Breach List: Business Associate UpdateHealthcare Tally Shows How Common BA Breaches Are
The recently released HIPAA omnibus final rule clarifies that business associates and their subcontractors must comply with many HIPAA provisions. And the latest additions to the federal health data breach tally highlight why some business associates need to do a better job of protecting patient information.
A third of the 25 major breaches added to the Department of Health and Human Services' "wall of shame" tally since Dec. 17 involved business associates. And since 2009, when the interim final version of the HIPAA breach notification rule went into effect, about 21 percent of major breaches have involved business associates, the ongoing tally shows. A final version of the breach rule, which provides new guidance on how to determine whether to report a breach, is included in the omnibus rule (see: HIPAA Omnibus Rule Released).
"The final rule makes clear that covered entities are now going to have to go beyond simply signing a business associate agreement," says consultant Rebecca Herold, CEO of The Privacy Professor and partner at Compliance Helper. "They must make sure their business associates have appropriate safeguards implemented and are following the covered entities' security policies because a covered entity will be liable for violations of their business associates and could share in potentially high sanctions under the new guidelines."
Breach Statistics Update
Since September 2009, 537 major breaches affecting a combined total of nearly 21.5 million individuals have been verified on the federal tally. Major breaches are defined as those affecting 500 or more individuals.
So far, 125 breaches that occurred in 2012, affecting a total of 2.3 million individuals, are on the federal list. By comparison, the tally for 2011 breaches now stands at about 149 incidents affecting 10.8 million.
The HHS Office for Civil Rights continually adds breaches to its list as it confirms details, so many more 2012 incidents still could be added.
Of eight incidents recently added to the federal tally that involved business associates, three involved the same company - Clearpoint, a Boston-area Web design company that suffered a network server hacking incident on Oct. 18, 2012. That incident affected more than 15,000 patients at three Massachusetts healthcare providers: Child and Family Psychological Services, Harbor Medical Associates and South Shore Medical Center.
Two other breaches reported by two emergency medical service providers in Texas involved the theft of a desktop computer from a business associate, Advanced Data Processing. The two incidents affected a combined total of about 2,300 patients.
Also added to the list was the theft of an unencrypted laptop computer of an employee of Omnicell, a business associate to University of Michigan Health System. That breach affected about 4,000 patients. However, two other Omnicell clients were also affected by the stolen laptop incident, but those organizations - Sentara Healthcare and South Jersey Healthcare - aren't yet on the federal breach tally (see: Lessons from Business Associate Breach).
The other newly added business associate-related breach affected Cabinet for Health & Family Services, the agency that administers Medicaid for Kentucky. Data on about 1,000 Medicaid clients was inappropriately accessed when an employee of Carewise Health, a subcontractor of business associate HP Enterprise Services, responded to a telephone computer scam.
Business Associate Challenges
Now that the HIPAA omnibus final rule brings business associates and subcontractors into a brighter spotlight, many of those organizations will need to step up their breach prevention efforts.
However, Lisa Gallagher, senior director of privacy and security of the Healthcare Information Management Systems Society, believes that some business associates are better prepared to handle the HIPAA compliance demands than some covered entities. That's because the financial viability of many business associates, including some technology services providers, is tied to handling and managing data. As a result, some technology vendors have better practices in place for securing and protecting data than some healthcare organizations whose focus is delivering care, she contends.
Stephen Wu, a partner at law firm Cooke Kubrick & Wu LLP, says some of his clients "are not clear if they are considered a business associate or not."
Under HIPAA omnibus, the definition of a business associate was expanded to include, for example, organizations that provide data transmission services and have routine access to PHI.
"Covered entities want to put the risk on business associates, and business associates don't want that. It's a tug of war," he says. Wu says the rule "is very imprecise: and lacks enough guidance in determining whether an organization qualifies as a business associate that must be HIPAA compliant.
The final omnibus rule will be effective on March 26, but covered entities and business associates have until Sept. 23 to comply. The new rule, however, includes up to a one-year extension for revising HIPAA-compliant business associate agreements that were entered into as of Jan. 25, the expected date of formal publication of the new rule in the Federal Register, according to a blog by Adam Greene and Rebecca Williams, partners at the law firm Davis Wright Tremaine LLP.
In addition to business associates and subcontractors being added to the mix of those who must comply to many HIPAA provisions, the omnibus rule changes the standard of what constitutes a reportable breach (see: HIPAA Omnibus: Impact on Breach Notices).
Under a final version of the HIPAA breach notification rule, the standard for reporting a breach changes from assessing whether the incident is likely to cause financial, reputational or other harm to an individual, to a new, less subjective standard. The new rule calls for covered entities, as well as business associates and their subcontractors, to use at least four factors in assessing the probability that the protected health information has been compromised:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
Whether the new, more precise notification standard will result in a decrease or increase in the number of major breaches that make it to the federal tally remains to be seen.
Deven McGraw, director of the health privacy project at the Center for Democracy and Technology, a consumer advocacy group, believes that under the old "harm standard," healthcare entities may have been more inclined to notify individuals of breaches because the standard was so subjective. She also says that as the use of encryption, especially on mobile devices, becomes more widespread, the number of breaches could drop.
Gallagher of HIMSS says that under the harm standard in the interim final breach notification rule, some organizations, out of caution, reported incidents in which no data was potentially compromised, "such as one covered entity faxing the wrong information to another covered entity, who then immediately destroyed it."
But under the new rule, such incidents likely won't be reported, she contends. "I think this is the right approach," she says. "The goal is to notify when individuals need to know."