The volume of data security breaches occurring in health care has captured hospital and system trustees’ attention and forced them to investigate their respective organization’s plans and policies to protect patient information. While directing senior leaders to shore up vulnerabilities, boards also need to be aware of the vendors who support hospital operations, such as consultants, information technology companies, and clearinghouses that translate transactions. These business associates represent another risk area that requires board oversight.

Patient data breaches via business associates are high-probability, high-impact events that damage a hospital’s or system’s reputation as a trusted provider. A PricewaterhouseCoopers study concluded that around 55 percent of the data breaches reported since September 2009 involve business associates. What’s more, the repercussions can have a significant negative impact on an organization’s finances. Fines for HIPAA violations range from $100 to $50,000 per violation — a single patient record is one violation — and they add up quickly. A large integrated delivery network in the Northeast recently agreed to a $4.8 million settlement with the Health & Human Services Office for Civil Rights for a breach that caused the protected health information of 6,800 individuals to be accessible publicly via Internet search engines. Fines and penalties usually are not covered by insurance — they represent a direct hit to a health system’s bottom line.

HHS tracks all reported patient data breaches involving 500 or more individuals, both accidental and malicious, and posts them on the Breach Portal, a public website. According to the Center for Health Reporting, as of July 2014, more than 1,000 breaches have been posted, affecting more than 32 million patients.

These four questions provide a closer look at the regulations governing security breaches by business associates.

Q What laws exist to improve patient data security with regard to business associates?

A The HIPAA Omnibus Final Rule, passed in 2013, expands the definition of a business associate and states that breaches involving protected health information must be reported to the OCR for investigation. The expanded definition covers the vendor with which the health system has contracted and any subcontractor of that vendor that also handles protected health information. Civil monetary penalties can exceed $2.5 million per breach, and violations can also lead to criminal prosecution by state attorneys general. While the cost of legal defense may be covered under the health system’s insurance policy, fines and penalties are not.

Q What is the enforcement plan for the new law?

A The OCR investigates breaches involving more than 500 records within a few weeks of the breach report being filed. Additionally, the OCR audits health care providers. In both cases, the OCR provides only a 20-day advance notice, which makes it difficult for a provider to become compliant between notification and investigation or audit.

Q Are there other business risks associated with oversight of business associate vendors?

A Yes. Meaningful use Stage 1 attestation requires the covered entity to have the required HIPAA data security policies and procedures in place to oversee business associates. If an audit reveals that the provider’s attestation is not accurate, the Centers for Medicare & Medicaid Services can recoup the incentive payment.

Q Where do hospitals and health systems fall short of compliance with HIPAA security and business associate oversight?

A The biggest challenge is identifying all of an organization’s business associates. It’s not unusual for a hospital or system to identify around 250 business associates in its initial assessments. However, after a more complete analysis, the actual number may be 750 or more business associates.

Additionally, business associate risk assessment and oversight often are performed by the compliance or legal department with minimal coordination with two other major players: purchasing and information technology. Because purchasing agents are responsible for vendor selection, relationship management and contractual fulfillment, this lack of synchronization can lead to data breaches, fines and a damaged reputation. Many IT vendors handle, transmit or store protected health information and thus require special scrutiny. Legal firms, accountants, auditors and consultants for financial, clinical reimbursement or patient safety projects also are overlooked frequently.

Hospitals and systems need to be especially mindful that business associate agreements and policies are detailed and complete. For example, hospitals should have breach notification policies on file for each business associate. Rushing to get vendors on board and up to speed can lead to poor oversight and policy omissions.

Finally, HHS states that covered entities must take dual responsibility for patient data protection by obtaining satisfactory assurances in writing from each business associate that it will appropriately safeguard the information it receives or creates on behalf of the covered entity. 

Chris Luoma is the vice president of product at Vendormate, a GHX company in Atlanta.

The Board's Role

Effective board oversight of business associates begins with an understanding of HIPAA Omnibus, meaningful use Stage 1 and the risks related to noncompliance. Trustees should ask executive leaders the following questions:

  1. How many business associates does the hospital have? How many have a compliant business associate agreement? Has the hospital had its vendor list analyzed by an outside organization to help identify missing business associates?
  2. How often is a report on business associates and agreement status distributed and to whom?
  3. Does the hospital have a single, current vendor master file, or are the data stored in multiple files?
  4. What percentage of the hospital’s vendors have been screened for business associate risk?
  5. How many patient data breaches of any size have occurred in the last two years? What was the nature of each breach? What steps have been taken to prevent similar breaches?
  6. How many of the patient data breaches that occurred in the last two years have involved a vendor?
  7. What is the status of the hospital’s compliance with all the requirements needed to attest for meaningful use Stage 1?
  8. Who will be in charge of preparing for an Office for Civil Rights audit? How many days of preparation do these individuals estimate they will need?
— C.L.