It is no surprise that healthcare data breaches are on the rise. The number of annual health data breaches increased 70% the past seven years, with 75% of the breached, lost or stolen records—132 million—being breached by a “hacking or IT incident.”1
The latest headline grabber involves Quest Diagnostics and LabCorp –two of the largest clinical laboratories in the United States—as well as several other clinical laboratories, including BioReference Laboratories Inc., affecting a combined total of more than 20 million patients. The unauthorized disclosures occurred due to a security breach in the web payments page at American Medical Collection Agency, an external billing collections vendor used by all three laboratory companies. Exposed data included names, home addresses, phone numbers, dates of birth, Social Security numbers, payment card details and bank account information over a period of eight months.
While the Office of Civil Rights (OCR) recently underscored that business associates are directly liable under the Health Insurance Portability and Accountability Act (HIPAA),2 a breach of this magnitude could still result in liability for the covered entity, and certainly results in negative press. This breach has already resulted in significant fallout, including calls for investigation by several members of Congress, as well as several state attorney general investigations. Class action lawsuits also have been filed.
Best Practices Include Four Key Steps
The breach highlights how critical it is for HIPAA covered entities3 not only to maintain strong privacy and data security practices themselves, but also to take steps to ensure that their business associates maintain these same practices. Privacy and security should be top of mind anytime a covered entity is considering entering into an arrangement with a vendor or other third party that will create, receive, maintain or transmit the covered entity’s protected health information (PHI). Best practices in this area can be distilled into four distinct steps which should be undertaken by all covered entities: Evaluate, Document, Contract and Monitor.
Evaluate. Prior to entering into any arrangement with a business associate, the covered entity should carefully evaluate the nature of the proposed arrangement and the capacity of the business associate to adequately maintain and secure PHI. The covered entity should perform due diligence to assess whether the vendor has experienced significant breaches previously. In addition, the covered entity should determine whether the business associate provides a mechanism for conducting and completing mandatory HIPAA audits, confirm that the business associate has training and procedures in place to handle PHI properly, and review the business associate’s security specifications. A risk questionnaire can be a key tool in the evaluation process. An unwillingness by a vendor to share its security specifications or the results of its most recent security assessment should constitute an immediate red flag. Depending on the nature of the arrangement, a covered entity may want to send its security officer to the vendor’s facility to do a site inspection or conduct his or her own assessment.
Document. Developing detailed and thorough documentation of a covered entity’s evaluation of a potential vendor is almost as important as conducting the evaluation itself. Remember that old healthcare adage: “If it isn’t documented, it didn’t happen.” In the event that the vendor does experience a HIPAA breach, the covered entity can demonstrate to the OCR that it acted in good faith and based on a reasonable belief that its PHI would be protected when it contracted with the vendor.
Contract. When engaging a vendor, a covered entity should ensure that the contracting process reflects the uniqueness of that vendor and the PHI that would potentially be at risk. A Business Associate Agreement (BAA) should not be viewed as a “one size fits all” document. In addition to establishing the privacy and security obligations of the parties to a contract, a BAA should set forth the parties’ respective obligations in the event of a breach—including who is responsible for determining whether a breach actually occurred, the time frame for the business associate to notify the covered entity of the breach, who is responsible for notifying individuals (and the Department of Health & Human Services, if necessary) of a breach, and who is responsible for the costs of a breach. For business associates that are large organizations, the BAA should also identify the individual within the business associate’s organization that the covered entity should contact in the event of a breach. Finally, a BAA should specify whether or not PHI may be stored offshore. In addition, a Service Level Agreement (SLA) can be used to address more specific business terms that may also be relevant to HIPAA compliance. For example, an SLA can address HIPAA concerns such as system availability and reliability, backup and data recovery, and the manner in which PHI will be returned to the covered entity after termination. Careful and comprehensive contracting will not only help reduce the risk of a breach in the first place, but will also clearly delineate the respective obligations of the parties in the event that a breach does occur.
Monitor. A covered entity’s obligations with respect to its business associates don’t end once a contract is signed. Ongoing monitoring is key. Covered entities should include their business associates in their annual risk assessments, as well as require business associates to provide copies of their own risk assessments on an annual basis. Covered entities also should consider conducting routine audits of business associates that perform services that might be high risk, and should be diligent in following up on any reported incident that could be deemed a security incident.
1 Tindera, Michela. "Government Data Says Millions Of Health Records Are Breached Every Year." Forbes, September 25, 2018. Accessed June 24, 2019. Article cites to Journal of American Medical Association.
2 HHS Office of the Secretary, Office for Civil Rights. "Direct Liability of Business Associates." HHS.gov. May 24, 2019. Accessed June 24, 2019. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/factsheet/index.html.
3 Covered entities include healthcare providers who electronically transmit any health information in connected with certain health care transactions; health plans; and health care clearinghouses.