The action response to a business associates data breach

In January 2024 alone, there were nine data breaches reported by business associates, affecting 644,716 records, as documented by the Health and Human Services Office for Civil Rights (HHS OCR). These incidents compromise the data's integrity and impact patients' privacy and security under the healthcare organizations they serve. This is where an action response plan becomes indispensable. This delineates the steps covered entities and their business associates will undertake after a data breach.

What happens when a business associate suffers from a data breach

The response of a business associate to a data breach significantly differs based on whether they have direct liability for the breach under HIPAA and the HITECH Act provisions or if the breach falls outside their direct liability.

According to HHS guidance materials, a business associate has direct liability for a breach, they are directly responsible for the incident's management and compliance with the HIPAA Breach Notification Rule. The actions expected from a business associate include:

• Immediate securing of data: Take immediate steps to secure data and prevent further unauthorized access or data loss.
• Investigation: Conduct a thorough investigation to understand the breach's cause and scope, often involving forensic experts.
• Notification to covered entities: Promptly notify any affected covered entities to allow them to fulfill their notification obligations under HIPAA.
• Cooperation with investigations: Cooperate with any investigations conducted by covered entities, HHS, or other regulatory bodies.
• Mitigation efforts: Implement measures to mitigate the effects of the breach on affected individuals and reduce the risk of future breaches.
• Review and enhance security measures: Review existing security protocols and enhance them to prevent similar breaches.

Conversely, if a business associate is not directly liable for a breach—perhaps because the breach occurred at a subcontractor or another entity down the chain—they are still expected to cooperate fully with the covered entity in responding to the breach. This includes providing all necessary information to the covered entity and assisting in the breach investigation and notification process, even though the primary responsibility for managing the breach and compliance requirements falls to the entity directly liable under HIPAA. 

When is a business associate directly responsible for data breaches

1. Failing to secure protected health information (PHI) as required by the Security Rule.
2. Not providing breach notification to a covered entity or another business associate.
3. Making impermissible uses and disclosures of PHI.
4. Not disclosing a copy of electronic PHI to the covered entity or the individual (or their designee) upon request.
5. Not limiting PHI to the minimum necessary to accomplish the intended purpose.
6. Failing to provide an accounting of disclosures in certain circumstances.
7. Not entering into or complying with the HIPAA-required business associate agreements with subcontractors that create or receive PHI on their behalf.
8. Failing to address a material breach or violation of the subcontractor’s business associate agreement.

The responsibility of the covered entity 

The covered entity's responsibility starts with an in-depth collaboration with the business associate to gain a comprehensive understanding of the breach, including which types of data were exposed and the overall scope of the incident. Armed with this information, the covered entity is required to conduct a thorough assessment to gauge the breach's impact on the privacy and security of patients' information. This evaluation assists in formulating a precise notification strategy, which may involve informing affected individuals, the HHS OCR, and, depending on the breach's severity, the broader public through media channels.

This situation also demands that the covered entity scrutinize its existing data protection strategies in partnership with the business associate. This scrutiny is not just about addressing the immediate fallout but also about reinforcing defenses against future incidents. It involves a careful review of the current security measures and compliance procedures, identifying any vulnerabilities that the breach has exposed, and implementing enhanced safeguards. 

The role of an action response plan 

An action response plan is comprehensive, flexible, and adaptable, ensuring that covered entities are well-prepared to manage the complexities of a data breach involving a business associate effectively. This specialized plan accounts for the unique dynamics between covered entities and their business associates, including the flow of PHI and the direct liability of business associates. This provides specific steps for a targeted response to an external breach which allows these organizations to avoid the lag that comes with reworking alternative responses to special circumstances.

The components of a good action response plan

1. Identification and notification procedures: Clear guidelines on how breaches are identified, reported, and escalated within the organization and to relevant business associates.
2. Roles and responsibilities: Specific roles and responsibilities for internal teams and business associates during the breach response, including legal, IT, compliance, and communication teams.
3. Communication strategy: Protocols for communicating with internal stakeholders, affected individuals, business associates, and regulatory bodies, ensuring transparency and compliance.
4. Investigation process: Steps for conducting a thorough investigation into the breach, including the involvement of forensic experts and collaboration with business associates.
5. Risk assessment guidelines: Procedures for assessing the breach's impact on PHI security and patient privacy, and determining the risk of harm to affected individuals.
6. Notification timelines: Adherence to HIPAA required timelines for notifying affected individuals, the HHS OCR, and, if necessary, the media.
7. Mitigation strategies: Plans for addressing and mitigating the immediate effects of the breach, and strategies to prevent future incidents.
8. Documentation and reporting: Requirements for documenting the breach response process and outcomes, and guidelines for reporting to regulatory agencies as required.

How to implement an effective response plan in healthcare

Develop a clear understanding of business associate agreements

Review and understand the specifics of the business associate agreements (BAAs) to determine the responsibilities and liabilities of the business associates in case of a data breach. When encountering unclear or unfavorable terms, contact the business associate to receive clarification. 

Inventory and classify data shared with business associates

Catalog the types of PHI and other sensitive data shared with each business associate. Then, to prioritize response efforts, this data must be classified based on sensitivity and regulatory requirements.

Establish direct communication lines

Set up direct communication lines with key contacts at the business associates for use in the event of a breach. Regularly update these contacts to ensure they are current and use secure methods of communication like HIPAA compliant email.

Create specific breach notification protocols

Define clear protocols for how and when business associates should provide notification of a breach. Include requirements for initial notifications and follow-up reports detailing the breach’s scope and impact.

Integrate into the overall incident response plan

Ensure the action response plan specifically addresses scenarios where a breach occurs at a business associate. This plan should seamlessly integrate with the overall incident response strategy.

Outline assessment and investigation procedures

Develop procedures for assessing the reported breach’s impact on the organization and patients. This includes coordinating with the business associate to investigate the breach and understand its causes and scope.

Define internal and external communication strategies

Prepare templated communications for stakeholders, including affected patients, regulatory bodies, and possibly the media, tailored to breaches originating from business associates. Determine the criteria for escalating communication based on the severity of the breach.

Plan for mitigation and remediation actions

Outline steps to mitigate the breach’s impact, including technical measures to secure data and prevent future breaches. Plan for remediation actions, such as offering credit monitoring to affected individuals.

Conduct regular training and simulations

Train relevant staff on their roles within the action response plan, focusing on scenarios involving business associates. Conduct tabletop exercises to simulate breaches at a business associate to test and refine the plan.

See also: What is a HIPAA corrective action plan?

FAQs

What is a data breach?

A data breach is an unauthorized access, use, disclosure, or theft of sensitive, protected, or confidential data.

What is a business associate agreement?

A BAA is a legally binding document that outlines the responsibilities and requirements of a business associate regarding the handling, use, and protection of PHI.

What is the difference between a business associate and a subcontractor?

The difference between a business associate and a subcontractor lies in their relationship to the covered entity; a business associate directly handles PHI for the covered entity, while a subcontractor performs these tasks on behalf of the business associate, not directly for the covered entity.