Developing a Unified Approach to Information Security in Business Associate Relationships 

 
Download Article Article in Digital Form

Newspapers and trade journals feature a growing number of stories detailing instances in which organizations have entrusted their most sensitive information and data to a vendor or other business partner only to see that information compromised because the vendor failed to implement appropriate information security safeguards. Worse yet, those same organizations are frequently found to have performed little or no due diligence regarding their vendors and have failed to adequately address information security in their vendor contracts, in many instances leaving the organizations without a meaningful remedy for the substantial harm they suffer as a result of a compromise. That harm may take a variety of forms: damage to business reputation, loss of business, potential liability to the data subjects, and regulatory and compliance issues. Recent studies by the Ponemon Institute have shown that, on average, a company will pay US $202 per record compromised and, in the aggregate, an average of US $6.6 million if it experiences a security breach.1

Those organizations, entities and individuals that provide health care services possess extremely sensitive and valuable information about patients, including both health and financial information. In today’s business and legal environments, health care providers must be far more careful when entering into vendor relationships in which the personally identifiable information (PII) of patients will be placed at risk. The US Health Information Technology for Economic and Clinical Health (HITECH) Act and its implementing regulations strengthen the privacy and security requirements of the US Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its implementing regulations by imposing stringent new fines for violations and adding a wide range of new requirements. For example, the HITECH Act requires providers to notify patients, the government and, in some cases, the media of certain security breaches involving unsecured protected health information (PHI).

The US Department of Health and Human Services (HHS) has published guidance indicating that PHI (e.g., patient medical records) can be properly secured if it is encrypted or destroyed in accordance with HHS guidelines. This applies to PHI that is generated and used solely within the US and also to health care information that is generated overseas and then sent to the US to secure payment from a US payment source. If PHI is secured, it is not subject to the security breach notification requirements. However, it is virtually impossible to maintain PHI in an encrypted state when it is in use, i.e., being created, viewed, modified. As a result, from a practical perspective, at any given moment, providers will have significant PHI at risk of a security breach that would trigger the notification requirements.

Health care providers frequently hire vendors, referred to as “business associates,” to perform services involving PHI, including services that require the business associate to create, view or modify PHI. Such PHI is also subject to the HITECH Act security breach notification requirements; however, if a business associate has a security breach that triggers the notification requirements, that business associate’s sole obligation under the HITECH Act is to notify the provider. The obligation to notify affected patients and to take other required action remains with the provider. There could be significant costs associated with security breach notification, including, but not limited to, the cost of creating and sending out the required notifications and responding to queries and complaints from affected patients, in addition to the costs to implement mitigation steps, such as free credit report monitoring. There may also be costs associated with negative publicity and investigation and enforcement actions by the HHS Office of Civil Rights or other agencies. If contractual provisions that address allocation of liability for costs associated with security breach notification requirements are not present, a provider will likely find itself liable for all costs connected to security breaches of PHI that were under the control of a business associate.

HIPAA and the HITECH Act contain requirements that providers must follow when contracting with business associates, including contractually binding their business associates to implement security measures to protect PHI. However, providers are not legally required to monitor a business associate’s contractual or statutory compliance with HIPAA and the HITECH Act. Although business associates are directly subject to the HIPAA Security Rule under the HITECH Act, as noted previously, much of the risk and liability associated with security breaches remains with the providers. As a result, in this new environment, providers should take a more regimented approach to security to further mitigate risk. The recommendations in this article are intended to reduce the likelihood of security breaches by ensuring that business associates are mandated to provide information security protections for handling PHI that comport with applicable law and industry best practices.

This article discusses three tools that providers can immediately put to use to substantially reduce the information security threats posed by their business associates, to ensure proper due diligence is conducted and documented, and to provide remedies in the event of a compromise.2 Those tools are:

  1. A due diligence questionnaire
  2. Key contractual protections
  3. An information security requirements exhibit

Whenever a business associate has access to an organization’s network, facilities, PHI, or other sensitive or valuable data, one or more of these tools should be used.

Use of these tools will enable a provider to achieve a number of important goals:

  • Reduce the risk of security breaches that trigger notification requirements under the HITECH Act and minimize potential liability. As noted previously, costs arising out of security breaches and those associated with security breach notifications can be substantial.3 In addition to investigations by the Office of Civil Rights or other government agencies, security breaches could result in actions by state attorneys general.
  • Protect valuable assets of the provider. In many instances, a provider’s proprietary and confidential information is the most important asset of the company (e.g., new service lines, future marketing activities, prospective transactions, trade secret information, source code). Such information in the hands of a competitor could result in material harm for the provider. For publicly traded providers, a compromise of corporate data may result in shareholder suits against the officers of the corporation for failure to exercise reasonable business judgment in protecting that information.
  • Create contractual remedies for providers in the event of a security breach by a business associate.
  • Establish that the provider has used due diligence in protecting both PHI and its information systems. In the event of a compromise, the tools will assist the provider in documenting its efforts to minimize risk.
  • Protect the provider’s reputation, and avoid the public embarrassment associated with a security compromise.

While this article focuses on US law, the concepts presented can be used in many other jurisdictions to mitigate the risk of sharing sensitive health care information with third parties. The laws of other jurisdictions frequently have much in common with HIPAA and HITECH, providing general frameworks for protecting information, but lacking specific guidance for protections such as those discussed in this article. Local counsel in relevant jurisdictions should be consulted to ensure compliance with the laws of that jurisdiction.

The First Tool:  A Due Diligence Questionnaire

Providers may conduct some form of due diligence before entrusting business associates with PHI or with access to their systems; however, the due diligence is often done informally and in a nonuniform manner and is not clearly documented. In very few instances is the outcome of that due diligence actually incorporated into the parties’ contract. This ad hoc approach to due diligence may no longer be appropriate or reasonable in the context of today’s business and regulatory environment. To help to ensure proper documentation and uniformity of the due diligence process, especially for high-risk arrangements, providers should consider developing a standard due diligence questionnaire for prospective business associates to complete. Areas covered by the questionnaire would include: corporate responsibility, insurance coverage, financial condition, personnel practices, information security policies, physical security, logistical security, disaster recovery and business continuity, and other relevant issues.

Use of a standardized questionnaire has a number of significant benefits:

  • It provides a uniform, ready-made framework for due diligence.
  • It ensures an “apples-to-apples” comparison of business associate responses.
  • It ensures that all key areas of diligence are addressed and that none are overlooked.
  • It provides an easy means of incorporating the due diligence information directly into the parties’ contract. That is, the completed questionnaire can be attached as an exhibit to the final business associate agreement that will be executed along with the underlying services agreement.

From the outset, business associates must be on notice that the information they provide as part of the due diligence process and, in particular, in response to the due diligence questionnaire, will be relied on in selecting the business associate and incorporated into and made a part of the final business associate agreement, together with the underlying services agreement between the parties. To be most effective, the questionnaire should be presented to potential business associates at the earliest possible stage in the relationship. It should be included as part of all relevant requests for proposal (RFPs) or, if no RFP is issued, as a stand-alone document during preliminary discussions with the business associate.

Key areas for the due diligence questionnaire include:

  • HIPAA and HITECH compliance:
    • Has the business associate implemented approved means to render PHI unusable, unreadable or indecipherable to unauthorized individuals?4 If so, what means are used?
    • Has the business associate been the subject of any breaches of security or confidentiality with regard to PHI in the last five years? If so, what are the details of those events?
    • Has the business associate developed a program to detect and prevent identity theft?
    • Does the business associate provide specific training to its personnel regarding the requirements of HIPAA and HITECH? When is training conducted, and how much is conducted?
  • Information security in general:
    • Does the business associate have an established policy to ensure that potential or actual security incidents are promptly reported to the relevant company personnel?
    • Does the business associate have a written information security policy? How often is the policy reviewed and updated? When was the last update?
    • Has the business associate conducted a recent Statement on Auditing Standards (SAS) No. 70 Type II audit? Were any deficiencies corrected? Is a copy of the audit report available for review? How often does the business associate conduct audits?
    • Does the business associate have a policy controlling transfer of PHI to removable media?
  • The business associate’s financial condition:
    • Is the business associate a private or public company?
    • Can the provider obtain copies of the most recent financial statements? Financial condition may not appear to be a critical factor for information security purposes, but the possibility that a business associate may file bankruptcy or simply cease to do business while in possession of a provider’s most sensitive information presents a substantial risk, especially in the current economic environment. In such instances, it may be difficult, if not impossible, to retrieve the data and ensure that they have been properly scrubbed from the business associate’s information systems.
  • Insurance coverage:
    • What types of coverage does the business associate have?
    • What are the coverage limits and other terms?
    • Are the coverage claims made or occurrence based?
    • Does the business associate’s insurance cover liability related to privacy violations or security breaches?
  • Corporate responsibility:
    • Are there, for example, any criminal convictions, recent material litigation, or instances in which the business associate has had a substantial compromise of security or been investigated for privacy violations?
  • Subcontractors:
    • Will the business associate require the use of any subcontractors or affiliates in the performance of its services?
    • Will the business associate use subcontractors or affiliates outside of the country in which the provider is based?
    • Where are the subcontractors and affiliates located?
    • What types of services will the subcontractors provide?
    • What information, if any, of the provider will be sent to these entities? In the US, transmission of PHI to contractors or subcontractors located outside of the US has been identified as creating unique risk. Such entities will not be subject to US court jurisdiction. There have been highly publicized reports of situations in which PHI was potentially subject to unauthorized disclosure.
  • Organizational security procedures:
    • What are the business associate’s information handling policies?
    • Does it have a dedicated information security team?
    • Is there an incident response team?
    • What are the business associate’s information security practices with contractors and agents (e.g., due diligence, requisite nondisclosure agreements, specific contractual obligations relating to information security)?
  • Physical security:
    • What physical security measures and procedures does the business associate employ?
  • Encryption:
    • Does the business associate use encryption to protect PHI and other sensitive information?
    • Is the method of encryption consistent with the HHS guidelines?5
  • Destruction:
    • Does the business associate destroy PHI and other sensitive information through appropriate methods, such as shredding paper, film or other hard copies and clearing, purging or destroying electronic media in accordance with HIPAA requirements?
  • Technological security:
    • Does the business associate have appropriate access controls and logging/audit trail capabilities?
    • Does the business associate use system access control on its systems to limit information access to only those of its personnel who are specifically authorized?
  • Policies:
    • If PHI is at risk, does the business associate have an information security policy and privacy policy?
    • What is the revision history of its policies?
    • Are there any instances in which the business associate has had to report a significant breach of security?
  • Contingency plans:
    • What are the business associate’s business continuity/ disaster recovery plans? When was their last test? When was their last audit, and were there any adverse findings in the audit? Have deficiencies been corrected?
    • What is the revision history of the plan?
    • What security procedures are followed at the recovery site?
  • Special issues for software developers:
    • If the business associate is a software developer, what are its development and maintenance procedures?
    • What security controls are used during the development life cycle?
    • Does the business associate conduct security testing of its software?
    • Does the business associate maintain separate environments for testing and production?
    • Does the business associate license code from third parties for incorporation into its products, and if so, what types of code?

The Second Tool:  Key Contractual Protections

In the majority of engagements conducted by the authors, the underlying services contract entered into between a provider and its business associates has little or no specific language relating to information security. At most, there is a passing reference to undefined security requirements set forth in the business associate agreement and a basic confidentiality clause. Of course, the business associate agreement should contain language requiring the business associate to comply with HIPAA, including a requirement to implement reasonable and appropriate administrative, physical and technical safeguards to protect the confidentiality, availability and integrity6 of PHI. However, today’s best practices in business associate contracting suggest that far more specific language is required. Moreover, the personnel responsible for negotiating the underlying services agreement are often not those charged with negotiating the business associate agreement. As a result, there is often a disconnect between the risks to PHI implicated by the types of contemplated services and the terms to protect such PHI and the provider in the business associate agreement. Providers should consider inserting very specific language into underlying agreements, referencing information security provisions in the business associate agreement and clearly incorporating such an agreement into the underlying services agreement. The underlying services agreement and the business associate agreement should be read together to ensure that ambiguities related to information security are eliminated (e.g., confidentiality provisions in the underlying agreement that could be interpreted to apply to PHI and conflict with the terms of the business associate agreement).

Providers will likely have to amend their business associate agreements following the issuance of a final HITECH rule, expected sometime this year, which is anticipated to set forth specific requirements for such amendments. Many providers have already done so based on provisions in the HITECH statute and proposed rule. Although providers are advised to make the changes discussed in this article sooner rather than later, these mandated amendments will present a critical opportunity to more comprehensively address information security. In addition to other provisions that must be inserted under the HITECH Act, the following protections related to information security should be considered for inclusion in relevant business associate agreements:

  • Warranties
  • Specific information security obligations
  • Indemnity
  • Responsibility for costs associated with security breach notification
  • Limitation of liability
  • Confidentiality
  • Audit rights

Warranties
In addition to any standard warranties relating to how the services are to be performed and authority to enter into the underlying services agreement, the following specific warranties relating to information security should be considered for business associate agreements:

  • A warranty requiring the business associate to comply with “best industry practices relating to information security” (the quoted material indicates the proposed language to be used in the warranty)
  • A warranty of compliance with the provider’s privacy policy in accessing, using, disclosing and intentionally releasing PHI
  • A warranty against sending PHI to offshore subcontractors or affiliates, unless specifically authorized to do so by the provider
  • A warranty stating that the business associate’s responses to the due diligence questionnaire are true and correct, if a due diligence questionnaire has been completed. The warranty should be attached as an exhibit to the contract.

Specific Information Security Obligations
In addition to the provisions relating to the business associate’s compliance with the HIPAA Security Rule and generalized language relating to the business associate’s obligations to take all reasonable measures to prevent unauthorized uses or disclosures of PHI and to report all breaches or potential breaches of security to the provider, more specific information security obligations should be addressed. Where appropriate, specific language can be inserted requiring the business associate to secure and defend its information systems and facilities from unauthorized access or intrusion, to participate in joint security audits, to periodically test its systems and facilities for vulnerabilities, to use appropriate encryption and access control technology where applicable, and to use proper methods and techniques for destruction of PHI to render such PHI “secure” as set forth in the HHS guidance.

Indemnity
Along with general indemnity language, a specific provision should be included requiring the business associate to hold the provider harmless from claims, damages and expenses incurred by the provider resulting from a breach of the business associate’s security. That is, the business associate should protect the provider from lawsuits and other claims that result from the business associate’s failure to adequately secure its systems. In the past, indemnity provisions were often negotiated out of business associate agreements. However, in light of the heightened enforcement environment, including the authority conferred on state attorneys general to bring civil actions against providers, decisions to forego indemnification should be reevaluated in light of the risk under each business associate arrangement.

Responsibility for Costs Associated With Security Breach Notification
As noted previously, there could be significant costs associated with security breach notification, including costs related to making the required notification and costs associated with negative publicity, governmental investigation and enforcement action. Provisions can be inserted into the business associate agreement that require the business associate to pay for all costs associated with security breach notification requirements if a security breach occurs with PHI in the control of the business associate.

Limitation of Liability
Most software/services agreements, and many other services agreements, have some form of “limitation of liability”—a provision designed to limit the type and extent of damages to which the contracting parties may be exposed. It is not uncommon to see these provisions disclaim the business associate’s liability for all consequential damages (e.g., lost profits, harm to the provider’s reputation) and limit all other liability to some fraction of the fees paid. These types of provisions are almost impossible to remove from most underlying services agreements, but it is possible to require the business associate to exclude from the limitations those damages flowing from the business associate’s breach of the business associate agreement, including breaches related to information security obligations. Without these exclusions, the contractual protections described previously would be illusory. If the business associate has no real liability for breach of privacy or confidentiality because the limitation of liability limits the damages the business associate must pay to a negligible amount, the providers’ contractual protections are rendered meaningless.

Confidentiality
The business associate agreement is the venue for protecting the privacy and security of PHI; however, a fully fleshed-out confidentiality clause should be the cornerstone for information security protections related to non-PHI in every underlying services agreement. The confidentiality clause should be drafted broadly to include all information the provider desires to be held in confidence. Specific examples of protected information should be included (e.g., source code, proprietary care plans, marketing plans, new product information, trade secrets, financial information). Although the term of confidentiality protection may be fixed (e.g., five years), ongoing, perpetual protection should be expressly provided for valuable information such as the trade secrets of the provider. Requirements stating that the provider mark relevant information as “confidential” or “proprietary” should be avoided. These types of requirements are unrealistic in the context of most arrangements. The parties frequently neglect to comply with these requirements, resulting in proprietary, confidential information being placed at risk. It is important to read carefully the confidentiality provision in conjunction with the protections for PHI under the business associate agreement to ensure that there is no ambiguity.

Audit Rights
The agreement should include clear rights permitting the provider to audit the business associate to confirm compliance with the terms of the agreement and applicable law, including HIPAA and HITECH. While reasonable limitations can be included regarding the number of times that audits may be conducted and their timing, providers should avoid any strict limitations (e.g., limiting audits to only once per year or imposing an excessive notice period before the audit can be conducted). The business associate must reasonably cooperate with the audit, including providing all appropriate documentation. Such cooperation should be at no cost to the provider. Finally, the audit language should require that the business associate furnish the provider with copies of all relevant third-party audit reports (e.g., SAS 70 Type II).

The Third Tool:  An Information Security Requirements Exhibit

The final tool in minimizing business associate information security risks is an exhibit or statement of work that specifically defines the security requirements relevant for a particular transaction. For example, engagements in which PHI or other highly sensitive information will be entrusted to a business associate may require the business associate to observe strict practices in its handling of the information, e.g., the information security requirements exhibit may prohibit the business associate from transmitting the provider’s information over internal wireless networks (e.g., 802.11a/b/g) or from transferring that information to removable media that could be easily misplaced or lost. The exhibit may also contain specific requirements for use of encryption and access control technology, decommissioning hardware and storage media on which the provider’s information was stored to ensure that the information is properly scrubbed from the hardware and media. Other specific physical and technological security measures should be identified as relevant to the particular transaction.

An example security requirements exhibit is provided in figure 1.

Figure 1

Conclusion

Providers are presented with unique risk when they entrust PHI and their proprietary and confidential information to their business associates. The risk can be minimized by employing the tools discussed in this article: appropriate and uniform due diligence, use of specific contractual protections relating to information security, and—where relevant—use of exhibits or other attachments to the agreement detailing unique security requirements to be imposed on the business associate. Doing so will ensure that PHI is handled in a secure manner, not only in compliance with the baseline standards established in HIPAA and HITECH, but also at a level consistent with best practices used in the industry. The due diligence questionnaire will enable the provider to ask the right questions and obtain critical information—before the contract is entered—with respect to the ability of the business associate to adequately safeguard PHI. The contractual provisions establish the provider’s expectations with respect to privacy and security requirements, provide the basis for mandating that the business associate complies with those requirements, and give the provider remedies to assert a claim against the business associate in the event of the business associate’s failure to provide adequate privacy and security measures. Finally, the information security requirements exhibits allow the provider to customize the privacy and security requirements to fit the particular circumstances of the transaction, and they provide a level of detail that, ordinarily, would not be found in standard contractual provisions.

Endnotes

1 Ponemon Institute, “Ponemon Study Shows the Cost of a Data Breach Continues to Increase,” www.ponemon.org/news-2/23
2 These tools were developed by the authors from their professional experience.
3 Op cit, Ponemon Institute.
4 US Department of Health and Human Services (HHS), 45 Code of Federal Regulations (CFR) Parts 160 and 164, “Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under Section 13402 of Title XIII (Health Information Technology for Economic and Clinical Health Act) of the American Recovery and Reinvestment Act of 2009; Request for Information,” www.nacua.org/documents/HHSGuidance_SpecifyingTechnologiesMethodologiesRenderPHIUnusable.pdf
5 Ibid.
6 HHS, 45 CFR Part 164.314(a)(2)(i)(A)

Michael R. Overly, CISA, CRISC, CIPP, CISSP, ISSMP
is a partner in the Los Angeles, California, USA, office of Foley & Lardner LLP. He is chair of the Legal Working Group for the Cloud Standards Customer Council, an end-user advocacy group. He can be reached at moverly@foley.com.

Chanley T. Howell
is a partner in the intellectual property department of Foley & Lardner LLP. Howell represents companies in a variety of technology law areas, including data privacy, security compliance and technology-related agreements. He can be reached at chowell@foley.com.

R. Michael Scarano
is vice chair of Foley and Lardner LLP’s Health Care Industry Team and cochair of the firm’s Health IT Group. He can be reached at mscarano@foley.com.


Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2011 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.