HIPAA Solutions Rx

August 10, 2007 - CMS

Question: Must business associates report security incidents to the covered entity? If so, which must be reported and what level of detail is required when a business associate reports security incidents?

Answer: Although a business associate may not be a HIPAA covered entity subject to the HIPAA Security Rule, it would nevertheless be contractually obligated, through its business associate contract, to report such security incidents to the covered entity. Specifically, the required implementation specification at § 164.314(a)(2)(i)(C) states that the contract between a covered entity and a business associate must require a business associate to “report to the covered entity any security incident of which it becomes aware.”

The contracts between a covered entity and its business associate could serve as the vehicle to establish the covered entity’s specific reporting requirements and should be developed to meet the entity’s specific needs. The covered entity and business associate must document the specifics of the reporting requirements, including the frequency, level of detail, format and other relevant considerations (e.g., in aggregate or per incident, weekly or monthly).

In addressing this required implementation specification, a covered entity and its business associate may consider some of the following questions: what specific actions would be considered security incidents; how will incidents be documented and reported; what information should be contained in the documentation; how often and to whom within the covered entity should incidents be reported; what are the appropriate responses to certain incidents; and whether identifying patterns of attempted security incidents is reasonable and appropriate.

For example, in order to determine the requirements of the business associate contract, in taking into consideration the requirements of §§ 164.306(a) and (b) and its risk analysis, the covered entity may decide that certain types of attempted or successful security incidents or patterns of attempted or successful incidents, such as a “ping” (a request-response utility used to determine whether a specific Internet Protocol (IP) address, or host, exists or is accessible) on the business associate’s communications network initiated from an external source, could be reported to the covered entity in a monthly report that only includes an aggregate number of pings for that month. Based on its analysis, the covered entity may also determine that other types of incidents, such as suspicious patterns of “pings” on the business associate’s communications network initiated from an external source, or a specific malicious security incident, would require a detailed report to the covered entity as soon as the business associate becomes aware of them.