Warning: Every Business Associate Poses Risk to Your Hospital

Business associates have been involved in about 23 percent of the 647 health data breaches that have been reported over the past four years, and breaches during that time period have affected a total of 22.5 million individuals and 137 covered entities.

It’s no secret that the healthcare industry is in the midst of a sweeping overhaul and has been undergoing major changes — even before the Patient Protection and Affordable Care Act was enacted. As one example, the federal government has mandated a shift in the way health records are managed and greater precautions must be taken to protect patient privacy.

With the Health Information Technology for Economic and Clinical Health Act, a bill that was passed as part of the American Recovery and Reinvestment Act of 2009, a number of incentives were created to encourage the adoption of health information technology, such as electronic health record systems. Furthermore, the HITECH Act anticipates considerable exchange of electronic protected health information among healthcare providers and has increased the reach of privacy and security regulations under the Health Insurance Portability and Accountability Act.

The U.S. Department of Health and Human Services has ramped up investigations of health data breaches. This summer, HHS settled with a managed care plan that will pay $1.2 million for neglecting to delete confidential patient information from the hard drive of a photocopier that was later purchased by CBS Evening News. The health plan estimated that 344,579 people may have been affected by the breach.

Also, earlier this year HHS issued the final Omnibus Rule, greatly expanding the types of entities that are required to protect patient privacy under HIPAA. Up until this point, the HIPAA Privacy and Security Rules mostly focused on healthcare providers, hospitals, health plans and other “covered entities” that process health insurance claims. The Omnibus Rule expands many of the requirements to business associates of these entities, such as vendors and subcontractors who have access to protected health information. Specifically, the new rule affects the HIPAA Privacy, Security, Enforcement and Breach Notification Rules mandated by the HITECH Act and includes penalties of up to $50,000 per comprised health record with a maximum penalty of $1.5 million for violations of an identical provision in a calendar year.

There is a simple reason for these seemingly harsh penalties: Patients’ information must be protected. Business associates have been involved in about 23 percent of the 647 breaches reported on the Department of Health and Human Services website from Sept. 2009 through Aug. 2013, and breaches during that time period have affected a total of about 22.5 million individuals and 137 covered entities. Theft at a business associate was the biggest threat to the safety of patients’ health records and covered entities. Thirty-seven percent of breaches involved theft, 29 percent involved unauthorized access, 10 percent involved hacking/IT incident, 16 percent involved loss, 5 percent involved other or unknown causes and 3 percent involved improper disposal.

Earlier this year, a Texas hospital learned that a vendor hired for secure handling and destruction of documents failed to destroy the patient records in accordance with their contract, putting their patients’ information at risk, creating unexpected costs and headaches to manage the data breach and exposing the hospital, the vendor to financial penalties and generating negative press. Not a great way of using the hospital’s limited resources.

Hospitals rely on business associates to provide healthcare-related products and services to their patients, but hospital administrators need to realize that they are responsible for a business associate’s misuse or unauthorized disclosure of PHI. Therefore, hospitals should ensure that business associates safeguard PHI in accordance with HIPAA/HITECH.

Continue reading this health data breach article at beckershospitalreview.com.

Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.