When working with our clients, I often receive Business Associate Agreements (BAA’s) that contain indemnification clauses that don’t apply to the services an offsite digital record storage facility like Perpetual Storage, Inc. (PSI) provides. The indemnification clauses we receive look like they have all come from the same source because they all contain the same language. They put the blame and costs of a data breach on the offsite storage facility and hold no liability themselves. My question is this – doesn’t a company/organization that sends records to the facility also have a responsibility to properly protect their data on the records they send us? If the organization properly protects records with data encryption prior to delivery to the offsite facility, there is no indemnification clause needed because records reach a Safe Harbor.
What about Private Health Information (PHI) and Private Account Numbers (PAN)
Presently the BAA’s we receive that contain these indemnification clauses for records that have Private Health Information (PHI) and Private Account Numbers (PAN) on credit cards. Absolutely these types of information need to be protected and there are specific guidelines for each of these types of information as to how to protect them from a breach or what has to happen or not happen if there is a breach.
Records Containing Private Health Information (PHI)
Records containing PHI fall under HIPAA and the HITECH Act. According to these Acts, there are two types of PHI – “unsecured PHI” and “protected PHI”. Quoting from the final ruling by the Health and Human Services Department (who is over HIPAA/HITECH issues), “…section 13402(h) of the ACT defines “unsecured PHI” as “protected PHI that is NOT secured through the use of a TECHNOLOGY or METHODOLOGY specified by the Secretary (of Health and Human Services) in guidance” and provides that the guidance specify the TECHNOLOGIES and METHODOLOGIES that render PHI UNUSABLE, UNREADABLE, OR INDECIPERABLE TO UNAUTHORIZED INDIVIDUALS. Covered entities (offsite storage client) and business associates (offsite storage facility) that implement the specific technologies and methodologies with respect to PHI ARE NOT REQUIRED TO PROVIDE NOTIFICATIONS IN THE EVENT OF A BREACH OF SUCH INFORMATION – THAT IS, THE INFORMATION IS NOT CONSIDERED “UNSECURE” IN SUCH CASES. The guidance listed and described ENCRYPTION AND DESTRUCTION as the two technologies and methodologies for rendering PHI unusable, unreadable, or indecipherable to unauthorized individuals.”
So, if a client sends PHI in their records to the offsite storage facility and these records are ENCRYPTED using the algorithms accepted by Health and Human Services, there is no need for an indemnification clause in a BAA . If these records are ENCRYPTED and there is a breach, according to the ACT, there is no need to report this to anyone, hence no costs to do so. Encrypted records sent to an offsite facility that contain PHI reach a “safe harbor” – if a “safe harbor” is met, the HIPAA breach notification obligation is not triggered. The client’s obligation then is to encrypt their records sent offsite that contain PHI and remove unecessary indemnification clauses found in BAA’s that hold the offsite storage facility liable.
Records Containing Private Account Numbers (PAN)
If digital records contain Private Account Numbers (PAN), according to a letter from the PCI Security Standards Council given to PSI, “If a merchant does store PAN with a third party (like PSI or an offsite storage facility), “…IT IS THE RESPONSIBILITY OF A MERCHANT TO PROTECT THE PRIMARY ACCOUNT NUMBER WHEREVER IT MAY BE STORED, PROCESSED OR TRANSMITTED.” The letter suggests encryption to protect PAN. The letter says, “if a third party facility (PSI or an offsite storage facility)) ONLY PROVIDES PHYSICAL STORAGE AND NO CARDHOLDER DATA IS TRANSFERRED ELECTRONICALLY TO THAT FACILITY THEN ONLY THOSE PHYSICAL AND LOGICAL CONTROLS PRESCRIBED IN REQUIREMENTS 7, 8, 9, AND 12 OF THE PCI DSS WOULD BE REQUIRED TO BE EVALUATED.” The Requirements mentioned are the physical safety procedures and technologies provided by the storage company. So, if an offsite storage facility stores records that contain PAN, they should require these records to be encrypted to protect both the client and offsite facility. When hiring an offsite record storage facility, make sure they meet the physical safety requirements mentioned above like PSI does to ensure your records are safe.
Any BAA that contains an indemnification clause that places the blame and costs of a breach on an offsite storage company needs to reevaluate that clause taking into consideration what the HIPAA/HITECH Act and the PCI Security Standards Council guidelines are for PHI and PAN. Placing all the blame and costs for a breach on the offsite storage company needs to be deleted if the standards mentioned above are met.
To learn more about Perpetual Storage and service offering, please download our brochure.