Protecting patient healthcare data is becoming a greater challenge for healthcare facilities as the industry transitions from manual to electronic information storage and sharing.
Consider these statistics:
- Since 2009, about 30.1 million individuals have been affected by health data breaches
- A recent Ponemon Institute report found that criminal attacks on hospital and healthcare system data increased 100 percent since 2010
- The same report found that data breaches cost the healthcare industry approximately $5.6 billion annually, with each individual healthcare organization spending an estimated $2 million over a two-year period to address an attack.
Because of these threats, healthcare organizations are facing greater regulatory pressures to protect patient data – and face financial losses if found noncompliant. The Health Insurance Portability and Accountability Act (HIPAA) Privacy & Security Rule requires that covered entities (healthcare organizations) and their business associates (certain vendors) enter into contracts to ensure business associates (BA) will appropriately safeguard protected health information (PHI). The new HIPAA Final Omnibus Rule expanded the definition and security responsibility for business associates so that now more vendors fall under this category: those that create, receive, maintain or transmit PHI or ePHI on behalf of a covered entity and their subcontractors.
While many health systems have worked to understand where data resides, which vendors have access, and how it is handled within their facilities, the Omnibus Rule requires that this same level of understanding extend to management of data within business associates processes and those of their subcontractors. The average healthcare organization has, on average, between 700-1,500 BAs with varying degrees of access to some of its most sensitive areas and data. Yet, most hospitals lack visibility and the necessary control over their BAs to avoid compliance violations and subsequent penalties.
The costs of lacking such oversight can be significant. Each fine for willful neglect without correction costs $50,000. While the fines are limited by category to a maximum of $1.5 million, a hospital with multiple violations in each of the four violation categories within a calendar year could face up to $6 million in fines. Additionally, the average cost to an organization of an ePHI breach is $2 million, but that rises to an average of $8.7 million for any breach involving more than 500 records.
Top five ways to protect yourself
Every day healthcare organizations and their employees interact with thousands of vendors both face-to-face and remotely via electronic means of communication.
Below are five ways a healthcare organization can protect itself from data breaches associated with BAs, and minimize its risk for unnecessary expenses, fines and accreditation loss.
1. Identify your vendors: An organization should conduct an initial review of its vendors, which means it needs a master list of all companies providing products and services, including vendors selected by the IT department for meaningful use. An accounts payable list of vendors paid in the past 18 months is a good source for this information.
2. Define them: Determine which vendors potentially fall under the definition of business associate and secure agreements with these vendors up front. It's not uncommon to find that 30 to 40 percent of BAs have not been identified. Simply asking every vendor to sign a BAA is not sufficient either. Once signed, the health system is responsible for ensuring that a vendor is living up to the SLAs in the agreement. When entering into a BAA ensure that you and the vendor understand the ramifications.
3. Redefine your policies: Revise policies and procedures regarding vendor management to be in compliance with BA requirements. Identify which suppliers meet vendor management policies – and which don't – and take steps to bring them into compliance and ensure they stay there. When on-boarding a new vendor, conduct a thorough vetting process to ensure the vendor is legitimate and compliant, and as stated above both parties understand the ramifications.
4. Be audit ready: From the date the OCR notifies a healthcare organization of an audit, it has 20 days to prepare, and the OCR will only take into account documentation and data in existence prior to the receipt of the audit notification. The organization will be required to send the OCR proof of compliance with BA policies and procedures under the HIPAA Final Omnibus Rule. To be prepared, an organization should have readily available, in a centralized system, detailed information on its vendors, the status of their BA agreements, onboarding steps and all existing vendor contracts.
5. Minimize your risk: Knowing who its business partners are and which ones operate within its facilities increases an organization's ability to meet accreditation and regulatory requirements. Conduct a thorough vetting process of ALL vendors to ensure they are legitimate and in compliance with regulations, including:
- Conducting initial business verification checks and subsequent checks on an annual basis
- Performing initial sanction checks (vendor and representatives) and subsequent checks every 30 days
- Collecting conflicts of interest information
- Identifying vendors for oversight and avoid allegations of willful neglect
Conclusion
Healthcare data breaches are on the rise and organizations must act now to combat them. Improper management of vendors – particularly those defined as business associates – poses significant risk to patient privacy and the financial health of organizations. Knowing your vendors, identifying BAs and driving compliance with policies and procedures are critical steps in safeguarding patients, complying with new regulations and avoiding financial losses.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.