Law360, New York (January 24, 2013, 12:49 PM ET) -- The 2010 theft of an unencrypted laptop containing confidential health care information made front-page news in 2013, not because a huge number of patients were affected, but for the exact opposite reason. On Jan. 2, 2013, the U.S. Department of Health and Human Services Office of Civil Rights announced that it had reached a settlement with the Hospice of North Idaho for potential violations of the Health Insurance Portability and Accountability Act of 1996 security rule arising from the theft of its laptop. It was the first settlement involving a breach of unsecured electronic protected health information (ePHI) affecting fewer than 500 individuals. To be specific, information concerning "only" 441 patients was at issue. When announcing the $50,000 settlement, the head of the OCR indicated that the agency was intentionally sending "a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information."
Just a few weeks after this pronouncement, the long awaited HIPAA/Health Information Technology for Economic and Clinical Health Act final rule was released. One of the changes announced in the final rule was that the definition of "breach" has been modified to make clear that an impermissible use or disclosure of PHI is presumed to be a breach unless the covered health care provider (HCP) or business associate (BA) adequately demonstrates that there is a low probability that the PHI has been compromised.
All this comes on the heels of the Ponemon Institute's Third Annual Benchmark Study on Patient Privacy & Data Security, released on Dec. 6, 2012, which found that 94 percent of health care providers in the study had at least one data breach in the past two years, and 45 percent report that they had more than five breaches. Ponemon estimated the average economic impact of the data breaches over the past two years to be $2.4 million for the HCPs that participated in the study, and that the average annual cost to the healthcare industry could potentially reach almost $7 billion.
Data breaches in the health care industry are taking place against a national backdrop of anxiety about data security. FBI director Robert Mueller has predicted that cybercrime will soon eclipse terrorism as the agency's top priority. He recently stated: "There are only two types of companies: those that have been hacked, and those that will be. Even that is merging into one category: those that have been hacked and will be again."
The harm inflicted by a data breach can run the gamut from regulatory fines, business interruption, civil litigation and credit card provider penalties to reputational harm. But if data breaches present difficult challenges even for the nation's top law enforcement agency, what can HCPs do to ensure that they protect PHI and comply with an increasingly complex and punitive regulatory environment? Obvious steps include employee training, establishment of comprehensive formal organizational policies and procedures, incorporation of security technologies, and the purchase of cyber insurance to assist with the response to and the mitigation of damages from a data breach.
But an often overlooked component of an organization's data security risk management plan is addressing the issue with the vendors with whom HCPs routinely share PHI. Data security is an important subject that must be addressed at the time of contracting, and renewing contracts, with any third party that will have access to PHI, even if the access is incidental. In fact, the new final rule specifically requires that contracts with such vendors mandate their compliance with certain HIPAA privacy and security rule requirements. The final rule also makes clear that vendors will be directly liable for such compliance.
The following is an overview of contractual provisions that should be considered by HCPs when managing vendor relationships, with a focus on cloud-delivered solutions. Though cloud computing presents undeniable security and reputational risks, the economic benefits and technological possibilities associated with it are too profound for any chief information officer to ignore, and its proliferation in the health care space seems more inevitable with each passing week. As HCPs seek to run leaner, more efficient operations in the 21st-century global marketplace, they have no choice but to consider the economic benefits of shared-resource computing.
Due Diligence
For HCPs to discharge their duty of care to safeguard patient information, they must conduct thorough, technical, compliance-focused due diligence when comparing vendors that may house ePHI, in order to assess each vendor's security infrastructure and environment. Front-end due diligence can expose security issues that may be resolved through the contracting process, when the HCP has maximum leverage, or that disqualify use of the vendor. It is better to identify these up front.
In the precontracting phase, vendors may legitimately require limited access to the HCP's systems and network in order to scope the project and provide fee estimates, potentially exposing them to ePHI. HIPAA requires an HCP providing access to its ePHI to execute a business associate agreement ("BAA") with the vendor designed to protect the confidentiality, integrity and availability of ePHI. Pursuant to HIPAA, BAAs are required of any vendor providing services that utilize ePHI (even for incidental access). Executing the BAA before any access is also good practice, since the precontract stage is where reputational exposure is great should an incident occur without a BAA in place. As made clear in the final rule, BAAs must also be executed by any downstream subcontractor of the vendor that may have access to ePHI.
Who Owns the Data?
As intuitive as this may be, the contract should address who owns the data. In some instances, the vendor will never own the data even though the vendor may have notification obligations under state or federal law if the data leaves the vendor's control. In other instances, the data may be shared with another HIPAA-covered entity (CE), and the other CE, such as a health plan, may be considered the owner of the data. The new HIPAA requirements regulating the use of patient data for marketing, and the strict federal and state laws governing notification, provide all HCPs with a clear reason to devote increased attention to contractual language regarding who the data owner is in any third-party relationship, as well as limitations on how the data may be used.
Data Return and Export
Will the HCP be provided with an application programming interface necessary to export data independently? The HCP should require the vendor to return, or destroy, all data in the vendor's possession at any time upon the HCP's request, and upon contract termination. Some of the largest privacy incidents have occurred because of lost or forgotten data.
Third-Party Reviews
The HCP may request confirmation that third-party reviews of the vendor's system infrastructure and environment have occurred, each of which can be attached to and incorporated into the contract. Examples, depending on the nature of the vendor's services, include:
Certification of its information security management and control system. A commonly utilized standard is the International Organization for Standardization and International Electrotechnical Commission 27001 ("ISO 27001") certification. ISO 27001 specifies requirements for the establishment, implementation, monitoring, review, maintenance and improvement of a management system for managing an organization's information security risks.
Independent audit of management's description of a vendor's system and the suitability of the design and operating effectiveness of its controls, in the form of a Statement on Standards for Attestation Engagements No. 16 ("SSAE 16") Type II review.
Report on the vendor's controls relevant to security, availability, processing integrity, confidentiality and/or privacy, in the form of a Service Organization Control (SOC) 2 report.
Application security assessment tests (performed by an independent third party) designed to identify application security issues and put them in the context of the vendor's environment, including evaluation of security controls.
Other Security Requirements
- encryption of data in transit and at rest;
- encryption of Web-facing applications;
- background checks on employees with access to ePHI;
- vendor application of latest security patches; and
- biometric card access to data center.
Breach Notification
In addition to the new breach analysis standards for notification under the final rule, the vendor also must promptly notify the HCP of all breaches of security, and immediately notify the HCP of all breaches of sensitive information including ePHI. The HCP must control the response to the security breach, including the decision as to whether public disclosure is required. The HCP must also be afforded the opportunity to investigate the breach with its own resources, either on-site or remotely through the vendor's computing resources.
The HCP may also want to consider being notified of any impermissible uses or disclosures, not just those that rise to the level of a breach. First, this allows the HCP to monitor the practices of the vendor to determine whether it wants to continue the relationship. Second, it provides the HCP with control over what it considers to be a breach; in some instances, the vendor's philosophy or approach to breach analysis might differ from the HCP's. Notwithstanding the legal requirements to notify when a breach occurs, these events are a reputational issue, and it is the HCP's reputation that is typically the target regardless of who caused the breach.
Compliance With Laws
The HCP may require the vendor to agree to comply with all applicable information security and privacy laws. Examples include HIPAA, HITECH, the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, Nevada NRS 603A.215 and the EU Data Protection Directive. Notably, the final rule makes clear that HIPAA provides a federal floor of privacy protections and that states are free to impose more stringent protections.
Subcontractors
The HCP should require, at a minimum, notification of, or the right to approve, the use of any third parties providing services comprising any part of the overall solution. Particularly for software-as-a-service, third parties often provide back-end infrastructure and have contractual privity with only the vendor; in such instances the HCP will need transparency into the infrastructure provider's system environment and security protocols, including the third-party reviews described above.
Data Center Location
The geographical location of all data centers processing ePHI must be indicated in order for the HCP to assure compliance with data import/export regulations and local laws. Moreover, the location of the data may expose the HCP to personal jurisdiction in that location even though that was not the HCP's intent.
Audit Rights
The HCP must have the right to monitor and/or audit the vendor's performance of its obligations, including the ability to have the HCP's third-party auditors conduct reviews on-site at the vendor. HCPs must be careful with the language they use to assert this right. In some situations, if HCPs do nothing, they could be deemed negligent. Also, HIPAA requires that if the HCP is aware of ongoing conduct by a BA that violates HIPAA, the HCP must intervene.
Governmental and Third-Party Requests
The vendor must notify the HCP of all requests for disclosure of personal data by any party, including law enforcement or other government representatives, and give the HCP control over the response.
Service Level Agreements
Particularly for critical applications, the HCP may require uptime guarantees and predictable maintenance windows during periods of minimal disruption. Monetary credits may be given for failure to meet such standards. The HCP may also require defined response times and escalation procedures for service problems, with monetary penalties for failure to meet standards.
Indemnification
Together with limitation of liability, indemnification provides a framework for addressing risk allocation. The HCP may seek that the vendor indemnify it for harm caused to third parties by: claims that use of the services infringes third-party intellectual property rights, the vendor's breach of confidentiality obligations, the vendor's breach of data security/privacy obligations and the vendor's noncompliance with laws. Be sure to address notification costs separately, so that a third-party claim is not the only trigger if a disclosure occurs. Fault should not be a factor in the duty to indemnify, since many losses occur without fault on the part of the vendor, e.g., theft of a laptop.
Limitation of Liability
The HCP may seek to obtain liability protection commensurate with the monetary value and organizational importance of the services provided, with a high cap for critical applications. Carving significant events out of the liability limitation is optimal for the HCP, including: the vendor's indemnification obligations, breach of confidentiality, noncompliance with laws and gross negligence/willful misconduct.
Business Continuity/Disaster Recovery
The vendor should provide copies of its business continuity and disaster recovery plans, which may be attached and incorporated into the contract. The HCP should vet these to ensure they comport with organizational standards.
Emergency Resource Allocation
The HCP may require that in the event of disasters/emergencies, the vendor will allocate resources to it as favorably as to any other customer receiving similar services.
Suspension of Services
Particularly for critical applications, the HCP should require ample notice, with time to cure, before the vendor is permitted to suspend services for any breach of contract. One can envision the horrific harm caused by an unexpected, sudden outage of core hospital functionality.
Termination and Transition
Long-term contracts and/or robust termination fees may restrict the HCP's ability to move away from the vendor, which may be particularly problematic if security concerns arise; they should be avoided to the extent practicable. As a practical measure, and to the extent possible, the HCP may consider engaging multiple providers to avoid over-reliance on one vendor.
The vendor may be obligated to assist with data export and other transition away from its services.
Data Breach Insurance
Increasingly, the HCP will require vendors to obtain adequate data breach insurance, so-called cyber insurance, covering both data loss and data breach response, which can include hiring attorneys, notifying attorneys general, conducting investigations, notifying impacted patients/customers and other costly measures. Requiring vendors to carry cyber insurance creates greater assurance that a major data breach won't bankrupt the vendor and increases the likelihood that the vendor will uphold its contractual obligations for financial compensation. Care should be taken to ensure that the vendor's coverage fits well with the HCP's coverage, to provide as much protection to both parties as possible in the event of any type of breach.
Dispute Resolution
Arbitration can serve as an efficient, cost-effective means to resolve disputes; consequently, it is increasingly identified as the dispute resolution mechanism in vendor agreements. Regardless, HCPs should carve out the right to seek immediate judicial relief for breaches of confidentiality or intellectual property rights.
The complexity of data security issues cannot be overstated in today's health care environment. The stakes couldn't be higher and the legal and regulatory environment seems to be changing on a daily basis. HCPs are encouraged to seek competent professional advice to protect their patients' PHI and ePHI as well as the HCP's own viability and reputation, when contracting with vendors who will be entrusted with PHI and ePHI.