Cowden Associates CEO Elliot Dinkin discusses the liability health care organizations assume when enlisting the services of a “business associate” and shares a couple of cautionary tales that make clear why third-party due diligence is so critical.
Businesses with access to patient health data risk Health Insurance Portability and Accountability Act (HIPAA) violations that can lead to steep federal and state penalties.
The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) recently announced:
- $3 million in fines against Touchstone Medical Imaging for violating numerous HIPPA policies.
- A $100,000 settlement against Medical Informatics Engineering, Inc., plus an additional $900,000 penalty on the same breach from 18 state attorneys general for a data breach that took place at MEI’s subsidiary No More Clipboards, where hackers were able to gain access to the protected health information of 3.5 million individuals.
OCR has investigated and resolved 27,109 cases by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA-covered entities and their business associates. Corrective actions obtained by OCR from these entities have resulted in change that is systemic and that affects all the individuals they serve.
HIPAA privacy and security regulations apply only to certain covered entities: health plans, health care clearinghouses and some health care providers. The law recognizes that many entities do not carry out all health care activities themselves. HIPAA permits covered entities to share protected health information (PHI) with third-party vendors such as claims processors, consultants, independent medical transcriptionists, pharmacy benefits managers and other organizations that will have access to protected medical records, called business associates (BAs).
The number of vendors utilized by hospitals on average is 1,300 according to a report from Ponemon. This makes the risk management of vendors very time-consuming and costly. According to the report, the following are some of the reasons third-party risk management programs fail in health care:
- The lack of automation and reliance upon manual risk management processes make it difficult to keep pace with cyber threats and the proliferation of digital applications and medical devices.
- Vendor risk assessments are time-consuming and costly; few organizations are conducting risk assessments of all their vendors. Currently, an average of 3.21 full-time employees are fully dedicated to completing vendor risk assessments, and they spend an average of 513 hours monthly to complete these assessments. This represents approximately 10 percent of the total hours expended on third-party supply chain activities.
- The indirect and direct costs of third-party risk management for the health care industry averages $23.7 billion annually.
- Critical vendor management controls and processes are often only partially deployed or not deployed at all. If controls and processes are deployed, they are not considered very effective in reducing third-party risks.
Yet the majority of health care organizations have had one or more data breaches caused by one of their vendors, and the average cost of these vendor-related breaches is $2.9 million, according to the report.
It is the responsibility of the covered entity to vet thoroughly all potential business associates to assess the possible risks of sharing PHI. Reviewing a business associate’s security risk audits and HIPAA policies and procedures is a good way to evaluate a business associate’s HIPAA compliance program. Other considerations during the due diligence assessment include:
- Are policies and procedures in place for privacy and security?
- What is the process for determining internal access to PHI?
- How is PHI handled by the BA?
- What are the internal training policies of the BA?
- Has the BA disclosed and appropriately vetted their subcontractors?
- What are the policies and procedures should a breach occur?
- What is the entity’s knowledge of HIPAA/HITech regulations?
- Has the entity disclosed all risk potentials of PHI?
Covered entities with business associates must have a written contract called a business associate agreement (BAA) that requires the business associate to comply with certain requirements under HIPAA related to the permitted and nonpermitted uses of PHI. A business associate must agree to comply with HIPAA rules and is responsible for ensuring the confidentiality, integrity and availability of PHI in its possession.
It is the responsibility of a covered entity to ensure that all business associates are complying with HIPAA rules. If a business associate fails to comply, it is the responsibility of the covered entity to take action to ensure noncompliance is corrected or the contract with the business associate is terminated. A HIPAA BAA does not exempt the covered entity from the diligence of conducting a risk assessment before signing a contract. According to the HHS:
“A Business Associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of Protected Health Information that are not authorized by its contract or required by law. A Business Associate/Subcontractor also is directly liable and subject to civil penalties for failing to safeguard electronic Protected Health Information in accordance with the HIPAA Security Rule.”1
During an audit, if it is determined that their business associate is not compliant, the covered entity and the business associate could both receive penalties, which range from $100 per violation to a $1.5 million annual maximum.
The risk of exposure of PHI will not go away. Covered entities should minimize risks by making BAs accountable for PHI security.