Transcriptionist Breach Affects 15,000
Boston Medical Center Fires Business Associate Involved
A breach involving the posting of information about 15,000 Boston Medical Center patients on a transcription firm's unsecured website serves as a reminder of the importance of monitoring the security practices of all business associates.
Boston Medical Center was notified on March 4 by another healthcare provider that MDF Transcription Services and its subcontractors "had incorrectly posted BMC physician office visit notes to the MDF website without password protection," a Boston Medical Center spokeswoman tells Information Security Media Group. "We immediately informed MDF and its subcontractors of this error and the website was removed from the Internet on the same day. We take our responsibility to maintain our patients' privacy very seriously and have notified all individuals who were affected by this vendor error."
As a result of the incident, physician notes "could have potentially been accessed by non-authorized individuals," she says. The information potentially exposed on the site includes names, addresses, medical information and medications. "We have no reason to believe that this led to the misuse or inappropriate accessing of any patient information," she says. "At this time, we have no evidence that any patient information was accessed by anyone other than medical personnel and administrative staff."
A number of Boston Medical Center physicians had used the transcription services company for several years, the spokeswoman says. Physicians routinely record audio notes about patient visits and then have these audio notes transcribed so they can be added to electronic medical records, she explains.
"Several physicians at BMC utilized MDF to transcribe their notes. Once transcribed, these notes were made accessible to physicians by MDF through an online site administered by subcontractors of MDF," she says. "Unfortunately in this instance the information was not password protected by MDF and its subcontractors."
"The hospital is working with MDF and its subcontractors to determine the duration of the information exposure," the spokeswoman says.
As a result of the incident, Boston Medical Center has terminated its relationship with MDF. "BMC has rigorous contracting standards in place to protect patient privacy and any organization that works with BMC must be in full compliance with those standards," the spokeswoman says. "Failure to meet those standards in any way will result in immediate termination of the contract."
MDF could not be reached for comment. Boston Medical Center declined to identify the subcontractors involved in the incident.
Business Associate Challenges
Security expert Brian Evans, principal consultant at Tom Walsh Consulting, says that many transcription services firms are aware of HIPAA's requirements but not always effective in carrying them out.
"In working with business associates that include transcription services, I'm finding that they are fully aware of their compliance obligations but lack the funding, staffing and security experience to adequately address them," he says.
"Unfortunately, business associates have not had as much time as covered entities to prepare for and meet their new compliance obligations. As a result, business associates, especially the smaller ones, are woefully behind in meeting their compliance requirements of the HIPAA security and privacy rules which include breach prevention tasks and technologies," he says.
Evans recalls a similar breach involving another transcription service. "I was involved with a data breach incident several years ago where the local transcription services company outsourced work to another company in Tennessee who then outsourced to an individual in India who posted actual patient data on his website," he says.
When covered entities work with transcription services firms, Evans says, they should ask the companies "specifically how they are protecting the confidentiality, integrity and availability of your patient data. I would also ask them to demonstrate their compliance with the HIPAA Security Rule."
Many large healthcare organizations, such as Boston Medical Center - a 496-bed academic medical center - might have hundreds of business associates, so managing these vendors can be difficult, Evans acknowledges.
"Despite greater investments in compliance efforts overall, the Boston Medical Center incident suggests that healthcare organizations have made limited progress in identifying or reducing business associate risk," Evans says. "The primary reason behind this is the sheer volume and diversity of business associates for any one organization."
Every business associate poses some form or level of risk, he says. "As a result, business associate risk is higher than most realize because a majority of this risk is not identified or reported. Consequently, potentially serious and costly compliance issues fly under the radar of senior management."
Under the HIPAA Omnibus Rule, which went into effect last year, business associates are directly liable for HIPAA compliance. Like covered entities, business associates are subject to OCR enforcement actions, including penalties ranging up to $1.5 million per HIPAA violation.
Tips for Managing BAs
While managing dozens, if not hundreds, of business associates - including transcription services firms - can be a challenge, Evans says covered entities should take several steps to ensure compliance of their vendors.
"Consider taking a tiered approach to assessing and managing business associate risk to allocate your limited resources to the highest exposure areas," he says. "By employing a tiered risk management model, you can direct the most intensive compliance resources to areas of greatest exposure, allowing for broader coverage without increasing the overall resource investment in risk management.
"When business associates handle sensitive or regulated data, it is imperative that some form of written agreement specifies what is expected. But contracts and agreements alone are weak controls unless compliance can be verified."
The most effective way to reduce the rate of compliance failures at business associates is the combined use of risk assessments; contracts/agreements; due diligence; audit tools and other technologies; and careful oversight monitoring, he says. "Direct compliance with all of the safeguards and documentation requirements of the HIPAA Security Rule is your mandate, and your customers, patients and auditors are going to begin asking you to show them, not just tell them, that you are in good standing," he says.
Additionally, Evans suggests covered entities designate a specific individual or team to coordinate the oversight activities for significant business associate relationships, and, as necessary, involve other operational areas, such as audit and information technology, in the monitoring process. "The extent of oversight of a particular business associate will depend on the potential risks and the scope and magnitude of the relationship," he says. Results of oversight activities should be periodically reported to senior management or a designated committee, he advises. "Identified non-compliance issues or weaknesses should be documented and promptly addressed," he adds.
The revelation of the breach at Boston Medical Center comes on the heels of distributed-denial-of-service attacks against Boston Children's Hospital (see DDoS Assault on Boston Children's Hospital).