While no healthcare organization can guarantee that it will never fall victim to a data breach or cybersecurity attack, having the right tools in place can help to lessen the likelihood of one or even assist in recovering from a breach. Having the necessary business associate agreements in place is one such area for covered entities to consider.
Business associates will typically handle, transfer, or even store patient PHI on behalf of covered entities. It needs to be clearly established how these third-party contractors are expected to work with their covered entities, and how they are expected to keep sensitive information secure.
The HIPAA omnibus final rule drastically changed how business associates handle PHI. Contractors and subcontractors hired by covered entities not only have increased responsibility, but there is also the potential for penalties if HIPAA violations take place.
Covered entities must “obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity,” according to the Department of Health and Human Services (HHS). This must be done in writing, either as a contract or other agreement between the two parties.
“Covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate,” HHS states on its website.
HIPAA also requires business associate agreements to describe how the business associate is permitted and required to use PHI. Furthermore, they must ensure that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law.
Finally, the agreement should explain how the business associate is required to use any appropriate safeguards to prevent inappropriate PHI use or disclosure.
Either a person or an entity that performs certain duties on behalf of a covered entity can be considered a business associate. Examples include, but are not limited to, claims processing or administration, data analysis, processing or administration, and quality assurance.
Recent cases of potential healthcare data breaches
There have been several recent examples of accidental PHI disclosures at third-party entities. While it is not always made clear whether the organization was in fact a business associate, it is still important for covered entities to take note of the situation to ensure the same situation does not happen to them.
R-C Healthcare Management (R-C Healthcare) has been tied to two potential healthcare data breaches.
First, CHI Franciscan Health Highline Medical Center (Highline) was alerted on July 22, 2016 that files with patient information had been accessible online from April 21, 2016 to June 13, 2016.
South Carolina-based Bon Secours Health System, Inc. announced last month that it had discovered the error on June 14, 2016. In that case, patient files were available online while R-C Healthcare attempted to adjust its computer network settings from April 18, 2016 to April 21, 2016.
In similar fashion, the Carle Foundation recently started to notify patients of a potential data security incident after certain information was made viewable online due to a vendor error.
Carle explained in a statement that it learned of the error on June 14, 2016. A vendor had reportedly placed files containing patient information on a Carle file server on February 17, 2016. This potentially made the files viewable to those who had access to the server via the internet.
“We deeply regret any inconvenience this may cause our patients,” Carle said. “To help prevent this from happening in the future, we are working with all of our vendors to reinforce education regarding secure transfer of patient information.”
What can happen in the long term?
If the Office for Civil Rights (OCR) determines that HIPAA violations did in fact take place during a data security incident, a business associate or covered entity could be faced with heavy financial penalties.
For example, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to pay $650,000 as part of its settlement earlier this year. CHCS had provided management and information technology services as a BA to six skilled nursing facilities.
OCR determined that from the HIPAA Security Rule’s compliance date to the present, CHCS had not conducted “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by CHCS.”
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” OCR Director Jocelyn Samuels said in a statement.
As North Memorial Healthcare of Minnesota learned, failing to properly identify business associates can also lead to OCR HIPAA settlements.
North Memorial failed to identify Accretive Health, Inc. as a business associate, according to OCR. The relationship between the two organizations allowed Accretive access to North Memorial’s databases, which held PHI. North Memorial agreed to a $1.5 million fine as part of its settlement.
OCR also found that there was a period of time where there was no business associate agreement at all between the two organizations.
“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” Samuels said. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”