The Department of Health and Human Services Office for Civil Rights (OCR) sent out an email on May 3, 2016 providing the OCR Cyber-Awareness April Monthly Update. This update addresses the fact that, according to OCR, covered entities often believe business associates will not notify them of a breach or cyber attack, and that it is difficult for the covered entity to manage security incidents involving their business associates.

This update specifically highlights the following three provisions that a covered entity should include in its service-level or business associate agreements to help ensure that business associates and subcontractors adequately prepare for and respond to a security incident:

  1. Define how and for what purposes protected health information (PHI) shall be used or disclosed in order to report to the covered entity any use of disclosure of PHI not provided for by its contract, including breaches of unsecured PHI, as well as any security incidents;
  2. Indicate the time frame covered entities expect business associates or subcontractors to report a breach, security incident, or cyber attack to the covered entity or business associate, respectively; and
  3. Identify the type of information that would be required by the business associate or subcontractor to provide in a breach or security incident report.

This update also reminds covered entities and business associates to train their employees on security incident reporting and suggests that the covered entity consider conducting audits of their business associates’ or subcontractors’ security and privacy practices. The timing of this update on managing business associate security incidents comes on the heels of two recent OCR settlements with covered entities ($1.55 Million and $750,000) that resulted from breaches of unsecured PHI that had been disclosed to business associates without a business associate agreement in place.