Breaches: Business Associates' Role
Tally Illustrates the Need to Ramp Up Security
In the past month, eight out of 15 breaches added to the Department of Health and Human Services' "wall of shame" tally have involved business associates. And business associates have been implicated in about 21 percent of the 571 breaches affecting 500 or more individuals that HHS has tracked since September 2009.
Plus, business associates have been involved in many of the largest incidents, including, for example:
- A September 2011 breach affecting 4.9 million individuals involving Science Applications International Corp., a business associate of TRICARE, the military health program;
- A December 2010 incident affecting 1.7 million patients involving New York City Health and Hospitals Corp. and its business associate, GRM Information Management;
- A March 2012 breach that compromised data of 780,000 individuals and involved the Utah Department of Health and its business associate, the Utah Department of Technology.
With the enforcement date of Sept. 23 for HIPAA Omnibus less than five months away, it's possible that even more business associate-related breaches will appear on the tally. That's because under HIPAA Omnibus, not only are business associates and their subcontractors for the first time directly liable for HIPAA compliance, but also the definition of business associates has been expanded to include more kinds of vendors, including many cloud service providers (see HIPAA Omnibus: The Liability Chain).
To help prevent breaches involving business associates, covered entities, such as hospitals and physicians groups, should carefully spell out their security requirements in business associate agreements, says Mac McMillan, CEO of IT security consulting firm CynergisTek. In addition, covered entities should have a procedure in place for monitoring those vendors, including a process for terminating contracts when engagements end. "They need to take a lifecycle approach to vendor management," McMillan says.
If a business associate is involved in a breach, it must notify the covered entity that it serves, which then must notify federal authorities as well as the individuals affected, McMillan explains (see: HIPAA Omnibus: Breach Notification Tips). So business associate agreements should spell out that vendors must report breaches immediately to covered entities, he adds.
Breach Tally Update
In the last month, 15 breaches affecting 93,000 individuals were added to the HHS Office for Civil Rights' tally, and eight of those incidents involved business associates.
The largest of the breaches added was a Sept. 21, 2012, unauthorized access incident at the Brookdale University Hospital and Medical Center in New York, which involved business associate Health Plus Amerigroup. That incident affected about 28,000 individuals.
Of the 571 breaches posted on the tally since September 2009, when the breach notification rule took effect, more than half have involved the loss or theft of unencrypted computing devices or storage media (see: Breach Tally: Encryption Still an Issue).
So far, the federal tally lists 12 breaches affecting 49,000 individuals that have occurred in 2013. OCR adds incidents to its tally as it confirms the details.
The tally includes more than 130 breaches in 2012 affecting 2.3 million individuals. By comparison, it lists roughly 160 breaches affecting about 11 million individuals in 2011.
Wider Scope for Scrutiny
The HIPAA Omnibus Rule's expanded definition of business associates will put more vendors under scrutiny in the months ahead. The rule clarifies that business associates who receive, create, transmit or maintain protected health information must be HIPAA compliant.
Under the new rule, the expanded business associate definition includes health information organizations, e-prescribing gateways or others that provide data transmission services for protected health information to a covered entity and that require routine access to the health information. Companies that offer a personal health record to one or more individuals on behalf of a covered entity are also now considered business associates.
Many business associates are smaller companies with limited resources or know-how to conduct a thorough HIPAA risk assessment or to put in place effective breach prevention and response plans, says Mike Bruemmer, vice president of Experian Data Breach Resolution.
Covered entities want their business associates "to be on the ball with enforcing the security and policy standards," Bruemmer says. In some cases, that could require going back to audit the business associate to determine what kind of breach response plan the company has, he says.
Potentially, business associates could find themselves faced with requests for security audits from numerous covered entity clients, Bruemmer acknowledges. "More likely, business associates will have to come up with good answers to questions about their security policies and procedures for covered entities," he adds.