What happens if your business associate has a patient data breach?

December 4, 2014

Here’s a cautionary tale: A medical practice comes to us in a panic. It turns out the physician had received a letter from the Office of Civil Rights (OCR) ordering an investigation related to a patient data breach – not his own.


In this instance, the practice’s business associate (BA), a web hosting company, had committed the breach and exposed patient information, part of which ended up in a Google search. The web hosting company was investigated and is awaiting a final determination from OCR. But the medical practice was also being investigated because it had contracted the services of its provider.


Impact to the physician

This particular medical practice, an oral surgeon with a staff of six, had 20 days to answer 15 questions, all pointing to electronic security measures it should have taken to protect the thousands of patient records stored in its systems (the investigation came after the initial 60-day window the practice had to notify patients). The workload in responding to an OCR investigation could be enough to make a physician want to shutter his practice. Here is just a taste of the OCR’s questions:

  • Copies of any notes, documents and reports relating to any internal investigation, including any forensic analysis conducted by the covered entity, or its designated contractor or agent, of the alleged incident. Please detail any corrective measures taken as a result of this alleged incident.

  • Please indicate whether you conducted a breach risk assessment for the alleged incident. If so, please provide a copy of the breach risk assessment.

  • If you determined that a breach of patients’ PHI occurred as a result of this incident, please indicate, as applicable, whether you notified the affected individuals, the media, and the HHS Secretary.

  • If you notified the affected individuals, the media, and the HHS Secretary, please provide OCR with documentation of said notifications.

You can view the remaining 13 questions on our website.

If the OCR determines that the medical practice is in willful neglect of HIPAA regulations, it could be looking at a fine of $50,000 per incident, up to $1.5 million.


It’s all in the Business Associate Agreement

While HIPAA requires covered entities (CEs) to get signed agreements from BAs stating they will protect patient information, the agreement may not indemnify the CE in the event of an OCR investigation caused by its BA’s breach. Moreover, unless it is stated in the agreement, a BA is under no obligation to disclose the breach to its client in a timely manner.

Conversely, the CE could state in the agreement that if the BA has a breach, it has to pay the CE’s fine and indemnify it against any liability. An ironclad agreement like that could make the BA jittery and reluctant to sign on the dotted line. But without a BA Agreement the CE won’t be able to grant permission to IT companies, medical billers, attorneys, insurance carriers, etc. to handle its clients’ health information, virtually cutting off the blood supply to the practice’s operation.

To make the agreement fair, both parties need to come to the table, openly discuss the terms of the agreement and have it reviewed by legal counsel. For starters, the BAA should:

a) require proof that the BA is protecting ePHI;

b) require the BA to deliver a breach report to the CE within a reasonable timeframe, for example 10 days. The report should explain what happened, who accessed the data, how it was accessed, and what was accessed. The BA may need time to bring in a forensic IT expert to figure out how the breach happened, on what servers, etc.; and

c) require that if the BA caused the breach, it indemnify the CE and pay agreed-upon expenses.

Likewise, if the CE gets investigated because its BA was fined, but the practice didn’t take the proper steps to comply with HIPAA, it can’t use the Agreement to demand that the BA pay the fine. BAs are not responsible for making sure their CE is HIPAA compliant.

My take-aways:

a) if your BA commits a breach the OCR could investigate your practice;

b) be prepared: perform a HIPAA risk assessment, plan and implement security safeguards, and keep backup documentation; don’t put it off and get caught off guard;

c) provide a BA Agreement that protects your practice but is fair to your BA.