In last month’s Cyber-Awareness Monthly Update, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) asked “Is Your Business Associate Prepared for a Security Incident?”
The OCR, which is tasked with, among other things, ensuring equal access to certain health and human services and protecting the privacy and security of health information, noted growing concerns by covered entities under the Health Insurance Portability and Accountability Act (HIPAA) regarding security breaches of their business associates. In particular, the OCR explained that “[d]espite the requirements of HIPAA, not only do a large percentage of covered entities believe they will not be notified of security breaches or cyberattacks by their business associates, they also think it is difficult to manage security incidents involving business associates and impossible to determine if data safeguards and security policies and procedures at their business associates are adequate to respond effectively to a data breach.”
In response to these concerns, the OCR advised covered entities to consider the following for their contracts with business associates:
-
Using service-level agreements (SLAs) or business associate agreements (BAAs) to define in detail the purpose and scope of use of Protected Health Information (PHI). Any use of PHI outside of this purpose or scope should require the business associate to approach the covered entity and obtain consent, which allows the covered entity an opportunity to consider the increased risks associated with any expanded use on a case-by-case basis.
-
Specifying clear timelines in SLAs or BAAs within which the business associate must report any security incidents, breaches, or cyberattacks involving the covered entity or business associate. Because covered entities ultimately bear the greatest risk from delays in notifying individuals and/or regulatory authorities of security incidents, it is important to specify timelines for notification from business associates that allow the covered entity to meet its obligations. In our experience, while obligations to notify the covered entity “promptly” or “as soon as practicable” are commonly seen in these types of contractual provisions, setting an “outside date” with which the covered entity is comfortable (e.g., “But in any event not more than [twenty-four (24)] hours after the occurrence of such incident”) is preferable.
-
Identifying certain necessary information to be included in any security incident report provided by the business associate in SLAs or BAAs. For example, the incident report should include (1) the date and time that the incident occurred, (2) the date and time that the business associate became aware of the incident, (3) a detailed description of the type and amount of PHI that was subject to the incident, and (4) a detailed description of all response and remedial measures undertaken by the business associate. In our experience, setting defined timelines for the delivery of the security incident reports in the contract (similar to the timelines for breach notification) is also key, as much of this information will be necessary for the covered entity to develop its response, including any required individual or regulatory notifications.
-
Implementing effective training of security and privacy practices for employees and other representatives of the covered entity and business associate and security audit and assessment procedures to evaluate compliance with those practices. These training and assessment procedures should apply to both the general security and privacy obligations under the contract and any specific policies or practices of the covered entity with which those workers and the business associate are expected to comply.
In addition, remember to ensure that the above concepts “flow down” into the contracts between the business associate and any subcontractors who may provide services for the covered entity.
Copyright © 2025 by Morgan, Lewis & Bockius LLP. All Rights Reserved.