Warning: Every Business Associate Poses Risk to Your Hospital

Business associates have been involved in about 23 percent of the 647 health data breaches that have been reported over the past four years, and breaches during that time period have affected a total of 22.5 million individuals and 137 covered entities.

It's no secret that the healthcare industry is in the midst of a sweeping overhaul and has been undergoing major changes — even before the Patient Protection and Affordable Care Act was enacted. As one example, the federal government has mandated a shift in the way health records are managed and greater precautions must be taken to protect patient privacy.

With the Health Information Technology for Economic and Clinical Health Act, a bill that was passed as part of the American Recovery and Reinvestment Act of 2009, a number of incentives were created to encourage the adoption of health information technology, such as electronic health record systems. Furthermore, the HITECH Act anticipates considerable exchange of electronic protected health information among healthcare providers and has increased the reach of privacy and security regulations under the Health Insurance Portability and Accountability Act.

The U.S. Department of Health and Human Services has ramped up investigations of health data breaches. This summer, HHS settled with a managed care plan that will pay $1.2 million for neglecting to delete confidential patient information from the hard drive of a photocopier that was later purchased by CBS Evening News. The health plan estimated that 344,579 people may have been affected by the breach.

Also, earlier this year HHS issued the final Omnibus Rule, greatly expanding the types of entities that are required to protect patient privacy under HIPAA. Up until this point, the HIPAA Privacy and Security Rules mostly focused on healthcare providers, hospitals, health plans and other "covered entities" that process health insurance claims. The Omnibus Rule expands many of the requirements to business associates of these entities, such as vendors and subcontractors who have access to protected health information. Specifically, the new rule affects the HIPAA Privacy, Security, Enforcement and Breach Notification Rules mandated by the HITECH Act and includes penalties of up to $50,000 per compromised health record, with a maximum penalty of $1.5 million for violations of an identical provision in a calendar year.

There is a simple reason for these seemingly harsh penalties: Patients' information must be protected. Business associates have been involved in about 23 percent of the 647 breaches reported on the Department of Health and Human Services website from Sept. 2009 through Aug. 2013, and breaches during that time period have affected a total of about 22.5 million individuals and 137 covered entities. Theft at a business associate was the biggest threat to the safety of patients' health records and covered entities. Thirty-seven percent of breaches involved theft, 29 percent involved unauthorized access, 10 percent involved hacking/IT incident, 16 percent involved loss, 5 percent involved other or unknown causes and 3 percent involved improper disposal.

Earlier this year, a Texas hospital learned that a vendor hired for secure handling and destruction of documents had failed to destroy patient records in accordance with its contract, putting patients' information at risk, creating unexpected costs and headaches to manage the data breach, exposing both the hospital and the vendor to financial penalties and generating negative press. Not a great way of using the hospital's limited resources.

Hospitals rely on business associates to provide healthcare-related products and services to their patients, but hospital administrators need to realize that they are responsible for a business associate's misuse or unauthorized disclosure of PHI. Therefore, hospitals should ensure that business associates safeguard PHI in accordance with HIPAA/HITECH.

In today's digital environment, what can you do to protect your hospital and your patients' information?

Hospitals must have a comprehensive vendor or business associate management program which includes contract provisions and adequate vendor due diligence processes. A central team should set policies and guidelines to ensure consistency in implementation.

Hospitals should monitor business associates for compliance with contracts and service level agreements. Effective monitoring should include:

  • The review of yearly HIPAA/HITECH independent security and privacy audits
  • The assessment of the business associate's internal controls related to confidentiality, availability, processing integrity, security and/or privacy using the Service Organization Control 2 report from the American Institute of Certified Public Accountants
  • The right to audit the business associate's HIPAA/HITECH compliance programs

However, given the broader set of risks that hospitals are required to manage, treating every business associate exactly the same would make this process excessively burdensome. Therefore, hospitals may want to categorize business associates based on the level of risk that each one poses to the hospital and then develop appropriate assessment and vendor management protocols for each category. For example, a business associate that stores and transmits electronic PHI will not pose the same risk as a business associate that simply has access to PHI. Therefore, the first vendor should be more carefully assessed than the second. The more a hospital understands the big picture of risks posed by business associates, the better it can tailor its risk assessment and information security program to manage those risks.

Patients expect that hospitals will ensure adequate protection of their data, which may include confidentiality provisions and notification in the event that their records are compromised. Potentially damaging incidents happen every day. Strong risk management procedures with your business associates can help you handle these incidents more effectively and mitigate the negative impact.

Hospitals must implement a formal process for managing security and privacy incidents with business associates, which may include:

  • Initial response to, investigation of and communication about potential incidents
  • Proper management when actual incidents escalate
  • Coordinated response to incidents
  • Reporting to authorities and patients on a timely basis

As the healthcare industry keeps evolving and maturing, it is imperative to realize that electronic health records are here to stay and business associates are an intrinsic part of your risk environment that need to be managed. Use proactive measures to get a head start now. Every hospital needs to assess the risk that each business associate poses to them and make sure that compliance programs are in place to help them manage the perpetual threat of health data breaches.

Jorge Rey, CISA, CISM, CGEIT, is an associate principal and the director of information security and compliance at Kaufman, Rossin & Co., one of the largest independent accounting and advisory firms in the Southeast. He provides information security and advisory services, including HIPAA/HITECH compliance services, business consulting, security audits, training, and implementation of IT security programs. Jorge can be reached at jrey@kaufmanrossin.com.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.
