GUEST BLOG: Who’s Responsible for BAA Data Breaches?
Being a consultant often affords me a bird’s eye view of complex security and compliance issues in healthcare. Lately, I’ve observed many providers, payers and clearinghouses (aka, readers of Healthcare Informatics) being overly confident that their executed business associate agreements will protect them in the event a client’s PHI (personal health information) is mishandled or compromised by outside parties.
This confidence is critically ill-founded. The HITECH Act’s HIPAA security changes firmly hold covered entities liable for security breaches by their business associates (BAs) and the subcontractors of those BAs. The Act's changes impose stiffer penalties and breach notification requirements.
Under the HITECH Act, the onus is on covered entities to act to ensure that the security processes of BAs and subcontractors align with their own internal standards. Why? Well, the reasons are self-evident: either way, you will not escape the PR nightmare and hefty fine resulting from breaches occurring downstream from BAs.
To mitigate the risks, you and your team need to thoroughly evaluate potential and existing business associates. This can be achieved through a series of questions. For starters, ask business associates if they have business associate agreements (BAAs) with other covered entities, and if so, with whom. The answers will gauge their capabilities and the type and level of PHI being handled. If companies are reluctant or barred from disclosing clients’ identities, demand general information.
In addition, you need to question BAs as to whether they have a security compliance officer and how many employees report to that person. Find out if service providers have undergone HIPAA, SAS 70 Type II, International Organization for Standardization, and other audits. If the answer is yes, what were the results? Because security compliance is challenging and will continue to be so, covered entities must determine whether BAs understand the seriousness of complying with the new rules, as well as with your own requirements, including those for data exchange, and whether they have the resources and skills to meet those responsibilities.
A question covered entities should but frequently fail to voice, to spare vendors embarrassment, is whether BAs have ever had a security breach. While their reluctance is understandable, it’s foolish not to broach this topic, given the high stakes involved. If a BA’s answer is affirmative, request details, the steps taken to prevent recurrences, and whether an audit was performed to verify that new policies and procedures were implemented and adhered to properly. That way you can make an informed decision to engage or retain the company.
Other methods to protect your organization include finding out if your business associates have executed BAAs with their subcontractors. If the answer is negative, sever the relationship as it reveals negligence.
It’s also recommended to engage security officers and attorneys on both sides in jointly drafting BAAs and then reviewing them every six months to keep current with changing circumstances and regulations. Too often those tasks are assigned only to lawyers, who likely will not be as versed in the nuances of security rules. As a final point, audit the security practices of BAs and their subcontractors every six to 12 months.
In the past, organizations could elect to ignore the security practices of BAs or trust assurances that their PHI was secure. But new regulations, increasing fines and rising consumer anger over a steady stream of high profile data breaches make that impractical. Covered entities that tightly vet, monitor and oversee BAs and their subcontractors will win in the end: they will retain the trust of patients and clients along with their reputation – and those who don’t will pay a heavy price.
-Eric Mueller, Services President, WPC
Eric Mueller has 20 years of diversified experience spanning IT strategic planning and execution, revenue cycle optimization, security and compliance, new product and technology launch, organizational design and re-structuring, P&L management, and mergers and acquisitions.
Prior to joining WPC, Mueller served as CEO to a privately-held healthcare services and technology provider of revenue cycle technology where he grew revenue by 65 percent and increased sales significantly.