Consulting to healthcare providers

(Feel free to move this. I thought readers in this subforum would likely be in tune with this issue.)
I'm not looking for legal advice here, but I would welcome any input from someone that has knowledge about this:

I am an independent IT consultant and have several small clinics as customers. They are not all up to snuff on regulatory compliance and I am concerned about my liability as a business associate. Specifically, what 'due care' must I take in order to place the burden of compliance on the practice? If they don't have full disk encryption on their laptops and subsequently lose a device with PHI.. How can I mitigate this liability? I can't force them to do anything. I can strongly suggest and indicate the areas I have found as non-compliant with HIPAA/HITECH via a thorough risk assessment.

I am worried that the moment that a breach occurs that they will attempt to hang me out to dry. I am a custodian, not the data owner. I try to minimize the possibility of a breach as best I can, but some of my customers are simply negligent.

Would a limited liability or 'hold harmless' agreement be sufficient?

Find more posts tagged with

Comments

ninjaturtle

I work in healthcare too and I find it fascinating how many clinics oversee security. Why? Because of cost and ignorance. But most of the time it's due to cost. I can't say for certain if you'll be covered with an agreement, but it will definitely go a long way to get something in writing or an email where you make your recommendation(in detail) and a reply back with a denial. I always send out recommendations of this sort of thing, or anything relating to reliability via email. Nowadays email is the recording, the tap if you will of our day to day interactions.

TheProfezzor

I have close to no experience in Health Care. Generally speaking, you can ask your clients to adhere to some of the less costly measures pertaining to "Due Care". The lists goes as under:

1 - Ask them to make sure, no data on their laptop is left in plain text. Encrypt it all, even if it's not PHI.
2 - Tell them to make regular backups of their data, and encrypt backups too.
3 - Provide awareness of the risks they accept, with PHI on their laptops and their laptops being prone to theft and misuse.
4 - Train them to some extent, so they can't act completely ignorant. Get a sign off for the security and awareness training provided.

I've dealt with PII in the past and I have practiced stuff like this, to make sure my clients understand the severity of risk they are accepting. So, when risk does materialize, I have lots of emails to prove, the risk was properly communicated and unfortunately, accepted by the client.

This strategy has kept me from harms way, and from jail as well.

Cyberscum

Well,

For starters you need to have a statement of work, SLA, terms of service, scope of service or some other form of evidence that explains what it is you do from start to finish. It needs to be written to specifically state that security/compliance concerns are not in your scope of work (unless they are). If they are then that is a whole different story and your basically screwed. If they are not, then you would continue to operate under your agreed upon documentation and life is peachy.

*note: If you provide services that are associated with compliance standards you should be concerned

….Also, if compliance and security is not in your scope of work “DO NOT” give anyone any advice on security measures or compliance practices because you can be held liable as the employee would determine that you are the IT specialist/authority.

philz1982

Reference my PM I just sent you.

philz1982

Cyberscum wrote: »

Well,

For starters you need to have a statement of work, SLA, terms of service, scope of service or some other form of evidence that explains what it is you do from start to finish. It needs to be written to specifically state that security/compliance concerns are not in your scope of work (unless they are). If they are then that is a whole different story and your basically screwed. If they are not, then you would continue to operate under your agreed upon documentation and life is peachy.

*note: If you provide services that are associated with compliance standards you should be concerned

….Also, if compliance and security is not in your scope of work “DO NOT” give anyone any advice on security measures or compliance practices because you can be held liable as the employee would determine that you are the IT specialist/authority.

Even if he isn't contractually obligated. He could be held liable thru assumed Due Care and Due Diligence Gaps. He needs to point out the issue, referencing that he is not an expert and that further due care and due diligence needs to be done. To your point, if compliance/security is mentioned in his contract or more importantly not in his contract he needs to amend the contract or petition the senior executive.

dark3d

Compliance and security should be core concerns of any IT consultant to SMB. (IMO) I cannot envision a scenario in which I could provide any type of reasonable support to customers and not deal with security/compliance. It's half of the job. If you asked my customers who the 'expert' was..they would point to me.

Say, for example, we go with the loss of a laptop w/ PHI. I recommend that they use full disk encryption, which they decide against. I have sufficiently documented the risk and corrective action necessary beforehand. The laptop gets lost/stolen and a breach occurs. How would telling the client that I am not an 'expert' beforehand change my liability? I would think recommending the FDE would categorize me as the expert. Is the act of stating I am not an 'expert' similar to 'I'm not an attorney, so I cannot give you legal advice?' Do I need to locate an expert that will give recommendations and assume liability?

philz1982

Expert witness is actually a legal term / category in some states. By stating the discrepancy whilst stating your lack of expertise you absolve yourself contractually as long as cyber is not part of your contract. This is a gray issue and case law is constantly changing based on the State your contract was executed in.

There is more to this but I am on my phone so it's hard to post.

dark3d

I'll consult with a lawyer about additions to my contract. Thank you for the information, guys!

brewoz40

I work at a place where we host an EMR/PM solution for practices. Not to get to detailed but we run into the same issues as well. In a way we 'act' as consultants for the practices and make recommendations to them and they by theory have to meet them, weather or not they do abide by it is not always the case. We do a full hippa compliant risk assessment of each practice as well as here in cali there are certain criteria that they have to do in order to meet 'meaningful use' and receive money(benefits) for doing so. All I can say is document in a hippa risk assessment or some other type of assessment and have the practice, the provider(s)/office manager, if these are IPA's, sign off on it releasing all liability. With true crypt going by the way side has made it even more difficult.