Boston Business Associate Fired Over 15K HIPAA Breach
A Business Associate of Boston Medical Center, MDF Transcription Services, has been fired after a HIPAA breach that exposed the confidential data of approximately 15,000 individuals when their information was posted on an insecure transcription website.
The HIPAA breach was not discovered by the hospital, but by another healthcare provider who noticed that information had been incorrectly posted on the website. Boston Medical Center was alerted to the error on March 4, 2014, according to a statement provided to Security Media Group.
Once the error was discovered the medical center acted quickly and contacted its Business Associate to secure the data. According to the statement, BMC “Immediately informed MDF and its subcontractors of this error and the website was removed from the Internet on the same day. We take our responsibility to maintain our patients’ privacy very seriously and have notified all individuals who were affected by this vendor error.”
It is not clear at this stage how long the data was posted on the website before it was removed, so the level of risk to which the victims have been exposed is also unclear. The hospital, along with its BA and subcontractors, is now trying to determine the duration of the breach.
MDF is used by a number of physicians at the hospital to transcribe physician notes. The data, which included names, addresses, medical information and prescriptions, was provided to MDF who transcribed the information and posted the transcribed notes on a company website where it could be accessed by physicians.
The company had been used for several years by the hospital without any problems or previous HIPAA breaches. In the past all data was password protected, preventing any unauthorized individual from accessing it. In this instance the data was uploaded to the website without any password protection. Any person accessing the website could therefore have accessed the PHI contained in these transcribed reports.
According to the statement released by Boston Medical Center, “BMC has rigorous contracting standards in place to protect patient privacy and any organization that works with BMC must be in full compliance with those standards.” Since the company breached those standards, the medical center's Business Associate terms and conditions left it no choice but to terminate the relationship with MDF.
HIPAA is a Problem for Many Transcription Companies
One problem faced by transcription services is conducting the work with limited resources and spiraling operational costs. One method used to cut costs is to outsource the work to subcontractors. There is a plethora of individuals not based in the U.S. who are able to offer cut-price transcription services via online freelancer portals such as Elance and Odesk.
Protected Health Information is shared with these individuals, who perform the duties as asked and then post the transcribed data on websites or send it by email. Unfortunately, these methods of communication are insecure and lack the safeguards required under HIPAA. It is not yet apparent whether MDF itself or one of its subcontractors was responsible for the breach, or whether subcontracting played a part in it.
Business Associates Are Accountable for their Actions Under HIPAA
Since the introduction of the Omnibus Rule, Business Associates of healthcare providers can be held accountable for HIPAA violations that result in breaches of Protected Health Information. The Office for Civil Rights can issue financial penalties up to a maximum of $1.5 million for each HIPAA violation category, per year. Boston Medical Center may also be liable to pay a fine if it has not exercised sufficient control over its Business Associates.
HIPAA covered entities must make sure that all of their Business Associates are made aware of their obligations under HIPAA and agree to abide by the Privacy and Security Rules. If BMC is found not to have informed MDF of its obligations, or if an up-to-date and correct Business Associate Agreement is not in place, BMC could similarly be fined.
Even with a BAA in place there is no guarantee that HIPAA Rules will be followed, so it is up to the healthcare provider to conduct checks to ensure this is the case and that its Business Associates are HIPAA compliant at all times.
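The failure described above, a vendor portal that served transcribed reports without requiring a password, is the kind of thing a covered entity can check for itself rather than waiting for a third party to notice. The following is an added example, not code from the article or from BMC or MDF: a small Python script a covered entity could run periodically against the portals its Business Associates operate on its behalf. It makes one anonymous request (redirects deliberately not followed) and classifies the answer: a login challenge is the expected outcome, report-like content returned to an anonymous client is flagged, and anything else is left for a human to review. The portal URL, the PHI marker words and the login-page heuristics are assumptions chosen for illustration.

```python
"""Periodic check that a Business Associate portal refuses anonymous access.

Added example; the URL, marker words and heuristics below are assumptions,
not anything the article or the vendors involved published.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Words whose presence in an anonymously served page suggests report content
# rather than a login screen (constructed list, adjust to your own documents).
PHI_MARKERS = ("patient", "diagnosis", "prescription", "medical record", "dob")


@dataclass
class Observation:
    """What one unauthenticated GET returned: status, lowercase headers, body start."""
    status: int
    headers: dict = field(default_factory=dict)
    body_snippet: str = ""


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 3xx so a redirect-to-login is visible as a 3xx."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_anonymous(url: str, timeout: float = 10.0) -> Observation:
    """Issue one GET with no credentials or cookies and record the response."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers={"User-Agent": "ba-portal-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", "replace")
            return Observation(resp.status, {k.lower(): v for k, v in resp.headers.items()}, body)
    except urllib.error.HTTPError as err:  # 3xx (unfollowed), 401, 403, 404, 5xx all land here
        body = err.read(4096).decode("utf-8", "replace")
        return Observation(err.code, {k.lower(): v for k, v in err.headers.items()}, body)


def classify(obs: Observation) -> str:
    """Return 'ok' (anonymous access refused), 'exposed' (report-like content
    served without any challenge) or 'review' (unclear, needs a person)."""
    if obs.status in (401, 403):
        return "ok"
    if obs.status in (301, 302, 303, 307, 308):
        target = obs.headers.get("location", "").lower()
        # A redirect to a sign-in page is the expected behaviour for a protected portal.
        return "ok" if any(w in target for w in ("login", "signin", "sign-in", "auth")) else "review"
    if obs.status == 200:
        body = obs.body_snippet.lower()
        if "<form" in body and "password" in body:
            return "ok"  # the root serves a login form, nothing else
        if any(marker in body for marker in PHI_MARKERS):
            return "exposed"
        return "review"
    return "review"


def check_portal(url: str) -> str:
    """Fetch and classify one vendor portal URL (assumed URL, hypothetical vendor)."""
    return classify(fetch_anonymous(url))


if __name__ == "__main__":
    # Usage: python ba_portal_check.py https://transcription.example-vendor.invalid/reports/
    for portal in sys.argv[1:]:
        verdict = check_portal(portal)
        print(f"{verdict:8} {portal}")
        if verdict == "exposed":
            sys.exit(2)  # non-zero so a scheduler or pager notices
```

The classification is deliberately conservative: only a 401/403, a redirect to a sign-in page, or a page that is itself a login form counts as "ok"; a 200 with report-like words is flagged, and everything else is routed to a person. Running this on a schedule against each BA's portal gives the covered entity its own evidence that the safeguards the BAA promises are actually in place, which is the check the last paragraph calls for.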