HIPAA Regulatory Alert

Data breaches attributed to business associates increase

Covered entities review responsibility for monitoring BAs

Three scenarios that no hospital security or privacy officer wants to experience:

• A hospital billing spreadsheet with details about patient identities and payment information posted on a public homework review web site for over a year (Stanford [CA] Hospital and Clinics);

• A computer maintenance vendor who forgot to enable security controls, which enabled a virus to breach a database and transmit data to an unknown location (Beth Israel Deaconess Medical Center, Boston);

• An unencrypted hard drive stolen from the back seat of an employee's car that affected two health systems in two states (Saint Barnabas Health Care System in New Jersey and Cook County Health & Hospitals System in Chicago).

All of the hospitals affected by these three situations in the past year were not responsible for these data breaches. Their business associates (BAs) were responsible. A study conducted by the Ponemon Institute in Traverse City, MI, shows that 46% of the data breaches that occurred at respondents' organizations were the result of third parties, including BA, mistakes.1

Although HITECH rules increase the business associate's responsibility for protection of patient data and reporting breaches, these situations raise the question: To what extent should covered entities actively monitor their BA's privacy and security programs?

"Even if the data breach is the result of a business associate's action, the liability for the breach affects the covered entity because it affects the relationship between the covered entity and the individual," says Andrew Martin, an attorney with Scott & Scott, an intellectual and technology law firm in Southlake, TX. Although the business associate agreement should require specific policies and activities related to privacy and security of data, it is important that the covered entity also include a program to monitor the BA's program, he recommends.If the BA is not in compliance with privacy and security regulations, it might face fines as a result of the breach, Martin points out. If the covered entity can demonstrate that it has taken steps to require and monitor compliance, it is not at risk for non-compliance fines, he adds. The BA and covered entity, however, are liable for other costs related to the breach, including notification costs, he warns.

Before determining how often and in what manner you'll monitor a business associate's privacy and security program as it relates to your data, start with a risk assessment that will help you determine the details you must address in the agreement, suggests Christine Leyden, RN, MSN, senior vice president of client services and chief accreditation officer at URAC, a Washington D.C.-based nonprofit accreditation, education, and quality measurement organization. "Understand the flow of protected health information from your organization to the business associate and from the business associate to others," Leyden says. "The risk assessment should also address physical safety of the data."

Although data might be encrypted, or access to electronic data is limited to specific people, be sure you know if there are paper records handled by mail room personnel, fax machines that receive information in unsecured areas, or backup tapes or hard drives that are taken off site by employees, she suggests. By identifying all of the points at which a breach can occur, the covered entity and the business associate can take steps to reduce the risk of a breach and determine how often the covered entity should audit the program, she adds.

The idea of monitoring or auditing business associates' programs can seem overwhelming for hospitals and health systems due to the large number of business associates, admits Anupam Sahai, president of eGestalt Technologies, an information security company in Santa Clara, CA. A covered entity can ask some basic questions of every BA and use the responses to prioritize the list of associates that should be monitored, Sahai suggests. Evaluate the amount and type of data the BAs will handle as well as their development of policies that address privacy and security; training programs for employees; and methods of storing, accessing, and destroying data, he suggests. "Business associates should also be asked if they conduct employee background checks, use subcontractors, require subcontractors to meet same privacy and security standards as the business associate, and will agree to an onsite review of their privacy and security processes," Sahai says.

Once a covered entity has reviewed the information about data that business associates handle and the answers to questions about the privacy and security program, a list of the business associates that prioritizes the organizations that represent the highest risk can be developed. "These high risk relationships are the ones that a covered entity should monitor," says Sahai. Because a covered entity should limit data shared with a business associate to only the information needed to perform the job for which they are contracted, organizations that receive limited data or data that will be used for a short, specific timeframe subsequently pose less risk, he points out. Efforts to monitor and audit a BA's privacy and security program should focus upon organizations that receive a high volume of protected patient information on a regular, ongoing basis, he suggests.

Monitoring a business associate can be handled differently for each BA, says Martin. "The review can be yearly or quarterly and can be an onsite evaluation, a paper audit, or an evaluation by a third party evaluator," he says. "It is a good idea to review all business associates' policies and procedures related to privacy and security annually."

A quality management committee also can be used to monitor BAs' performance, suggests Leyden. "The risk assessments of business associate relationships can be reviewed by the committee prior to signing a business associate agreement," she says. "It helps to have an extra set of eyes that can look for vulnerabilities in the process."

The quality management committee also should receive quarterly updates on privacy and security indicators identified by the privacy and security officers of the covered entity, recommends Leyden. In addition to collecting information that is obviously related to privacy and security and business associates, be sure to include items such as patient complaints about not receiving bills, she says.

"When patients don't receive their bills, it may indicate that they are being sent to the wrong address, which means patient information is disclosed to someone who should not have it," Leyden says.


1. Poneman Institute. 2011 Benchmark Study on Patient Privacy and Data Security. Traverse City, MI; 2011.


For more information about monitoring business associates, contact:

• Christine Leyden, RN, MSN, Senior Vice President of Client Services and Chief Accreditation Officer, URAC, 1220 L St. NW, Washington D.C. 20005. Telephone: (202) 216-9010.

• Andrew Martin, Attorney, Scott & Scott, 1256 Main St., Suite 200, Southlake, TX 76092. Telephone: (214) 999-2918. E-mail: amartin@scottandscottllp.com.

• Anupam Sahai, President, eGestalt Technologies, 3080 Olcott St., Suite No. 200-B, Santa Clara, CA 95054. Telephone: (408) 689-2586.