HHS Wall of Shame: Forty Percent of 2013 HIPAA Breaches Involved Business Associates

Of the HIPAA data breaches reported in 2013 so far, nearly 40 percent have involved a business associate. A look at the overall percentage of business associate involvement with data breaches dating back to 2009 reveals that almost 30 percent played a role in the reported cases.

Clearly, the U.S. Dept. of Health and Human Services (HHS) has attempted to address the chronic issue by widening the HIPAA penalty net to include business associates and subcontractors this year, with the drop of the final omnibus rules that went into effect March 26 (with 180 days to be in compliance).

While business associates may have a new vested interest as they can be investigated and penalized directly by the Office for Civil Rights (OCR), covered entities also need to pay closer attention to their vendor contracts and security practices as they can be held liable for business associate and subcontractors as well.

Business associates of covered entities can no longer be overlooked – for every healthcare organization that touches protected health information (PHI), each vendor must undergo scrutiny of their physical, administrative and technical security. When it comes to HIPAA hosting providers, the three tiers of security involve:

  • Physical Security – Physical security adds one layer of security your data center should have in place to not only meet compliance standards, but to keep unauthorized users from accessing physical servers.

  • HIPAA Administrative SecurityAdministrative Security – Administrative security includes the audits, policies, staff training, and, for HIPAA-specific requirements, business associate training. Equally important as ensuring the physical and technical security of your data environment, administrative security addresses the business-facing concerns of partnering with a third-party hosting provider.

  • Technical Security – Secure hosting solutions require a multi-layered approach with the use of several different security tools. Not only do these tools help your company meet various compliance standards, but they also strengthen the security framework of your systems and minimize your overall risk of data loss. From file integrity monitoring (FIM) to web application firewalls (WAF), protect your systems from unauthorized access.

Just ‘HIPAA-Friendly’ or Actually ‘HIPAA Compliant’?
One example of a repeat business associate offender of HIPAA breaches is a case reported in January – a small web design company out of Boston, ClearPoint Design, was responsible for a breach that affected 15,000 individuals at three different healthcare organizations.

As the vendor contracted to host, maintain and monitor an online intake form for patients to request services, ClearPoint leased a dedicated server from Hosting.com to support the system. The Hosting.com server was hacked by an individual that modified the code on the website and diverted unencrypted payment data to a Gmail account. The hacker had gained administrative rights to the server housing PHI.

Hosting.com’s website states they are ‘HIPAA Business Associate Agreement friendly’ and claims they can create a solution to help organizations meet HIPAA compliant requirements. However, they do not mention if they have undergone an independent HIPAA audit of their own facilities, and there is no word if their organization meets the physical, administrative or technical security requirements of HIPAA.

Case in point – to avoid being a statistic on the HHS Wall of Shame, covered entities must do a deep dive into their HIPAA hosting provider’s audit reports. Check that they’ve been audited to the latest OCR HIPAA Audit Program Protocol. Ask them which particular IT services can help them meet HIPAA compliant security standards. Ask about their documented policies and procedures, and ensure their employees are trained. Finally, review their business associate agreement (BAA) carefully, and never partner with a hosting provider that won’t sign one.

References:
Child & Family Psychological Services, Inc. HIPAA Breach Letter (PDF)
Hosting.com: Compliance
HHS: Breaches Affecting 500 or More Individuals
Small Firms, Big HIPAA Troubles?

Related Articles:
HIPAA Breach Lessons Learned: Store PHI in HIPAA Compliant Data Centers; Not Locally
While no records were broken when it comes to number of health records disclosed per data breach, the top HIPAA breaches of last year still come with some hard lessons learned about technical and physical security. Learn from their mistakes … Continue reading →

Interview: HIPAA Rules Effective Starting Today – Is Your HIPAA Hosting Provider Prepared?
The Web Host Industry Review (WHIR) recently featured a Q&A with Online Tech’s Director of Healthcare Vertical discussing the recent regulations that take effect today, March 26. The new HIPAA rules affect HIPAA hosting providers, as they are considered business … Continue reading →

HIPAA in a HITECH World: HIPAA Violations on the Rise, According to Director of OCR
Leon Rodriguez, Director Office for Civil Rights, U.S. Department of Health and Human Services shared unexpected insights from early analysis of breach statistics and the audit pilot at the American Healthcare Lawyers Association conference, HIPAA in a HITECH World, along … Continue reading →

facebooktwittergoogle_pluspinterestlinkedinmail
This entry was posted in HIPAA Compliance and tagged , , , , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

* Copy This Password *

* Type Or Paste Password Here *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>