What happens to the participating organizations if a healthcare provider in a health information exchange (HIE) suffers a health data breach? Much of the security language, and how a breach is to be handled for that specific type of exchange, needs to be spelled out in the HIE legal agreement, as there are different types of HIEs.
From a legal standpoint, there are data security land mines at every turn for healthcare organizations and CIOs. How well these organizations prepare for security risk, both on the EHR and HIE level, can often be traced back to the language in their business agreements. Kathryn Coburn, founding partner of technology law firm Cooke Kobrick & Wu, LLP, has handled these types of healthcare IT agreements for more than 20 years.
Her experience includes transfer and distribution of data in Accountable Care Organizations (ACOs) and HIEs, as well as data breach management. Coburn had a chance to talk with HealthITSecurity.com about the level of scrutiny and detail healthcare organizations and their CIOs and IT managers need to use when dealing with the security provisions in EHR and HIE contracts.
HIPAA doesn’t directly address HIEs, but does so for their business partners. What type of language is generally included in HIE security agreements?
The level of security that’s required in these HIE contracts is found in the business associate agreement (BAA), which is negotiated with every HIE and EHR vendor. When the contract is signed, every party should look closely at the BAA and actually negotiate those terms because there’s a tendency to think that one size fits all and there should be a form that covers everything but the kitchen sink. But the critical provisions and who’s responsible for certain aspects of the agreement are often left up in the air. There’s also a tendency to try to combine contracts for different types of providers. Companies say “we don’t need all these different types of contracts, we’re going to have one standard BAA and it will be to our advantage. And we’ll have everyone that we transmit information to and from sign that contract.”
However, this is definitely not to the advantage of some of those people signing HIE contracts. They may go ahead and sign a BAA thinking that the contract is fairly generic. Because the government has stated the minimum HIE provisions and those are likely to be included, some go without seeing the contract in the context of the particular agreement. For example, the agreement of the transmission of healthcare information may be completely inappropriate for one party. They need to negotiate business associate contracts and look at them if they vary from a BAA that they’ve signed in the past or one that their attorneys told them that they’re legally comfortable with. They need to look at them in the context of the new arrangement in every contract they sign. That’s where the critical provisions are in regard to EHR and HIE contracts.
Is this one-size-fits-all contract approach common? Can you name an example?
Many entities such as hospitals and other providers will just sign the contract. The vendor or business partner presents them with a BAA and they may be simply asked to sign it as a boilerplate attachment that they’re required to sign without looking at it. And this can be greatly to their financial detriment in some situations; they may be agreeing to something they don’t realize.
The big questions often for HIEs are “what is someone going to do with my information if I’ve entered an HIE?” “Who will have access?” “What people are participating and what are they going to do with that information?” Since information is often the most valuable asset an organization has, are they entering a BAA that says yes, [the other party] or the HIE may provide data aggregation services? This isn’t required, it’s optional, but if they’ve given that away, then they’ve given away a lot of information that they may wish to control themselves.
Where do you see health data breaches trending?
I think that human nature being what it is, health data breaches are not decreasing and in fact we’re seeing tremendous numbers of them. [An entity] can protect itself by requiring encryption on mobile devices and in fact that’s been in place for a long time. The federal government has had guidance, maybe not necessarily regulations, on secure hypertext transfer protocol (HTTPS), which should be a minimum requirement when mobile devices are used. Some of it is low-level encryption, but it makes a big difference.
Providers can also use different metrics. Fingerprint methods are very common on these devices. Training and reviewing policies and procedures and writing them is important. I would recommend documenting policies and procedures. Go through those HIPAA security rules and have policy and procedure, which means you have somebody to ensure that policy is followed. So if you have that procedure, who do you notify when a laptop is taken from the office and how do you record and document it? This goes a long way in protecting system security.
Who usually handles these procedures? Who should be?
Often [the providers] will go to the law department, consultant or lawyer and say draft us some procedures so that we comply with HIPAA and HITECH and we comply with security requirements. They often do it in-house, but they sometimes miss some of the policies and procedures for privacy and security. They put them in a file and don’t have anybody assigned as part of their job description to enforce that policy. So that’s where they fall down in the procedure end, and in order to do that, there are significant operational concerns within an entity. So what they should do is go to the CIO or person that’s responsible for the technical end and work with that person and not draft policies and procedures in a void. They need to work with the CIO and find out what goes on instead of having the law department, consultant or lawyer draft them in a void.
Is ACO security talked about enough?
ACOs are where data’s flowing and those contracts need to include security requirements, and sometimes when a company signs a BAA, both sides say we’re responsible for our security and they’re responsible for their security. Other times, they’ll even have mutual-indemnification provisions. This means if there’s a breach on one side and the other side is included in the lawsuit from a third party because of the breach, the breached side is going to have you indemnify the non-responsible party and pay them for all the damage. And we’ll do the same for you. These provisions are really murky, though. The important thing with ACOs is that everybody takes a good look at where the information actually goes into their organization. Is it pushed in or pulled in electronically? And who’s responsible for the portal and interface? And then they need to put it in the contract.
There’s a lot to consider on the legal side when dealing with HIE, ACO or EHR security, so it’s incumbent upon healthcare organizations to do their homework on contracts they sign and partnerships they enter into.