On May 16, 2016, the Department of Defense (DoD), General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) issued a long-anticipated Final Rule amending the Federal Acquisition Regulation (FAR) to add a new subpart and contract clause aimed at the safeguarding of contractor information systems that process, store, or transmit federal contract information.

The Final Rule, published at 81 Fed. Reg. 30439, requires federal contractors to implement minimum safeguards for certain information systems “reflective of actions a prudent businessperson would employ” to protect federal contract information on these systems. In light of the uncertainty generated in the healthcare industry by recent decisions of the Office of Federal Contract Compliance Programs (OFCCP) regarding which entities qualify as federal contractors and subcontractors, this article explains which types of healthcare providers may be affected by the Final Rule.

Providers Subject to the Final Rule

The Final Rule prescribes the new FAR contract clause 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” for solicitations and contracts under which a contractor or subcontractor “may have Federal contract information residing in or transiting through” its information systems. A federal prime contractor is any person or entity that contracts directly with the federal government to provide supplies or services, while a subcontractor can generally be any supplier, vendor, or firm that furnishes supplies or services for the performance of a federal contract or subcontract.

Examples of supplies that a healthcare provider might furnish under a federal contract include pharmaceuticals, medical supplies, and medical devices, while services might include providing medical care to federal personnel under a contract with a federal agency, or contracting with the agency to reimburse medical care. Importantly, because the OFCCP relies on a different set of regulations to guide its decisions, a healthcare provider that is a “federal contractor” for OFCCP purposes is not necessarily a contractor subject to the Final Rule, and vice versa. Accordingly, providers should carefully review the nature of each federal program in which they participate so that they understand which requirements apply to them as a result.

For those providers subject to the Final Rule, the new contract clause “applies to all acquisitions” where a contractor’s information systems “may contain Federal contract information.” This includes acquisitions below the simplified acquisition threshold, and only commercially available off-the-shelf items are exempt from the Final Rule. The scope and applicability of the Final Rule are intentionally broad “because [the] rule requires only the most basic level of safeguarding.”

Final Rule Requirements

The Final Rule’s requirements apply to “covered contractor information system[s],” which broadly include any information system “owned or operated by a contractor that processes, stores, or transmits Federal contract information.” The definition of “Federal contract information” is very broad and generally covers nonpublic information “provided by or generated for the Government under a contract to develop or deliver a product or service to the Government[.]”

The FAR contract clause identifies 15 performance-based security safeguards that contractors must implement to protect their covered information systems. These controls include, among others:

  1. Limiting system access to authorized users (and to processes and devices acting on their behalf), and limiting that access to the types of transactions and functions that authorized users are permitted to execute;
  2. Sanitizing or destroying information system media containing federal contract information before disposal or release for reuse;
  3. Limiting physical access to organizational information systems, equipment and their operating environment to authorized individuals;
  4. Escorting visitors and monitoring visitor activity, including maintenance of an audit log of physical access; and
  5. Monitoring, controlling and protecting organizational communications at the external and key internal boundaries of the information systems.

In addition, contractors must flow down the FAR contract clause to subcontractors for subcontracts “in which the subcontractor may have Federal contract information residing in or transiting through its information system.”

Because the Final Rule imposes only minimum standards, it does not affect any other safeguarding requirements that may be specified in contracts involving sensitive information such as Controlled Unclassified Information. Of particular relevance to healthcare providers, the Final Rule has no effect on their obligations to safeguard patient information under the Health Insurance Portability and Accountability Act.

The Final Rule becomes effective on June 15, 2016. Because it prescribes only basic safeguards based on what the DoD, GSA and NASA perceive to be common practice in the private sector, many contractors are likely already in compliance. Nevertheless, healthcare providers that hold prime contracts with the federal government, or subcontracts into which the clause has been flowed down, should carefully review their information security practices, along with the practices of their applicable subcontractors, to confirm that they meet the requirements of the Final Rule. In addition, while the Final Rule is limited to information systems that may store or transmit federal contract information, contractors should weigh the cost-effectiveness of applying these safeguards across their systems more broadly: doing so avoids inadvertent noncompliance where federal contract information ends up on a system that was not originally scoped as “covered.”