Third-party vendors must abide by HIPAA privacy rules as well

Mar 28, 2016
Compliance | Data and Information Security | Government

Keeping up with the latest HIPAA rules and guidance


This month I wanted to cover the HIPAA business associate rule and the FIPA (Florida Information Protection Act). The business associate rule is critical as it helps assure that your business partners are also fully HIPAA compliant.

The Target data breach was an excellent example of how a third-party vendor can cause a data breach. Each business enterprise is only as secure as its weakest vendor. We know that in healthcare, clinical engineering (which does not fall under corporate IT) can have as many as 100 vendors!

FIPA strengthens accountability for all enterprises, which includes healthcare/HIPAA. Since HIPAA is prescriptive with some flexibility, FIPA helps assure that what really matters in HIPAA compliance is met, and it adds a bit more. Finally, I wrap up with a summary of the latest FDA cybersecurity guidance on medical devices.

HIPAA business associate rule

Most covered entities (health plans and health providers) know they fall under the HIPAA Security and Privacy rule. But what some don’t know is that their business associates and subcontractors also fall under these rules.

This is the result of the HIPAA Omnibus Rule of January 2013. Some major provisions are as follows:

  • Make business associates of covered entities directly liable for compliance with certain parts of the HIPAA Privacy and Security Rules’ requirements.
  • Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
  • Expand individuals’ rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
  • Require modifications to, and redistribution of, a covered entity’s notice of privacy practices.

Covered entities should review their existing Business Associate Agreements (BAA) to include:

  • Updating the BAA to state that if the business associate is to carry out the covered entity’s obligations under the Privacy Rule, the business associate must comply with the requirements of the Privacy Rule that apply to the covered entity in the performance of such obligations.
  • Adding a provision stating that the business associate is directly subject to the Security Rule.

The 2013 Omnibus ruling also added a requirement that a business associate must enter into a BAA with any subcontractor to whom the business associate has delegated a function, activity, or service that the business associate has agreed to perform for a covered entity, where that function, activity, or service involves the creation, receipt, maintenance, or transmission of PHI.

For example, if a business associate serving as a third-party administrator for a covered entity hires a company to handle document and media shredding to securely dispose of paper and electronic PHI, then the shredding company would be considered a subcontractor, and the parties would have to enter into a written BAA to govern the subcontractor’s HIPAA responsibilities. Even law firms whose work touches HIPAA are obtaining HIPAA compliance audits.

Business associates and subcontractors should take the following steps:

  • Business associates and subcontractors must first evaluate their business relationships to determine where BAAs are required (i.e., evaluate which subcontractors create, receive, maintain, or transmit PHI or electronic PHI).
  • Where a BAA is required, business associates and subcontractors must prepare and negotiate the terms of the BAAs.
  • As part of the BAA preparation and negotiation process, business associates and subcontractors need to make certain that they fully understand their responsibilities under HIPAA and the BAAs, and they must ensure that they actually have the systems and procedures in place to comply with these responsibilities.
  • After the parties have completed the previous steps, they must execute the BAA.

Finally, as we often hear from legal: you can transfer a business function to a third party, but you can’t transfer liability. Now, however, your vendors that store, process or transmit PHI are required by law to achieve the same standard you are required to meet. In the end this is a win-win for all.

FIPA in healthcare

An act relating to security of confidential personal information; providing a short title; repealing s. 817.5681, F.S., relating to a breach of security concerning confidential personal information in third-party possession; creating s. 501.171, F.S.; providing definitions; requiring specified entities to take reasonable measures to protect and secure data containing personal information in electronic form; requiring specified entities to notify the Department of Legal Affairs of data security breaches; requiring notice to individuals of data security breaches under certain circumstances….

That’s how the Florida statute reads but what does it really mean when it comes down to the responsibility to secure patient records?

Florida’s expanded law places even more emphasis on organizations to safeguard data. “Before, the definition of breach meant it was unlawful and unauthorized. Now it’s just unauthorized. The statute now requires a notification to the Attorney General for breaches, which is a big change. It requires consultation with local law enforcement; before, it was optional.”

This act may be cited as the “Florida Information Protection Act of 2014.”

What is required?

  • Appraise policies and procedures to verify that they are implemented effectively.
  • Set up reporting for large printing jobs.
  • Limit access to sensitive information.
  • Review all employees’ access to systems, data, and sensitive areas.
  • Review business associate and contractor agreements and security.
  • Consider the role of bring-your-own-device (BYOD) policies.
  • Assess physical security, as well as cyber security.
  • Ensure that customer record disposal policies meet new legal provisions.
  • Create an investigative and reporting process if a breach occurs.
  • Select an external partner for forensic investigations, audits, and other data breach services.

The bottom line is that FIPA strengthens accountability for all enterprises, which includes healthcare (HIPAA). Since HIPAA is prescriptive with some flexibility, the Florida Information Protection Act helps assure that what really matters in HIPAA compliance is met, and it adds a bit more. Finally, I wanted to cover the latest FDA cybersecurity medical device guidance. I believe the FDA has done an excellent job with this much-needed guidance.

Postmarket management of cybersecurity in medical devices

On Jan. 15, 2015, the Food and Drug Administration (FDA) released draft guidance on the Postmarket Management of Cybersecurity in Medical Devices.

This is only a draft publication at this time; however, I believe it’s going to be well received.

The FDA is taking proactive steps to assure that medical device manufacturers incorporate risk management into their products’ life cycle. This FDA guidance will help manufacturers of medical devices develop and implement controls to ensure their devices are secure and patients are protected.

The guidance includes specific cybersecurity risk management practices, including pre- and postmarket considerations, defining essential clinical performance, assessing cybersecurity vulnerabilities, assessing the severity of impact to patient health, and evaluating risk to essential clinical performance.

The guidance also places much-needed focus not only on detecting vulnerabilities but on remediating and reporting any such findings. It also recommends the NIST Framework for Improving Critical Infrastructure Cybersecurity (i.e., identify, protect, detect, respond, recover), which I covered in my Virtual CISO blog titled “What every IT department needs to know about IT Audits.”

A senior security and compliance specialist, George Grachis has over 25 years’ experience in the tech sector. Some of his experience includes over a decade supporting the Space Shuttle program for Computer Sciences Corporation & Grumman Aerospace, security management for CFE Federal Credit Union, IT auditing & consulting for Deloitte and serving as Chief Security Officer for Satcom Direct.

George holds both the CISSP and CISA certifications. George received the ISSA Fellow designation in 2016 and is currently an active senior board member of ISSA. George has been interviewed by WFTV ABC TV and Fortune Magazine. When not working he enjoys spending time with family & friends, Big Brothers Big Sisters, playing the drums, motorcycling, fitness, and writing articles for his blog, Virtual CISO.

The opinions expressed in this blog are those of George Grachis and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.