Business Associates Account for 40 Percent of HIPAA Breaches

During the first quarter of 2013, 40% of all HIPAA breaches involving the exposure of PHI that affected more than 500 individuals were the result of the actions of business associates of HIPAA-covered entities. The problem appears to be growing: over the previous four years, BAs caused 30% of all reported HIPAA security breaches.

This fact has not been missed by the Department of Health and Human Services. New legislation has been introduced which makes business associates accountable for their actions – or lack of them – to maintain the security of Protected Health Information. Business associates and their subcontractors are now covered by the latest amendment to HIPAA: the Omnibus Rule.

Under the new rule, the Office for Civil Rights has the power to investigate business associates for HIPAA compliance issues, and BAs are expected to be included in the upcoming HIPAA audits. If the OCR discovers HIPAA compliance issues, business associates will be held accountable regardless of whether or not there has been a data breach, and fines will be issued directly by the OCR. Before the Omnibus Rule came into effect, it was the HIPAA-covered entity that would be held accountable and forced to negotiate a settlement with the OCR.

While business associates can be held liable for non-compliance issues, a HIPAA-covered entity must also fulfill its obligations to protect PHI. This extends to ensuring that the companies or individuals granted access to PHI – or who touch the data in some form – employ the necessary physical, technical and administrative safeguards to keep PHI private and confidential. The OCR can still fine healthcare organizations for HIPAA compliance issues relating to their business associates.

Safeguards demanded under HIPAA include securing the data centre, servers and computers on which the data is stored. It is essential that no unauthorized individuals can gain access to the physical devices where the data is stored.

Administrative measures must also be employed, including staff training on data security and HIPAA regulations, the implementation of data protection policies, risk assessments and auditing procedures.

Technical safeguards need to be applied to servers and networks, including the installation of firewalls, data encryption services and file integrity monitoring, and the implementation of a multi-layered security system to protect data stored on terminals, networks and mobile devices. This extends to physical and cloud hosting, which is often outsourced to IT companies.

A failure to implement the appropriate data security measures, either by a HIPAA-covered entity or by its business associates and subcontractors, can result in substantial fines. It is therefore in the best interest of any entity covered by HIPAA to perform a thorough risk analysis and to take the appropriate actions to protect the privacy of patients. They must also make sure that any business associate contracted to conduct work or provide a service also agrees to comply with HIPAA regulations and signs a document to that effect.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.