January 30, 2012
Playing the Data Breach Blame Game
By Selena Chavis
For The Record
Vol. 24 No. 2 P. 14
HIPAA’s “chain of trust” puts the onus on covered entities to take a strong approach to business associate agreements.
Last September, Science Applications International Corporation (SAIC) caused a data breach that affected the protected health information (PHI) of 4.9 million military clinic and hospital patients. The breach involved backup tapes from the military health system’s EHR and was thought to have included Social Security numbers, addresses, phone numbers, and personal health information included in clinical notes, laboratory tests, and prescriptions.
While blame for the mishap would seemingly lie with SAIC, the buck doesn’t stop there. As the covered entity (CE) contracting with the organization, TRICARE Management Activity is ultimately responsible for following the breach notification laws outlined by HIPAA and the HITECH Act.
And that’s just the beginning.
As a result of the breach, TRICARE has been hit with a class action lawsuit seeking $4.9 billion in damages resulting from the exposed confidential information. TRICARE will also appear on a designated Health and Human Services’ (HHS) website that many industry professionals have coined the “Wall of Shame,” a provision of the HITECH Act that requires a public list to be maintained of all CEs that have experienced a data breach.
The stakes are high for ensuring the privacy of personal health information, and TRICARE is not alone in its current challenge. According to Bob Chaput, CISSP, CEO and founder of Clearwater Compliance, LLC and an expert on HIPAA and HITECH regulatory compliance, there are more than 370 CEs listed on the HHS website, more than 80 of which landed there due to a data breach caused by a business associate (BA). In fact, the five largest data breaches were caused by BAs.
“What the government did initially was to create a ‘chain of trust’ as it relates to the relationship between organizations and how they handle health information between them,” he says, noting that the HITECH Act extended the focus of the chain, placing more responsibility on the BA. While that levels the playing field somewhat, the reality is that the CE is the entity that ultimately appears on the Wall of Shame and receives the most attention and publicity.
“Ultimately, in the patients’ and media’s eyes, they only see the hospital,” says Carolyn Jones, JD, CHC, director of compliance analysis with Harris County Hospital District (HCHD) in Texas. “It becomes a reflection on the hospital.”
It’s the Law
According to Scott Edelstein, JD, partner with Squire Sanders international law firm in Washington, DC, BA agreements were enacted under HIPAA to “ensure continuity in the privacy of PHI.” By definition, a BA is a person or an entity providing functions or services to a CE (encompassing health plans, health clearinghouses, and healthcare providers that transmit any health information in electronic form) that acts on behalf of that organization or provides services to or for the organization in a legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial capacity.
According to Chaput, the HITECH Act recently extended the BA’s responsibilities as they relate to the chain of trust. “The BA now has a reciprocal responsibility to look upstream when a breach occurs. I have responsibilities as a BA to remedy the situation and report it to HHS,” he notes.
Edelstein echoes this assertion, adding that “anyone in the chain of custody is responsible. There could be penalties imposed on a CE or BA if they don’t comply with breach requirements.”
In their most basic form, BA agreements should address the following areas:
• HIPAA compliance: Contracts should outline appropriate uses and disclosures of personal health information.
• Safeguards: BAs must agree to implement specific policies and protocols, including physical, administrative, and technical safeguards, to protect PHI in accordance with HIPAA privacy and security laws. They must protect personal health information from misuse by having a plan of action in place to assess, monitor, prevent, and mitigate security threats. There should be a system in place to identify breaches when they occur followed by a formal response plan.
• Training: The BA is responsible for training all employees on HIPAA and BA requirements laid out in the agreement. The training must focus on the strongest protections to medical data.
• Notification: BAs must agree to comply with notification requirements if a breach occurs. This entails notifying the CE and possibly patients if information is compromised or lost.
• Subcontractor extensions: BAs must extend the same terms of agreement to subcontractors that have access to personal health data.
Breach notification requirements deem that healthcare providers and other HIPAA-covered CEs must promptly notify the HHS secretary and affected individuals of a breach without unreasonable delay and within 60 days. When a breach affects more than 500 individuals, the media must also be notified. The regulations require BAs to promptly notify a CE of a breach.
The fallout for delaying notification should be taken seriously, says Chaput, citing the potential for heavy fines if requirements are not met. Connecticut-based Health Net paid the state $375,000 in penalties for failing to safeguard PHI from misuse by third parties. Specifically, the fine stemmed from the untimely notification of the 2009 loss of a disk drive resulting in a PHI breach involving approximately 500,000 members.
While breach notification compliance is a shared responsibility between the CE, the BA, and other subcontracted entities, the bulk of the burden falls on the CE as the primary custodian of the information, according to Jones. After all, “The breach notification letters go out on hospital letterhead,” she says, pointing to the potential for long-term damage to the facility’s reputation.
For this reason, many CEs, such as HCHD, are going beyond the basic requirements for BA agreements to minimize their liability. “Everyone is posturing to cover their butt,” Chaput says.
Upping the Ante
Even though it has received some pushback regarding its stance, HCHD has made the strategic decision to take an aggressive approach to privacy breaches that may occur as the result of a BA error. “We have gone above and beyond HIPAA,” Jones notes, adding that the organization’s BA agreement clearly spells out the administrative and financial obligations of a BA if a breach occurs. “Our position is that the BA should be solely responsible for damages if the fault lies solely with the BA.”
Specifically, the agreement reads as follows:
Indemnification. VENDOR agrees to indemnify and hold harmless, to the extent allowed by law, the District and its Board of Managers, officers, employees, and agents (individually and collectively “Indemnitees”) against any and all losses, liabilities, judgments, penalties, awards, and costs (including costs of investigations, legal fees, and expenses) arising out of or related to:
A breach of this BAA (business associate agreement) relating to the Privacy and Security Requirements by VENDOR; or
Any negligent or wrongful acts or omissions of VENDOR or its employees, directors, officers, subcontractors, or agents, relating to the Privacy and Security Requirements, including failure to perform their obligations under the Privacy and Security Requirements.
A fully integrated healthcare system composed of three hospitals, three community health centers, school-based clinics, and at-home services, HCHD currently has 1.4 million patients in its database. It contracts with approximately 300 BAs, opening the door for more chances that PHI beyond the organization’s reach will be exposed.
To appropriately manage contracts, any agreement for services must go through the compliance department to determine whether the relationship is such that a BA agreement would be required. There is essentially a central repository for contract negotiations and the drafting of agreements.
Jones notes that HCHD tries to keep all BA activity regarding PHI centralized in order to properly manage information. Under HITECH, CEs and BAs must be able to provide an accounting of disclosures of PHI for anyone who accessed electronic health information—both uses and disclosures—regardless of purpose. The rule extends the burden to BAs and also encompasses disclosure for treatment, payment, and healthcare operations dating back three years from such a request.
HCHD’s BA contract requires that any requests for an accounting of disclosures made directly to a BA be directed back to the hospital. It also requires that the BA provide written notification within three days that a request has been made by an individual.
“It gets back to centralized accounting of disclosures from our location,” Jones says.
Mitigating the Risk
A recent benchmark study conducted by the Ponemon Institute found that the frequency of data breaches in healthcare organizations has increased 32% since 2010. It estimates the annual cost of these breaches to be between $4.2 billion and $8.1 billion. The study also found that 50% of the breaches involving more than 1 million records were caused by BAs while 44.8% of the breaches between 30,000 and 999,999 records were deemed the fault of a BA.
Chaput points out the risk is real, and healthcare organizations need to do their due diligence to minimize the potential fallout. “At the end of the day, this is about business risk management,” he says. “Some healthcare organizations safeguard that information better than others.”
As a consultant to healthcare organizations and BAs for HIPAA and HITECH compliance, Chaput says there are four approaches to handling data breach risk. First, CEs can accept the risk and do nothing to mitigate it. Second, they can avoid risk by eliminating business elements that increase the potential for a breach, such as the use of mobile devices and laptops.
Since the latter is not a realistic proposal in today’s healthcare climate, Chaput notes that most healthcare organizations are taking the approach of mitigating risk, although on different levels. To tackle breach prevention head-on, CEs can employ strategies that include the use of security technology, the implementation of policies and procedures, and regular training of staff and BAs.
Encryption software and tools should be at the forefront of any strategy, according to Chaput. In its BA contract, HCHD requires third parties working with PHI to use encryption software in information storage and transmission. The organization also mandates the use of up-to-date antivirus software, the adoption of contingency plans for data backup and disaster recovery, and the implementation of strong access controls, including physical locks, firewalls, and strong passwords.
The final approach healthcare organizations can take to respond to risk associated with data breaches is to “transfer” it. In this case, Chaput recommends cyber insurance as an important element within a broader risk management program.
As a self-insured entity, Jones notes that HCHD does not have cyber insurance, but she would recommend the option to other providers. “Any risk that you can insure … there’s a benefit to doing that,” she says.
— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications covering everything from corporate and managerial topics to healthcare and travel.
The BA/CE Conundrum
The ability to operate in today’s healthcare climate of lean budgets and outsourcing would be nearly impossible without business associate (BA) relationships. This reality complicates the efforts of hospitals and other covered entities (CEs) in their quest to protect personal health information.
TRICARE Management Activity is currently facing a $4.9 billion class action lawsuit due to a security breach caused by one of its BAs. However, TRICARE is certainly not alone. Consider these recent data breach cases and the resulting CE liability:
• Last September, Stanford Hospital & Clinics was hit with a $20 million lawsuit related to a security breach that exposed the personal data of 20,000 patients. The organization disclosed that a spreadsheet being handled by a third-party billing contractor, Multi Specialties Collection Services, was somehow posted on Student of Fortune, a website that allows students to solicit homework help for a fee.
• The personal information of more than 8,000 patients from Kansas-based Lawrence Memorial Hospital was exposed due to an error with its online bill pay service provided by Mid Continent Credit Services and hosted on a website by Brick Wire. The incident, which occurred last November, could result in the hospital facing a federal investigation and fines.
• In 2010, KPMG, the Office for Civil Rights’ auditor for HIPAA privacy and security compliance, discovered a breach that affected more than 4,500 patient records. The breach involved personal health information from two CEs in New Jersey: 3,630 patients at Saint Barnabas Medical Center in Livingston and 956 patients at Newark Beth Israel Medical Center in Newark.