HIPAA, Fines and Your Business Associate Agreement
If you work in the health care sector, you’ve likely reviewed a business associate agreement only to find that you own the vendor’s errors. The U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) received more than 20,000 complaints in 2016 and adjudicated settlements of over $20 million from covered entities, according to FierceHealthcare. This far exceeds the 2015 total of $6.5 million.
The OCR’s Final Omnibus Rule
In 2013, the OCR issued the Final Omnibus Rule. This brought business associate agreements into the spotlight, since it extended the responsibility for securing protected health information (PHI) to the business associate itself. The OCR noted that many of the most significant breaches reported to HHS involved business associates.
Fast forward to 2016 and the situation remains the same. Business associate agreements are often out of step with both the regulations and the technology in use, and PHI is frequently compromised.
Enforcing the Business Associate Agreement
The OCR has issued 12 settlements so far in 2016. A recent settlement involved a covered entity whose business associate compromised PHI. The covered entity and the business associate paid a total settlement of $550,000, split between the OCR and a state attorney general’s office.
For a period of almost a year between September 2014 and August 2015, a hospital granted its business associate access to PHI and permission to transmit it without the assurances required under the Health Insurance Portability and Accountability Act (HIPAA). Furthermore, the hospital did not update its business associate agreement with the implementation specifications required under the regulation.
“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR director Jocelyn Samuels. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements, which include provisions for reporting.”
In a separate settlement, PHI was exposed due to poor technological implementation and a lack of risk review and remediation. The hospital in question settled for $2,140,500 and was ordered to “adopt a comprehensive corrective action.” The hospital had failed to adequately evaluate the environmental and operational impact of a new server it implemented in 2011. This oversight potentially compromised the PHI of 31,800 patients.
“Entities must not only conduct a comprehensive risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI,” Samuels said. “The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information.”
A Clear Demand for PHI
Intellectually, most health care and cybersecurity professionals understand the need to protect PHI. Yet many fail to consider the resale value of PHI on the criminal market.
“If it is targeted, then that suggests a clear demand; and if there is a demand, then there must be a return on investment,” Raj Samani noted in his introduction to the McAfee report, “Health Warning: Cyberattacks Are Targeting the Health Care Industry.” He’s certainly not wrong about the demand — medical information is worth 10 times more than credit card data on the black market.
Indeed, the report illustrated how PHI is separated from financial records such as credit card details and sold separately, providing cybercriminals a dual stream of income, as well as an opportunity to commit crimes from multiple angles.
The McAfee report also identified efforts by the criminals targeting PHI to recruit insiders. Once an insider enters the mix, much of the security infrastructure in place becomes moot. Covered entities should closely examine every business associate agreement to ensure that it addresses the insider threat in terms of both technological implementation and user education.
The “2016 HIMSS Cybersecurity Survey” shone a very bright spotlight on the shortcomings of the health care sector when it comes to securing PHI. Perhaps the most glaring issue is the general lack of encryption for data at rest and in transit. As noted in the survey, “the lack of encryption means that data may be tampered in transit — thus, there is little assurance that the sender’s data has fidelity with the receiver’s data.”
Now is the time to bolster the security surrounding PHI, not only within your infrastructure, but also deep into the infrastructure of any entity with which you share a business associate agreement. Protecting the entire infrastructure is paramount. Don’t collect what you can’t protect.