Here’s a scenario I hope you never have to face: your small physical therapy practice hires a third-party billing company to manage your billing operations. Then, that billing company experiences a massive data breach affecting more than 1,000 of your patients. Because the billing company didn’t have an information security or compliance program in place, it was not aware of the breach for more than six months. Unfortunately, the billing company also did not have insurance, so it’s closing its doors, leaving you with insurmountable costs associated with cleaning up the breach—including notifying your patients and offering credit protection services.
You also have to report the breach to the Office for Civil Rights (OCR), and now OCR is investigating your practice. Worse: You are losing patients left and right, because they don’t care that the billing company caused the data breach—they think you are responsible. After all, you gave their protected health information (PHI) to a business that was not equipped to protect it.
So, what could you have done differently to protect your patients’ PHI—and your practice—when hiring that business associate? Include that company in your HIPAA risk assessment. Here’s how to help ensure you’re meeting HIPAA business associate requirements (but first, a little background info):
According to HIPAA, third-party vendors are considered business associates.
A business associate is defined in the HIPAA rules as a person or company that—on behalf of the covered entity (a.k.a. your practice)—creates, receives, maintains, or transmits PHI for the covered entity. Examples include electronic medical record vendors (e.g., WebPT), billing companies, or accountants. When entering into a relationship with a business associate, the covered entity must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI—whether it is held by the covered entity or the business associate.
On May 24, 2019, the Department of Health and Human Services Office for Civil Rights issued a fact sheet outlining the ten circumstances in which HIPAA business associates are directly liable for violations of the law. For a complete list of HIPAA provisions that apply directly to business associates, check out the fact sheet here.
Data breaches have lasting consequences—mostly for providers.
However, large data breaches continue to dominate the press. In 2019, the Ponemon Institute—which conducts independent research on data protection and emerging information technologies released a study showing that the cost of a data breach has far-reaching effects that last for several years after the breach occurred. The study also revealed that small businesses face disproportionately larger costs relative to bigger organizations, which can hamper their ability to recover from such breaches. A 2018 Ponemon study on third-party risks identified vendors as posing significant risk to company data. To address that, this study recommends tracking and auditing all third-party vendors to make sure they have the compliance and information security safeguards required to protect your data.
So, a business associate’s direct liability under HIPAA is cold comfort for any healthcare provider who experiences a data breach due to that business associate’s acts or omissions. You, as the covered entity, have much more to lose if you trust the wrong business associate with your most valuable data: you patients’ confidential health information.
But, there are things providers can do to reduce risk.
How is a small, medium, or even large organization supposed to mitigate the risk associated with a breach? Here are four tactics to assess and audit your business associates:
Tactic #1: Analyze risks to your ePHI.
The HIPAA Security Rule requires you to perform an accurate and thorough assessment of potential risks and vulnerabilities to your ePHI—and that requirement extends to your third-party vendors. Those vendors are also required to conduct this same type of risk assessment; so, ask them for theirs. Perhaps they can’t give you their detailed analysis because it contains highly confidential information, but they can at least provide you with a summary. If they stare at you with big, blank eyes, however, then you can be confident they are not conducting a risk assessment.
Tactic #2: Start thinking of your HIPAA business associates as trusted partners.
Before you hand over access to your PHI, learn more about your business associate. What kind of company is it? Who is the organization’s compliance and security officer? What is the company’s physical address? Does it have HIPAA and information security policies in place? In the event of a security incident or data breach, would you be notified—and if so, within what time frame? Think of this as a first interview. Remember, if you do engage this vendor as your business associate, then it will have your practice’s most valuable information. So, you really need to trust this organization.
Tactic #3: Audit your most critical business associates periodically.
Do you have a business associate that is critical to the success of your operation? Does it have thousands of your patient records—or even hundreds? If so, audit these business associates periodically. Your audit can vary based on your resources and bandwidth. You can send a simple checklist of requested items annually (e.g., the company’s HIPAA policies or training materials). You can even ask to stop by and observe the company’s operations. The most important aspect of periodic auditing is to keep that critical business associate in the forefront of your mind, so that you maintain good communication and transparency.
Tactic #4: Consider asking your business associates to obtain cyber liability insurance.
One scary fact about data breaches is that the cost of a breach has risen to about $150 per record. This cost can add up quickly, and most businesses would not be able to sustain this type of financial punch. So, consider asking your critical business associates to purchase a good cyber liability insurance policy. If they have one, ask them to send you proof in the form of a certificate of insurance. You should also purchase a cyber liability policy of your own.
Have you conducted your HIPAA risk analysis? If not, consider purchasing HIPAA Check™, produced by Sunhawk Consulting. HIPAA Check uses a proprietary algorithm that pulls from OCR settlements, so you can focus your efforts on the high-risk items first. HIPAA Check also provides suggestions for how to assess each assessment item, including what to ask of your business associates. As a bonus, WebPT Members who purchase HIPAA Check in the Marketplace will find that all business associate relevant audit items are answered on behalf of WebPT—and we will provide you with important information about our HIPAA compliance and information