When hospital giant Community Health Systems recently experienced a data breach involving 4.5 million patient records, the Franklin, Tenn.-based company identified the culprit as a sophisticated Chinese cyber-espionage team. Yet, as of Aug. 27, 2014, only about 7 percent of the healthcare data breaches reported to the Department of Health and Human Services (HHS) are the work of hackers. Many of the rest are the result of simple human mistakes, not just by employees but by an organization’s many business associates (BAs), according to data reported to HHS’ Office for Civil Rights (OCR). These violations include losing laptops containing unencrypted patient data, using insecure Wi-Fi connections and even selling photocopiers that haven’t been properly scrubbed of patient data.
On the HHS website, there’s a notorious page often dubbed the “Wall of Shame.” Visitors to this page will find the names of hundreds of well-known healthcare organizations responsible for data breaches affecting a total of nearly 34 million Americans. As of Aug. 27, 2014, BAs are responsible for a whopping 58 percent of the records breached, according to OCR data. BAs work on behalf of healthcare organizations in countless ways: quality improvement analysis, patient safety activities, billing and collections, IT services, benefits administration and so on. Many of the BAs that have reported breaches are household names that include Iron Mountain, Towers Watson, McKesson, ADP, EMC and K-Mart.
Here are some examples of healthcare organizations that were penalized for the insufficient security of their downstream BAs or subcontractors:
- In July 2013, WellPoint was fined $1.7 million when one of its business associates, following a software upgrade, exposed more than 600,000 patient records on the Internet.
- LabMD was forced to close its doors earlier this year following a Federal Trade Commission investigation into a breach caused by inadequate security in a BA’s file-sharing services.
- In another FTC settlement, transcription service provider GMR agreed to remediation requirements and a biennial independent security assessment for the next 20 years after a BA allowed medical information to be publicly accessible to search engines.
Rules are constantly evolving
Regulatory agencies are continuously fine-tuning their rules and requirements regarding data security. Here are some of the most recent developments:
- The HIPAA omnibus final rule made BAs directly and equally responsible for protecting health information, but left the responsibility for notifying affected individuals and HHS with the covered entity (e.g., hospitals and health plans); a BA must report a breach to the covered entity it serves.
- The FTC is invoking Section 5 of the FTC Act, which prohibits unfair or deceptive practices, against healthcare organizations and BAs whose websites claim that patient data is protected and that then experience a data breach.[1]
- The Securities and Exchange Commission has stated that boards of organizations responsible for safeguarding protected health information (PHI) that choose to ignore or minimize the importance of data security do so at their own peril.[2]
Protecting against BA missteps
Here are some practical steps healthcare organizations can take to help ensure their BAs are being diligent about data security:
Conduct a BA inventory. Hospitals should document a list of all BAs and the contact information of their compliance officers. Every organization should ensure their BAs are receiving the minimum necessary PHI for the services they are providing. This list should include outside legal counsel, IT contractors and auditors.
Risk-rate BAs. Hospitals should determine which BAs have access to the highest volume of patient data and the ones that are most critical to the organization. These are the BAs that will need the closest scrutiny.
Review BA agreements. Hospitals should make sure that new BA regulations required under the omnibus final rule have been incorporated into all contracts.
Provide BAs with a Notice of Privacy Practices. This helps ensure they are aware of their compliance requirements. BAs should be provided any updates to the NPP on a timely basis.
Vet prospective BAs. Problems can often be prevented by sending prospective BAs a questionnaire on their privacy/security policies, including requesting details of any previous incidents or breaches and of the remediation steps taken to avoid others in the future. BAs should also provide information on where data will be stored (overseas or U.S.-only) and how that information will be destroyed or returned when the contract is terminated.
Require greater BA accountability. Hospitals should insist on an annual attestation of HIPAA compliance from all BAs and follow up to ensure their delivery. BAs should also be required to notify hospitals of incidents or breaches within five days.
Request a list of all BA subcontractors and services. A subcontractor or vendor working for a BA can also pose a security threat. Although provider organizations are not responsible for ensuring subcontractors’ compliance, requesting the list will help confirm that the BA is on top of its own subcontractors’ compliance requirements.
Have adequate BA backup. If a BA is terminated for ongoing insufficient security, it’s wise to have a substitute ready to take over.
Maintain thorough documentation of all these activities. Documenting the BA security program shows regulators that a hospital is serious about safeguarding patient data.
Avoiding the “Wall of Shame”
There’s an objective way to determine financial exposure to a data breach and to use that information to obtain additional funds to strengthen your security program. The American National Standards Institute offers a free publication entitled “The Financial Impact of Breached Protected Health Information” that’s available online. The ANSI paper provides an excellent overview of data breach issues and includes tools for calculating the cost of a breach.
One additional preventive measure, and one that is actually required by the HIPAA Security Rule, is to complete a rigorous risk analysis. It’s the best way to reduce the likelihood of showing up on the “Wall of Shame.”
Mary A. Chaput, MBA, HCISPP, CIPP/US, CIPM, is CFO and chief compliance officer at Clearwater Compliance, a HIPAA/HITECH advisory firm in Brentwood, Tenn.
[1] http://www.ftc.gov/system/files/documents/cases/140203gmrcmpt.pdf; http://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial; http://www.ftc.gov/news-events/press-releases/2010/07/rite-aid-settles-ftc-charges-it-failed-protect-medical-and; http://www.ftc.gov/news-events/press-releases/2013/08/ftc-files-complaint-against-labmd-failing-protect-consumers
[2] http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.VBxzWLl0yM-