Under the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule published January 25, 2013, 78 Fed. Reg. 5566, Covered Entities (CEs) with Business Associate Agreements (BAAs) that were entered into on or before January 25, 2013 and that were not modified after March 26, 2013 must revise their BAAs by September 23, 2014 as necessary to ensure compliance with the Final Rule. If you are a CE or a Business Associate (BA) and have not done so already, you may want to inventory all existing BAAs and related sub-contracts. If they were executed on or before January 25, 2013, you may need to send revised agreements or amendments to the other contracting parties.

We suggest CEs and BAs pay particular attention to terms requiring the reporting of Security Incidents.  Under the Final Rule, contracts between CEs and BAs must include provisions that require BAs to report to CEs any Security Incidents of which they become aware.  45 CFR § 164.314(a)(2)(i)(C) & (b)(2)(iv) defines "security incident" as "the attempted or successful unauthorized access, use, disclosure, modification or destruction of information or interference with system operations in an information system."

However, this definition and the reporting requirements are less concrete than they may appear. As stated in the preamble to the Security Rule, 68 Fed. Reg. 8350 (February 20, 2003), covered entities may determine what will constitute a Security Incident in the context of their business operations. Specifically, based on information gathered in complying with other security standards, entities may decide in advance: 

  • What specific actions will constitute a Security Incident in the context of their business operations
  • How incidents will be documented, including what information should be contained in the documentation
  • What incidents must be reported, how often and to whom, and what information reports should include
  • What other responses will be deemed appropriate to specific kinds of incidents, and
  • Whether identifying patterns of attempted security incidents is reasonable and appropriate under the circumstances.

Indeed, CEs may decide that certain types of attempted or successful security incidents or patterns of attempted or successful incidents warrant different actions. For example, a CE may decide that a “ping” (a request-response utility used to determine whether a specific IP address, or host, exists or is accessible) warrants (1) minimal, if any, response; (2) no mitigation since no harmful effects were caused by the incident; and/or (3) brief documentation of the Security Incident and outcome.

If you are a CE, consider amending your BAAs, policies, procedures and/or notices of privacy practices to define "Security Incident" with particularity and to address the above.  At a minimum, you should provide written notice of your definitions and requirements to your BAs if you have not yet done so.

If you are a BA, we suggest you request information from the CEs with which you contract about what actions constitute a Security Incident, how such incidents should be documented, and what type of reporting and/or record-keeping they require.

You may also wish to use the September 23, 2014 deadline as an opportunity to address ownership of PHI, how PHI may be de-identified, private dispute resolution and any other matters that were not addressed in your early BAAs.