BAs and create a matrix of readily available information about each BA. While each situation is unique, the following categories should be considered for evaluation.
- Data Classification: This category defines attributes associated with the data the BA has access to, such as the number of records shared with the vendor, criticality and sensitivity of the data, breach history, etc.
- Business Associate Agreement Terms: For each BA on the list, document the status of the BAA. Does the BAA specify appropriate PHI safeguards, notification of disclosures, etc.? Is there a termination-after-breach clause and a right-to-audit clause, …?
- Testing History: Note for each BA the last security assessment performed, the date, and whether it was performed internally or by a third party. Are results of security assessments available for review by the CE?
Step 2: Based on attributes logged in the previous step, prioritize BAs in terms of risk.
Based on the information above, compiled in a matrix, the BAs can be readily prioritized based on risk – high risk at the top, low risk at the bottom. This can be implemented qualitatively or quantitatively. In the example below we show a snippet of a matrix in which a hybrid approach is taken. Notice how the data sensitivity, for example, is given a 1, 2 or 3 rating to represent low, medium or high sensitivity. In this way the data risk can be used as a numerical risk rating to aid in risk prioritization.
Step 3: Determine which vendors require additional evaluation as a function of their risk profile on the matrix.
Based on the number of vendors on the list and the general risk profile of the BAs, determine the scope and schedule for additional BA security verification. Additional evaluation may include:
- Requiring the vendor to complete additional information via questionnaire (download sample Business Associate Questionnaire)
- Telephone interview of BA
- Spot checking of specific security controls defined on questionnaire as a cost-effective sampling strategy to extrapolate opinion of overall state of security
- Full-scope security assessment or HIPAA Risk Analysis
Step 4: Report to BAs and monitor progress
Any findings, deficiencies or requests for further information (such as validation that a security issue has been mitigated, or that the BA has completed security testing) should be reported to the BAs. Any deficiencies should be documented and followed up on by the CE to ensure the BA is addressing the issues.
Step 5: Keep matrix up-to-date.
Annually, or whenever there is significant change, update the matrix to ensure that high-risk vendors are given appropriate attention. Based on this, just as in a traditional information security program, cycle back to Step 1 as necessary.
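As an added example that is not from the original article, the following Python sketch implements the hybrid matrix of Steps 1 through 3: the 1/2/3 data sensitivity rating from Step 2, assumed numeric weights for the other matrix columns (record count, breach history, BAA terms, testing history), a ranking of BAs highest risk first, and a mapping of each score to one of the Step 3 follow-up tiers. The weights, score cut-offs and vendor records are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class BusinessAssociate:
    name: str
    records_shared: int              # PHI records the BA can access
    data_sensitivity: int            # 1 = low, 2 = medium, 3 = high
    prior_breach: bool
    baa_signed: bool
    baa_right_to_audit: bool
    baa_termination_after_breach: bool
    last_assessment: "date | None"   # None = never assessed
    results_shared: bool             # assessment results available to the CE

def risk_score(ba: BusinessAssociate, today: date) -> int:
    """Hybrid numeric score (range 4..25); weights are assumed, not from the article."""
    score = ba.data_sensitivity * 3                        # data classification
    score += 3 if ba.records_shared >= 10000 else 2 if ba.records_shared >= 1000 else 1
    score += 3 if ba.prior_breach else 0
    score += 0 if ba.baa_signed else 4                     # BAA terms
    score += 0 if ba.baa_right_to_audit else 1
    score += 0 if ba.baa_termination_after_breach else 1
    if ba.last_assessment is None:                         # testing history
        score += 3
    elif (today - ba.last_assessment).days > 365:
        score += 2
    score += 0 if ba.results_shared else 1
    return score

def next_action(score: int) -> str:  # Step 3 tiers; cut-offs are assumed
    if score >= 16:
        return "full-scope assessment or HIPAA Risk Analysis"
    if score >= 12:
        return "spot-check of questionnaire controls"
    if score >= 8:
        return "questionnaire plus telephone interview"
    return "questionnaire"

def prioritize(bas, today):
    """Rank BAs highest risk first with the follow-up each needs (Steps 2 and 3)."""
    scored = [(risk_score(b, today), b.name) for b in bas]
    return [(s, n, next_action(s)) for s, n in sorted(scored, reverse=True)]

TODAY = date(2010, 9, 1)  # constructed sample data; the vendors below are fictitious
SAMPLE_BAS = [
    BusinessAssociate("Claims Clearinghouse", 250000, 3, True, True, True, False, None, False),
    BusinessAssociate("Billing Service", 20000, 2, False, True, False, False, date(2008, 6, 15), False),
    BusinessAssociate("Shredding Vendor", 500, 1, False, True, False, False, date(2010, 3, 1), True),
]
```

Calling `prioritize(SAMPLE_BAS, TODAY)` ranks the clearinghouse (no assessment on file, prior breach, high sensitivity) for a full assessment, the billing service for a spot check, and the shredding vendor for a questionnaire only.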
While even the largest healthcare organizations are not likely to perform an onsite security assessment for each BA, our clients, ranging from small-to-medium sized organizations to Fortune 100s, have effectively utilized a risk-based approach to prioritize vendors by risk such that high-risk vendors are quickly isolated for further scrutiny. The process outlined above can systematically reduce risk in a rapid and cost-effective manner with a repeatable process that ensures accountability and documents an organization's dedication to a robust information security program.