Small Firms, Big HIPAA Troubles?Business Associates Need to Get Serious About Security
The time has come for business associates of all sizes, as well as their subcontractors, to get their HIPAA compliance act together.
Here's why: When the new HIPAA omnibus rule takes effect in the months ahead, business associates and their subcontractors will be on the hook, along with the covered entities they serve, for health data breaches and HIPAA non-compliance issues. They now must comply or face investigations and potentially hefty financial penalties from the Department of Health and Human Services.
For the first time, business associates will have some absolute obligations for how they can use and disclose the protected health information.
Oh sure, business associates have long had privacy and security obligations under their contractual agreements with covered entities. But under the HIPAA omnibus rule, "for the first time, business associates will have some absolute obligations for how they can use and disclose the protected health information on behalf of a covered entity," says Susan McAndrew, deputy director of HHS' Office for Civil Rights, which enforces HIPAA. The new rule is "not so much an obligation change, but ... business associates can now be called for misuse or failure to safeguard this information," McAndrew explains(see: HHS Official Explains HIPAA Omnibus).
"If there is a HIPAA non-compliance complaint or breach, OCR can now directly investigate the business associate," McAndrew stresses. "If they violate the rule, they could face penalties as the covered entity does." Under the new regulations, penalties can range up to $1.5 million per violation.
While business associates and subcontractors of any size that have access to protected health information from covered entities will be subject to new HIPAA scrutiny, my gut tells me that smaller firms could have the biggest headaches in complying with the new rule.
I'm not picking on small businesses. But I suspect that many that provide services to healthcare organizations find themselves facing the same challenges as thousands of smaller clinics with limited resources that are struggling to complete risk assessments and implement security plans.
Keep this in mind: Business associates of all sizes have been involved in about 21 percent of the major breaches listed on the HHS "wall of shame" site (see: Breach List: Business Associate Update).
But if you start picking through some of the more recent breaches involving business associates - including incidents in the news that have not yet made it to the HHS tally - you'll see several smaller firms pop up.
For example, one vendor - Clearpoint Design, a small Boston-area web design company - was listed on the HHS breach tally for October 2012 incidents affecting about 15,000 patients at three local healthcare organizations.
Clearpoint executives declined to comment about the incident. But a letter about the breach posted on the website of Child and Family Psychological Services, one of the three Clearpoint clients affected, notes that the incident involved the hacking of a dedicated server that Clearpoint leased from a subcontractor, Hosting.com.
In another recent incident - which is not yet listed on the HHS site - a small Augusta, Maine-based healthcare management company, Goold Health Systems, was responsible for a breach affecting 6,000 Medicaid beneficiaries of the Utah Department of Health. In that incident, an unencrypted thumb drive was lost by the Goold Health System employee while traveling.
The incident is particularly unfortunate for the Utah Department of Health, because it was already in the headlines when it experienced a much larger security incident last year. That breach involved hackers from Eastern Europe who downloaded personal health information about 780,000 individuals from a state server.
Utah had also done a good job in reaching out to those affected by the first breach. Gov. Gary Herbert last May appointed long-time consumer healthcare advocate Sheila Walsh-McDonald to the newly created position of health data security ombudsman. She spearheads the state's aggressive outreach program, which included a series of informational workshops for the public last summer (see: Assessing Utah's Post-Breach Efforts).
It must be frustrating for the folks at the health department to deal with an incident that involved an employee of a company they trusted. "We sent out notification letters on January 17 to the Medicaid clients with the identified elements of their personal information," says Walsh-McDonald, whose name and phone number was listed on the note. Since then, "my phone has been ringing constantly," she says.
No More Procrastination
The bottom line in all this is that business associates and their subcontractors of all sizes have to re-examine how they're safeguarding their healthcare clients' data.If they don't, they could find themselves coping with a federal investigation that could culminate with a fine big enough to hurt their profits - or even their long-term viability.
If smaller firms that only dabble in providing services to healthcare organizations are not prepared to meet their HIPAA privacy and security obligations, perhaps they should stick with courting the business of local restaurants, florists and hair salons and steer clear of serving the local clinic or hospital.