Covered entities should be very concerned about the possibility of a major breach of protected health information (PHI) originating from a Business Associate (BA). According to the Health and Human Services’ Wall of Shame, a single breach in 2015 by a BA in Indiana affected more than 3.9 million individuals which is more than all individuals affected by breaches from covered entities and BAs listed to date in 2016.
In order to be prepared, a covered entity must first understand what constitutes a BA. By definition, a BA is an entity or individual who is not part of the covered entity’s workforce and stores, transmits or receives PHI on behalf of the covered entity.
As required by HIPAA, a covered entity must have a written business associate agreement (BAA) in place for any of the following BAs: practice or benefit management, answering service, billing company, collection agency, document shredding company, claims processing, accountant, legal, utilization review, actuarial, healthcare clearing house, medical transcriptionist, electronic health record (EHR) or an e-prescribing gateway. Examples of those not considered to be a BA of a covered entity include: health plans, laboratories, pharmacies, janitorial services or conduits such as a telephone service provider, US Post Office, UPS, or Fed Ex.
Last year’s breach by a Business Associate occurred as a result of hackers gaining unauthorized access into an EHR, compromising PHI at 44 locations in 3 states. This may seem small compared to the largest breach ever reported, the Anthem breach in 2014 affecting over 80 million individuals. Similarly, this incident was the result of a cyber attack on a server such that the full extent of this breach remains under investigation and the actual numbers are still yet to be determined.
What if Anthem had been a large EHR provider instead of a covered entity? Let’s not find out. To this end, healthcare providers need to be ready for any size cyber security incident and this should be reflected in your BAA. The recent April 2016 OCR Cyber-Awareness Monthly Update highlights important measures every covered entity should take when dealing with business associates:
- Defining in their service-level or BAA how and for what purposes PHI shall be used or disclosed in order to report to the covered entity any use of disclosure of PHI not provided for by its contract, including breaches of unsecured PHI, as well as any security incidents.
- Indicating in the service-level or BAA the time frame they expect business associates or subcontractors to report a breach, security incident, or cyber attack to the covered entity or BA, respectively.
- Identifying in the service-level or BAA the type of information that would be required by the BA or subcontractor to provide in a breach or security incident report.
- Finally, covered entities and BAs should train workforce members on incident reporting and may wish to conduct security audits and assessments to evaluate the BAs’ or subcontractors’ security and privacy practices. If not, ePHI or the systems that contains ePHI may be at significant risk.
Keep in mind that not all breaches are related to hacking incidents. For this year, breaches by BAs are overwhelmingly attributed to theft and unauthorized access or disclosure. Fortunately, these types of breaches should be much easier to prevent than trying to avoid a sophisticated cyber attack. Just like covered entities, BAs must have appropriate physical, technical and administrative safeguards in place.
In the event of a breach, the Business Associate must notify the covered entity immediately upon discovery. In addition to the breach notification procedure to alert the covered entity, the BAA should clearly state the BA’s obligations of notification to the individuals, HHS and the media, if applicable, as well as any costs associated with the notification process or costs related to individual identity protection.