Today, most hospitals count on external outsourcing services for a myriad of essential functions like revenue cycle management, health information management, IT support, data storage and security, housekeeping, and many other clinical and non-clinical functions. Many of these partners are business associates under HIPAA, and therein lie major potential security risks for hospitals. Relationships with diligent, qualified business associates have proven to be a boon to hospitals’ service quality and cost efficiencies. But data security and privacy breaches, either caused by business associates or enabled by their deficiencies, have exploded in recent years. Every hospital and healthcare organization must protect itself through a well-defined and enforced business associate management program. Here’s what you need to know, plus a great infographic to summarize this critical issue.
Until the Omnibus HIPAA Rule of 2013, business associates (BAs) were not directly liable for causing or contributing to breaches of security and patient privacy. The Omnibus Rule changed everything. It made both covered entities and business associates vulnerable to HIPAA penalties. It didn’t take long before the first BA HIPAA penalty was announced in 2015: a $650,000 fine against Catholic Health Care Services of Philadelphia (CHCS) due to the 2014 theft of a single unencrypted smartphone that wasn’t password protected. CHCS was providing management and IT services to six skilled nursing facilities.
A summary look at 2018 HIPAA breaches related to business associates:
As of late August 2018, 229 breaches have been reported to the Department of Health and Human Services, with the data of 6.1 million patients potentially exposed. At least 40 major breaches by BAs have exposed the information of more than 2 million individuals, a third of all exposed patients this year. The BAs include medical transcription, software, IT support, insurance, waste disposal, staff augmentation, administrative, and many other types of organizations that are under contract with covered entities like hospitals and payors. One example of a BA that was penalized in the last year is Filefax, an Illinois company that provided storage, maintenance, and delivery of medical records for covered entities. It had left over 2,000 medical records in an unlocked truck at a shredding and recycling facility. Though the company is now out of business, the liquidating receiver had to pay $100,000 in penalties.
In addition, several covered entities, including hospitals, have been penalized for not having created BA agreements with contractors as required, or for not having updated out-of-date agreements. For example, the Office for Civil Rights (OCR) found that Women & Infants Hospital of Rhode Island, which had a corporate management contract for IT support and security with Care New England Health System (CNE), had lost unencrypted backup tapes holding ultrasound records of 14,000 individuals. The hospital had a BA agreement with CNE, but hadn’t updated it to incorporate revisions required under the HIPAA Omnibus Final Rule, so its disclosure of those individuals’ health information to CNE was unlawful. The hospital was penalized $400,000.
A HIPAA compliant risk management program addressing outsourcing vendors and other business associates (BAs) has never been more critical.
Which of your hospital’s contractors are business associates under HIPAA?
Business associates include the people and companies that support a HIPAA-covered entity — in this discussion, healthcare providers in particular. Anyone who comes in contact or could potentially come in contact with Protected Health Information (PHI) is a business associate. The Omnibus HIPAA rule of 2013 says “business associates” include all vendors that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity, e.g. a hospital or payor. This includes your EHR vendor, other PHI-touching systems vendors, data storage firms, billing outsourcers, consulting firms, clinical service desks, lawyers, accountants, IT contractors, cloud storage services, email encryption services, web hosts, and more. It can even include your housekeeping and waste disposal outsourcers.
To complicate this scene even more, subcontractors of business associates that perform business associate functions are themselves business associates. As a result, the Omnibus Rule requires a chain of compliance starting with the HIPAA-covered entity, through the business associate, and ending with the lowest-tier subcontractor.
Just as covered entities are held responsible for breaches or violations by their business associates, “first level” or primary business associates are held responsible for the compliance of their subcontractors. As with covered entities, business associates are now subject to the same penalties for noncompliance. If a penalty is issued, it can range from $100 to $50,000 per violation (or record), with a maximum penalty of $1.5 million per year for violations of an identical provision.
To learn more about the Omnibus HIPAA rule, and its privacy and security requirements, read a complete summary in our knowledge resources library.
Implementing a business associate risk management program
Bringing any external vendor into your hospital adds significant privacy and security risks. These are greatly compounded if the vendor uses subcontractors that also touch PHI.
Risk management can be divided into two broad stages: due diligence prior to engaging a vendor, and on-going monitoring and reporting. A cautionary note on due diligence: you may have narrowed your choice of vendors to just two or three, but if you haven’t performed a HIPAA risk assessment with finalists, you’re not ready to make a choice. HIPAA requires that you obtain satisfactory assurance of compliance in writing from all of your business associates.
Here are the essentials of a strong risk management program:
- Your chosen vendor and any subcontractors that will have contact with PHI in your organization should be willing to sign a HIPAA Business Associate (BA) agreement in order to work for you. If they are not willing, you will have to move on to another vendor. Why? Because your hospital, a HIPAA-covered entity, will be held accountable for NOT creating an agreement, especially if it is audited by the Office for Civil Rights (OCR) or is the victim of a breach. In the latter case, you will have to expect financial penalties.
- You should determine the level of access to PHI that the prospective vendor and sub-contractors may have in their relationships with your organization. This will provide a foundation for evaluating the severity of risks presented by contracting with the vendor. Minimal exposure or access means minimal risk. The opposite is also true.
- Now comes the heavy lifting part of due diligence: your hospital must conduct an assessment of the vendor’s compliance with HIPAA regulations, the integrity of the vendor’s data, and its ability to prevent breaches and detect them. The following list of assessment factors is not meant to be comprehensive, so you should enlist your organization’s security/privacy officer (who must be well versed in HIPAA) to manage the assessment. As examples, the process should include ascertaining, through documentation and first-hand observation, that the vendor meets the following requirements:
  - BAs must have an assigned security/privacy officer. This person must know HIPAA and have the authority to step in and make recommendations to the IT department and senior management when necessary.
  - BAs are required to have a documented set of privacy and security policies and procedures, which your organization should review as part of the vendor vetting process. The policies should cover the vendor’s employees, volunteers, contractors, and other members of the BA workforce.
  - BAs must maintain an active security/privacy program that aligns with HIPAA requirements, at the very least. The program also should align with your organization’s security program. The BA’s program needs to include ongoing security administration activities to assess, monitor, prevent, and mitigate security threats. It must have established systems for discovery of breaches and a formal response plan for such an event. The BA should be providing annual HIPAA training to its workforce and must be able to document that it is doing so.
  - If a prospective BA is contracting with downstream business associates on your hospital’s behalf, it must have BA agreements with them and impose the above data security and applicable privacy requirements on them. Those contracts should document the upstream BA’s right to terminate the downstream vendor for security or privacy violations. If the BA uses several BA subcontractors, your organization’s review process will either go smoothly, if the prime vendor has a well-managed HIPAA compliance program, or it will crumble under the weight of too many unanswered questions from an unprepared vendor.
  - The vendor should have adequate physical security protections in place, in addition to systems and process protections. You should assess facility access and other physical security measures implemented by the vendor. Ideally, this assessment should occur onsite, particularly if the vendor is to have significant access to your data.
  - You should assess the vendor’s ability to perform in the event of a system or process failure or catastrophe. For example, can it show you that it has a current disaster recovery plan? Has it implemented appropriate redundancies to prevent lost data?
  - Even if all looks positive in the initial assessment phase, the vendor or a subcontractor may have experienced HIPAA breaches. This doesn’t necessarily present a hard stop in your relationship. Get a report on any HIPAA breaches the organization may have caused or been part of, along with subsequent remedial efforts. Assess the potential impact of the breach history on your organization’s reputation. Hopefully, you will find that the vendor has no such record, or, if it does, that its remedial work is sufficient to justify moving to contract.
  - The financial stability of the vendor is significant not only for good business reasons, but also to ensure that it is not vulnerable to failures that could jeopardize data privacy and security. Request appropriate financials.
- Within your contracts, you should require vendors to complete privacy/security assessments annually, to be submitted to your organization.
- Your BA vendor contracts should include provisions for terminating the relationship cost-effectively due to privacy or security lapses or breaches.
- Maintaining and managing your BA vendor inventory is a difficult necessity. Many hospitals’ purchasing departments do a good job of general vendor tracking, but their IT leaders may be less tuned in to such old-fashioned record-keeping. BA inventory management, typically the job of the security/privacy officer (often an IT employee), includes maintaining up-to-date copies of contracts, service level agreements (SLAs), BA agreements, and follow-up assessments.
- Due diligence is never “done.” The security/privacy officer should regularly monitor all BA vendors’ SLA performance, and their security and privacy-related activities and performance. If you have required your BAs to complete a privacy/security assessment annually, you should expect to receive a documented update each year. The update should include similar reports provided to the BA by its subcontractors. Create a follow-up calendar to make sure your BAs are held accountable.
- A business associate risk management program can only be effective if your security/privacy officer and/or others are held accountable for all of the above. This component is obvious, but it presents a significant problem for many hospitals: this HIPAA-required role is often a part-time duty for staff members who have other responsibilities, or it is given low priority. While resource constraints are common in hospitals, the fact is that if the compliance officer does not have a mandate to manage the program, it will fail. An outsourced vendor’s performance, or lack thereof, could create financial, reputational and legal consequences for your organization, not to mention data breach disasters. If you do not monitor your outsourcing vendors’ activity, you could also incur sizable HIPAA penalties and loss of patient confidence.
Many vendors/business associates don’t know that HIPAA covers them or what a BA designation means. This is partially because the covered entity representatives they work with don’t know much more than the vendor, and this aspect of the relationship never came up in the contracting process. It’s also because the covered entities have not established HIPAA-compliant procedures and/or accountabilities for their BA partnerships, and/or those procedures have not made it into the external contracting process. These activities cannot be compartmentalized; in other words, contracts with vendors who have the potential for touching PHI must get a go-ahead from the HIPAA security/privacy officer before they are signed. As OCR continues to audit hospitals and process increasing complaints of potential data mishandling, more hospitals are re-examining their BA management programs and their existing arrangements with external entities to ensure appropriate BA agreements are in place, monitored and enforced.
Our healthcare industry is learning the hard way. Cybercriminals are hammering it because they can. Negligence is way too commonplace, often among vendors that have no clue as to their HIPAA responsibilities. Our security and privacy environment is not yet as robust as industries like finance and manufacturing, but we can greatly strengthen it just by following the rules.
This was a long post, we know. So, to summarize, check out our infographic below on the risks of HIPAA BA relationships. Share it with your colleagues AND your business associates!
For more information on HIPAA risk management, please contact us.