Michael R. Overly, CISA, CRISC, CIPP, CISSP, ISSMP, Chanley T. Howell, and R. Michael Scarano
Newspapers and trade journals feature a growing number of stories detailing instances in which organizations have entrusted their most sensitive information and data to a vendor or other business partner only to see that information compromised because the vendor failed to implement appropriate information security safeguards. Worse yet, those same organizations are frequently found to have performed little or no due diligence regarding their vendors and have failed to adequately address information security in their vendor contracts, in many instances leaving the organizations without a meaningful remedy for the substantial harm they suffer as a result of a compromise. That harm may take a variety of forms: damage to business reputation, loss of business, potential liability to the data subjects, and regulatory and compliance issues. Recent studies by the Ponemon Institute have shown that, on average, a company will pay US $202 per record compromised and, in the aggregate, an average of US $6.6 million if it experiences a security breach.[1]
Those organizations, entities and individuals that provide health care services possess extremely sensitive and valuable information about patients, including both health and financial information. In today’s business and legal environments, health care providers must be far more careful when entering into vendor relationships in which the personally identifiable information (PII) of patients will be placed at risk. The US Health Information Technology for Economic and Clinical Health (HITECH) Act and its implementing regulations strengthen the privacy and security requirements of the US Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implementing regulations by imposing stringent new fines for violations and adding a wide range of new requirements. For example, the HITECH Act requires providers to notify patients, the government and, in some cases, the media of certain security breaches involving unsecured protected health information (PHI).
The US Department of Health and Human Services (HHS) has published guidance indicating that PHI (e.g., patient medical records) can be properly secured if it is encrypted or destroyed in accordance with HHS guidelines. This applies to PHI that is generated and used solely within the US and also to health care information that is generated overseas and then sent to the US to secure payment from a US payment source. If PHI is secured, it is not subject to the security breach notification requirements. However, it is virtually impossible to maintain PHI in an encrypted state while it is in use, i.e., while it is being created, viewed or modified. As a result, from a practical perspective, at any given moment, providers will have significant PHI at risk of a security breach that would trigger the notification requirements.
Health care providers frequently hire vendors, referred to as “business associates,” to perform services involving PHI, including services that require the business associate to create, view or modify PHI. Such PHI is also subject to the HITECH Act security breach notification requirements; however, if a business associate has a security breach that triggers the notification requirements, that business associate’s sole obligation under the HITECH Act is to notify the provider. The obligation to notify affected patients and to take other required action remains with the provider. There could be significant costs associated with security breach notification, including, but not limited to, the cost of creating and sending out the required notifications and responding to queries and complaints from affected patients, in addition to the costs to implement mitigation steps, such as free credit report monitoring. There may also be costs associated with negative publicity and investigation and enforcement actions by the HHS Office of Civil Rights or other agencies. If contractual provisions that address allocation of liability for costs associated with security breach notification requirements are not present, a provider will likely find itself liable for all costs connected to security breaches of PHI that were under the control of a business associate.
HIPAA and the HITECH Act contain requirements that providers must follow when contracting with business associates, including contractually binding their business associates to implement security measures to protect PHI. However, providers are not legally required to monitor a business associate’s contractual or statutory compliance with HIPAA and the HITECH Act. Although business associates are directly subject to the HIPAA Security Rule under the HITECH Act, as noted previously, much of the risk and liability associated with security breaches remains with the providers. As a result, in this new environment, providers should take a more regimented approach to security to further mitigate risk. The recommendations in this article are intended to reduce the likelihood of security breaches by ensuring that business associates are mandated to provide information security protections for handling PHI that comport with applicable law and industry best practices.
This article discusses three tools that providers can immediately put to use to substantially reduce the information security threats posed by their business associates, to ensure proper due diligence is conducted and documented, and to provide remedies in the event of a compromise.[2] Those tools are:
Whenever a business associate has access to an organization’s network, facilities, PHI, or other sensitive or valuable data, one or more of these tools should be used.
Use of these tools will enable a provider to achieve a number of important goals:
While this article focuses on US law, the concepts presented can be used in many other jurisdictions to mitigate the risk of sharing sensitive health care information with third parties. The laws of other jurisdictions frequently have much in common with HIPAA and HITECH, providing general frameworks for protecting information, but lacking specific guidance for protections such as those discussed in this article. Local counsel in relevant jurisdictions should be consulted to ensure compliance with the laws of that jurisdiction.
Providers may conduct some form of due diligence before entrusting business associates with PHI or with access to their systems; however, the due diligence is often done informally and in a nonuniform manner and is not clearly documented. In very few instances is the outcome of that due diligence actually incorporated into the parties’ contract. This ad hoc approach to due diligence may no longer be appropriate or reasonable in the context of today’s business and regulatory environment. To help to ensure proper documentation and uniformity of the due diligence process, especially for high-risk arrangements, providers should consider developing a standard due diligence questionnaire for prospective business associates to complete. Areas covered by the questionnaire would include: corporate responsibility, insurance coverage, financial condition, personnel practices, information security policies, physical security, logistical security, disaster recovery and business continuity, and other relevant issues.
Use of a standardized questionnaire has a number of significant benefits:
From the outset, business associates must be on notice that the information they provide as part of the due diligence process and, in particular, in response to the due diligence questionnaire, will be relied on in selecting the business associate and incorporated into and made a part of the final business associate agreement, together with the underlying services agreement between the parties. To be most effective, the questionnaire should be presented to potential business associates at the earliest possible stage in the relationship. It should be included as part of all relevant requests for proposal (RFPs) or, if no RFP is issued, as a stand-alone document during preliminary discussions with the business associate.
Key areas for the due diligence questionnaire include:
In the majority of engagements conducted by the authors, the underlying services contract entered into between a provider and its business associates has little or no specific language relating to information security. At most, there is a passing reference to undefined security requirements set forth in the business associate agreement and a basic confidentiality clause. Of course, the business associate agreement should contain language requiring the business associate to comply with HIPAA, including a requirement to implement reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, availability and integrity[6] of PHI. However, today’s best practices in business associate contracting suggest that far more specific language is required. Moreover, the personnel responsible for negotiating the underlying services agreement are often not those charged with negotiating the business associate agreement. As a result, there is often a disconnect between the risks to PHI implicated by the types of contemplated services and the terms to protect such PHI and the provider in the business associate agreement. Providers should consider inserting very specific language into underlying agreements, referencing information security provisions in the business associate agreement and clearly incorporating such an agreement into the underlying services agreement. The underlying services agreement and the business associate agreement should be read together to ensure that ambiguities related to information security are eliminated (e.g., confidentiality provisions in the underlying agreement that could be interpreted to apply to PHI and conflict with the terms of the business associate agreement).
Providers will likely have to amend their business associate agreements following the issuance of a final HITECH rule, expected sometime this year, which is anticipated to set forth specific requirements for such amendments. Many providers have already done so based on provisions in the HITECH statute and proposed rule. Although providers are advised to make the changes discussed in this article sooner rather than later, these mandated amendments will present a critical opportunity to more comprehensively address information security. In addition to other provisions that must be inserted under the HITECH Act, the following protections related to information security should be considered for inclusion in relevant business associate agreements:
Warranties
In addition to any standard warranties relating to how the services are to be performed and authority to enter into the underlying services agreement, the following specific warranties relating to information security should be considered for business associate agreements:
Specific Information Security Obligations
In addition to the provisions relating to the business associate’s compliance with the HIPAA Security Rule and generalized language relating to the business associate’s obligations to take all reasonable measures to prevent unauthorized uses or disclosures of PHI and to report all breaches or potential breaches of security to the provider, more specific information security obligations should be addressed. Where appropriate, specific language can be inserted requiring the business associate to secure and defend its information systems and facilities from unauthorized access or intrusion, to participate in joint security audits, to periodically test its systems and facilities for vulnerabilities, to use appropriate encryption and access control technology where applicable, and to use proper methods and techniques for destruction of PHI to render such PHI “secure” as set forth in the HHS guidance.
Indemnity
Along with general indemnity language, a specific provision should be included requiring the business associate to hold the provider harmless from claims, damages and expenses incurred by the provider resulting from a breach of the business associate’s security. That is, the business associate should protect the provider from lawsuits and other claims that result from the business associate’s failure to adequately secure its systems. In the past, indemnity provisions were often negotiated out of business associate agreements. However, in light of the heightened enforcement environment, including the authority conferred on state attorneys general to bring civil actions against providers, decisions to forgo indemnification should be reevaluated in light of the risk under each business associate arrangement.
Responsibility for Costs Associated With Security Breach Notification
As noted previously, there could be significant costs associated with security breach notification, including costs related to making the required notification and costs associated with negative publicity, governmental investigation and enforcement action. Provisions can be inserted into the business associate agreement that require the business associate to pay for all costs associated with security breach notification requirements if a security breach occurs with PHI in the control of the business associate.
Limitation of Liability
Most software/services agreements, and many other services agreements, have some form of “limitation of liability”—a provision designed to limit the type and extent of damages to which the contracting parties may be exposed. It is not uncommon to see these provisions disclaim the business associate’s liability for all consequential damages (e.g., lost profits, harm to the provider’s reputation) and limit all other liability to some fraction of the fees paid. These types of provisions are almost impossible to remove from most underlying services agreements, but it is possible to require the business associate to exclude from the limitations those damages flowing from the business associate’s breach of the business associate agreement, including breaches related to information security obligations. Without these exclusions, the contractual protections described previously would be illusory. If the business associate has no real liability for breach of privacy or confidentiality because the limitation of liability limits the damages the business associate must pay to a negligible amount, the provider’s contractual protections are rendered meaningless.
Confidentiality
The business associate agreement is the venue for protecting the privacy and security of PHI; however, a fully fleshed-out confidentiality clause should be the cornerstone for information security protections related to non-PHI in every underlying services agreement. The confidentiality clause should be drafted broadly to include all information the provider desires to be held in confidence. Specific examples of protected information should be included (e.g., source code, proprietary care plans, marketing plans, new product information, trade secrets, financial information). Although the term of confidentiality protection may be fixed (e.g., five years), ongoing, perpetual protection should be expressly provided for valuable information such as the trade secrets of the provider. Requirements stating that the provider mark relevant information as “confidential” or “proprietary” should be avoided. These types of requirements are unrealistic in the context of most arrangements. The parties frequently neglect to comply with these requirements, resulting in proprietary, confidential information being placed at risk. It is important to read carefully the confidentiality provision in conjunction with the protections for PHI under the business associate agreement to ensure that there is no ambiguity.
Audit Rights
The agreement should include clear rights permitting the provider to audit the business associate to confirm compliance with the terms of the agreement and applicable law, including HIPAA and HITECH. While reasonable limitations can be included regarding the number of times that audits may be conducted and their timing, providers should avoid any strict limitations (e.g., limiting audits to only once per year or imposing an excessive notice period before the audit can be conducted). The business associate must reasonably cooperate with the audit, including providing all appropriate documentation. Such cooperation should be at no cost to the provider. Finally, the audit language should require that the business associate furnish the provider with copies of all relevant third-party audit reports (e.g., SAS 70 Type II).
The final tool in minimizing business associate information security risks is an exhibit or statement of work that specifically defines the security requirements relevant for a particular transaction. For example, engagements in which PHI or other highly sensitive information will be entrusted to a business associate may require the business associate to observe strict practices in its handling of the information, e.g., the information security requirements exhibit may prohibit the business associate from transmitting the provider’s information over internal wireless networks (e.g., 802.11a/b/g) or from transferring that information to removable media that could be easily misplaced or lost. The exhibit may also contain specific requirements for the use of encryption and access control technology, and for decommissioning hardware and storage media on which the provider’s information was stored, to ensure that the information is properly scrubbed from the hardware and media. Other specific physical and technological security measures should be identified as relevant to the particular transaction.
An example security requirements exhibit is provided in figure 1.
Providers are presented with unique risk when they entrust PHI and their proprietary and confidential information to their business associates. The risk can be minimized by employing the tools discussed in this article: appropriate and uniform due diligence, use of specific contractual protections relating to information security, and—where relevant—use of exhibits or other attachments to the agreement detailing unique security requirements to be imposed on the business associate. Doing so will ensure that PHI is handled in a secure manner, not only in compliance with the baseline standards established in HIPAA and HITECH, but also at a level consistent with best practices used in the industry. The due diligence questionnaire will enable the provider to ask the right questions and obtain critical information—before the contract is entered—with respect to the ability of the business associate to adequately safeguard PHI. The contractual provisions establish the provider’s expectations with respect to privacy and security requirements, provide the basis for mandating that the business associate complies with those requirements, and give the provider remedies to assert a claim against the business associate in the event of the business associate’s failure to provide adequate privacy and security measures. Finally, the information security requirements exhibits allow the provider to customize the privacy and security requirements to fit the particular circumstances of the transaction, and they provide a level of detail that, ordinarily, would not be found in standard contractual provisions.
[1] Ponemon Institute, “Ponemon Study Shows the Cost of a Data Breach Continues to Increase,” www.ponemon.org/news-2/23
[2] These tools were developed by the authors from their professional experience.
[3] Op cit, Ponemon Institute.
[4] US Department of Health and Human Services (HHS), 45 Code of Federal Regulations (CFR) Parts 160 and 164, “Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information,” www.nacua.org/documents/HHSGuidance_SpecifyingTechnologiesMethodologiesRenderPHIUnusable.pdf
[5] Ibid.
[6] HHS, 45 CFR Part 164.314(a)(2)(i)(A)
Michael R. Overly, CISA, CRISC, CIPP, CISSP, ISSMP, is a partner in the Los Angeles, California, USA, office of Foley & Lardner LLP. He is chair of the Legal Working Group for the Cloud Standards Customer Council, an end-user advocacy group. He can be reached at firstname.lastname@example.org.
Chanley T. Howell is a partner in the intellectual property department of Foley & Lardner LLP. Howell represents companies in a variety of technology law areas, including data privacy, security compliance and technology-related agreements. He can be reached at email@example.com.
R. Michael Scarano is vice chair of Foley & Lardner LLP’s Health Care Industry Team and cochair of the firm’s Health IT Group. He can be reached at firstname.lastname@example.org.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
© 2011 ISACA. All rights reserved.