Advise your business partners on the telltale signs of a cyberattack

Your business associates (BAs) may not be aware that the healthcare industry remains a favorite target for hackers and cyber thugs worldwide. So, though you may have all your practice protocols in place to prevent HIPAA violations, your BAs may not. That’s why it’s essential to implement a cohesive compliance plan with your partners now to sidestep costly breach hassles later on.

According to guidance from the HHS Office for Civil Rights (OCR), covered entities (CEs) and BAs should think about how they’ll handle a vendor’s or subcontractor’s breach.

Problem: Not only do a large percentage of CEs believe they will not be notified of security breaches or cyberattacks by their BAs, they also think it’s difficult to manage security incidents involving BAs and impossible to determine whether the data safeguards, security policies, and procedures at their BAs are adequate to respond effectively to a data breach, maintains OCR.

Solutions: The OCR offers the following tips on making sure that your BAs or subcontractors are prepared for a HIPAA breach or security incident:

Tip 1: Include Specifics in Your BAAs

You should consider defining in your service-level or business associate agreements (BAAs) how and for what purposes your BA will use or disclose PHI. This is important so that your BA can report to you any PHI use or disclosure that’s not provided for in your BAA or vendor contract, including breaches of unsecured PHI and any security incidents.

According to the United States Computer Emergency Readiness Team (US-CERT), cybersecurity incidents may include activity such as:

Tip 2: Identify a Timeframe for Breach Reporting

OCR also advises that you define in your BAA the timeframe in which you expect your BA or subcontractors to report a breach, security incident, or cyberattack. Keep in mind that CEs are liable for untimely breach reporting to affected individuals, as well as to OCR and the media.

Rule of thumb: The quicker the incident is reported, the faster a CE or BA can respond, OCR points out. Reporting an incident rapidly can help minimize damages caused by the security incident, protect against and prevent further loss of ePHI, preserve evidence for forensic analysis (if necessary), and regain access to and secure your IT systems.

Tip 3: Define What You Expect in the Incident Report

Consider identifying in your BAAs the type of information that’s required in a breach or security incident report. Your BA or subcontractor should include in such reports:

Tip 4: Conduct Security Audits on Your BAs

CEs and BAs alike should train their workforce members on incident reporting. You may also want to conduct security audits and assessments to evaluate your BAs’ or subcontractors’ privacy and security practices. “If not, ePHI or the systems that contain ePHI may be at significant risk,” OCR warns.

Resource: To see the OCR’s advice on BA https://www.hhs.gov/sites/default/files/hipaa-cyber-awareness-monthly-issue-4.pdf?language=es.