Feds Clarify Security Rule Issues
Health Data Management (May 6, 2005)

Business associates of entities covered under the HIPAA security rule must report security incidents to the covered entity, according to new guidance from the Centers for Medicare and Medicaid Services. The contract between a covered entity and a business associate “must require a business associate to report to the covered entity any security incident of which it becomes aware,” according to the guidance. In the contract, the covered entity and business associate “must document the specifics of the reporting requirements, including the frequency, level of detail, format and other relevant considerations.” For instance, the contract could require a business associate to report each month certain types of security incidents, such as an aggregate number of “pings,” or real or attempted connections, to the business associate’s network from an external source. The contract also could require that suspicious patterns of pings be reported in detail as soon as the business associate is aware of them, according to the guidance.

Other new guidance on the Web site’s FAQ page covers complying with the security incidents procedures standard; assigning the same user ID to multiple employees; examples of threats to address in risk analyses; and plan sponsors reporting security incidents to a group health plan.

Posted to HIPAAcomply 5/6/05