Trust but Verify: Don’t Get a False Sense of Security from your Business Associates

Two recent highly publicized data breaches illustrate the need for HIPAA Covered Entities to make sure their Business Associates (and other partners) are really protecting their patient data. In the words of President Ronald Reagan (who was discussing an arms treaty with the Soviet Union), you should Trust but Verify.

The Hospice of North Idaho just paid a $50,000 penalty because an outsourced service provider’s laptop containing 441 patient records was stolen. This news went viral because it was the first time a data breach of fewer than 500 records was cause for a financial penalty.

In November, an employee of Omnicell, a provider of medical dispensing systems, had downloaded over 68,000 patient records to a laptop, which was stolen from his locked car. The laptop was protected with a password but the data was not encrypted. Patients of the University of Michigan Medical System, Sentara Healthcare, and South Jersey Healthcare were affected.

The hospice paid a $50,000 penalty, incurred many other costs, and replaced its outsourced provider. Penalties have yet to be assessed in the Omnicell breach. Both breaches could have been prevented.

The HITECH Act of 2009 requires that Business Associates comply with HIPAA as if they were Covered Entities. This will be enforced once the new rules are published by the US Department of Health and Human Services (HHS). According to the HHS Office for Civil Rights Director, Leon Rodriguez, Business Associates will have 6 months to comply after the rule is published.

Covered Entities should not wait. The hospice and Omnicell’s clients could have done some simple things to protect themselves— and you can do something now to protect your organization.

According to two of the health systems that worked with Omnicell, their contracts required that all data be stored on encrypted devices. In a HIPAA statement written when the HIPAA Security Rule came into effect in 2005, Omnicell said it “will comply with applicable legal requirements relating to protected health information to the same extent that its customers would be required to comply with such requirements…” and said it would “Use appropriate safeguards to prevent use or disclosure of health information.” Omnicell then included language in its contracts making even more specific promises that the devices it uses are encrypted.

Lessons Learned

  1. Make sure you have a Business Associate Agreement (BAA) with EVERY business partner that is likely to see patient data in the course of their work. Make sure it reflects recent modifications to HIPAA in the HITECH Act. Remember that your EMR provider, your outsourced IT provider, your revenue cycle management/collection company, and your shredding company, at a minimum, all need BAAs. Also have agreements with your accountant if they see patient information during audits, and with your attorney if they have access to patient data for lawsuits or collections.
  2. Make sure your business contracts are written to protect patient data. Beyond the scope of your BAA, your contract listing the services you receive should also have specific information on how your vendors will do things to protect your data.
  3. Commitments in contracts don’t mean anything if the people doing the work are uninformed. Were the outsourced employees assigned to the hospice informed and trained? Did the Omnicell purchasing and IT staff know that they were to deploy encrypted devices to their field staff? Was encryption present on the stolen devices but not turned on? An audit performed on behalf of the client could have identified these vulnerabilities.
  4. Consider the risks when you implement ANY new technology. Did the health care providers even realize that their Omnicell medical dispensing system was a vulnerability to their patient data? Remember your Security Risk Analysis for HIPAA and the EHR Incentive Program Core Measure 15? Don’t wait until the end of a MU reporting period or an annual review to update your risks. You may want to work with a trained specialist familiar with HIPAA and risk management, because an experienced auditor would have asked the right questions.
  5. Trust but Verify. Before the breaches occurred, the health care organizations should have audited their business associates’ compliance with HIPAA and with their business agreements. A trained specialist in IT and compliance should have:
    1. reviewed the vendors’ compliance programs;
    2. verified that their employees are trained;
    3. inspected evidence that the compliance policies and procedures are really followed;
    4. tested the technical devices to ensure that the data is properly protected;
    5. followed up with random spot-checks to make sure that compliance is consistently followed.
  6. Make sure your own house is in order. Because of the poor security practices of its partner, the hospice was investigated and found to have inadequate internal security and compliance controls of its own. In 2012, the Office for Civil Rights assessed very large penalties against organizations not just for the specific incidents that prompted their investigations, but for ‘willful neglect’ in not having HIPAA Security Rule compliance programs that should have been in place since April 2005.
  7. Who pays for the audit? Either party can pay for the audit. However, if the Covered Entity wants to be sure it is really protected, it should either pay for the audits itself, or require its Business Associates to pay for the audits and provide it with the reports.
  8. Patient data does not solely reside in your EMR system. With so many new devices that store or transmit patient data, including smart phones and tablets, and in multiple methods such as text messages and email, your risks are higher than ever.
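Lesson 3 asks whether encryption was present on the stolen devices but not turned on, and step 4 of the audit checklist calls for testing the devices themselves. The script below is an added example for that check; it is not code from the article or from Semel Consulting. It assumes a Windows laptop with the BitLocker PowerShell module (Windows 8 / Server 2012 or later) and an elevated prompt, and it reports every volume whose status is anything other than fully encrypted with protection switched on.

```powershell
# Added example (not from the article): report whether each volume on a Windows
# laptop is actually protected by BitLocker, so an auditor has evidence rather
# than a contractual promise. Run from an elevated PowerShell session.
function Get-EncryptionAuditReport {
    [CmdletBinding()]
    param()

    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        throw "BitLocker cmdlets are not available on this system; treat the device as unverified."
    }

    Get-BitLockerVolume | ForEach-Object {
        # "Encryption installed but not turned on" shows up here as
        # VolumeStatus = FullyDecrypted and/or ProtectionStatus = Off.
        $compliant = ($_.VolumeStatus -eq 'FullyEncrypted') -and ($_.ProtectionStatus -eq 'On')
        [pscustomobject]@{
            Drive            = $_.MountPoint
            VolumeType       = $_.VolumeType
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            PercentEncrypted = $_.EncryptionPercentage
            KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Compliant        = $compliant
        }
    }
}

$report = Get-EncryptionAuditReport
$report | Format-Table -AutoSize

# Exit non-zero when any volume is unprotected, so the check can be run across a
# fleet from management tooling and the output kept as audit evidence.
$unprotected = @($report | Where-Object { -not $_.Compliant })
if ($unprotected.Count -gt 0) {
    Write-Warning ("{0} volume(s) are not fully protected: {1}" -f $unprotected.Count, ($unprotected.Drive -join ', '))
    exit 1
}
```

A login password alone, which is all the Omnicell laptop had, does not change the result of this report: the data on a FullyDecrypted volume is readable once the drive is removed from the machine. The KeyProtectors column is worth keeping in the evidence file too, since a volume protected only by a recovery password (with no TPM or PIN protector) is encrypted but unlocks without any user interaction. The same kind of check applies on other platforms, for example `fdesetup status` for FileVault on macOS.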

You should work with an experienced compliance and technology specialist to audit your partners and ensure they are protecting your patient data. You need to make sure problems are identified and fixed before they become expensive and embarrassing reportable data breaches. Don’t take chances by waiting: hope is not a business strategy.

If you have read this far, and are still comfortable just sitting back and trusting everyone, please lend me $10,000. I promise to pay you back next week.

Mike Semel

-------------------

Semel Consulting offers certified HIPAA compliance services and certified business continuity planning, including auditing and management of Business Associates. Its lead consultant has been in IT for over 30 years, including as a hospital Chief Information Officer and owner of a Business Associate. He has performed compliance audits and Security Risk Analyses for Covered Entities and Business Associates since 2003.

For more information contact us.