HIPAA, Fines and Your Business Associate Agreement

If you work in the health care sector, you have likely reviewed a business associate agreement and discovered that you, the covered entity, own the vendor's errors. The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) received more than 20,000 complaints in 2016 and collected settlements totaling over $20 million from covered entities, according to FierceHealthcare. That far exceeds the 2015 total of $6.5 million.

The OCR’s Final Omnibus Rule

In 2013, HHS issued the Omnibus Final Rule. This brought business associate agreements into the spotlight, since it extended the responsibility for securing protected health information (PHI), and direct liability for failing to do so, to the business associate itself. The OCR noted that many of the most significant breaches reported to HHS involved business associates.

Fast forward to 2016 and the situation remains the same. Business associate agreements are often out of step with both the regulations and the technology actually in use, and PHI is frequently compromised as a result.

Enforcing the Business Associate Agreement

The OCR has issued 12 settlements so far in 2016. One recent settlement involved a covered entity whose business associate compromised PHI. The covered entity and the business associate paid a total of $550,000, split between the OCR and a state attorney general's office.

For almost a year, between September 2014 and August 2015, a hospital granted its business associate access to PHI and permission to transmit it without obtaining the written assurances required under the Health Insurance Portability and Accountability Act (HIPAA). Furthermore, the hospital had not updated its business associate agreement to include the implementation specifications required under the regulation.

“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR director Jocelyn Samuels. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements, which include provisions for reporting.”

In a separate settlement, PHI was exposed through a poor technical implementation compounded by a lack of risk analysis and remediation. The hospital in question settled for $2,140,500 and was ordered to adopt a comprehensive corrective action plan. The hospital had failed to adequately evaluate the environmental and operational changes, and their impact on electronic PHI (ePHI), introduced by a new server it implemented in 2011. That oversight potentially compromised the PHI of 31,800 patients.

“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” Samuels said. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”

A Clear Demand for PHI

Intellectually, most health care and cybersecurity professionals understand the need to protect PHI. Yet many fail to consider the resale value of PHI on the criminal market, and therefore underestimate how deliberately it is targeted.

“If it is targeted, then that suggests a clear demand; and if there is a demand, then there must be a return on investment,” Raj Samani noted in his introduction to the McAfee report, “Health Warning: Cyberattacks Are Targeting the Health Care Industry.” He is certainly not wrong about the demand: by one widely cited estimate, medical records sell for roughly 10 times the price of credit card data on the black market.

Indeed, the report illustrated how PHI is separated from the accompanying financial records, such as credit card details, and sold separately, giving cybercriminals two streams of income from a single theft as well as an opportunity to commit fraud from multiple angles.

Preventive Medicine

The McAfee report also identified efforts by criminals targeting PHI to recruit insiders. Once an insider enters the mix, much of the security infrastructure in place becomes moot, because the controls were built to keep outsiders out, not to constrain an authorized user. Covered entities should closely examine every business associate agreement to ensure that it addresses the insider threat in terms of both technical controls (least-privilege access, logging and monitoring of PHI access) and user education.

The “2016 HIMSS Cybersecurity Survey” shone a very bright spotlight on the shortcomings of the health care sector when it comes to securing PHI. Perhaps the most glaring issue is the general lack of encryption for data at rest and in transit. As noted in the survey, “the lack of encryption means that data may be tampered in transit — thus, there is little assurance that the sender’s data has fidelity with the receiver’s data.”

Now is the time to bolster the security surrounding PHI, not only within your own infrastructure, but also deep into the infrastructure of any entity with which you share a business associate agreement. Protecting the entire chain of custody is paramount. Don't collect what you can't protect.

Christopher Burgess

CEO at Prevendra

Christopher Burgess is the CEO of Prevendra, a security, privacy and intelligence company. He is also an author, speaker and advocate for effective security strategies, be they for your company, home or family. Christopher co-authored "Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century" (Syngress, March 2008), authored the e-book "Senior Online Safety" (Prevendra, March 2014) and is the voice behind the website "Senior Online Safety." Prior to founding Prevendra, Christopher held a variety of private and public sector positions, including chief operating officer and chief security officer of Atigeo, a big data analytics company; Senior Security Advisor to the CSO of Cisco, a Fortune 100 company; and more than 30 years within the Central Intelligence Agency. The CIA awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher resides in Woodinville, WA with his family, two dogs and two horses.