IT Provider Business Associate Fined $650,000
Posted by Amy Wood on Jul 6 2016, 11:57 PM
Last week HHS fined an IT Provider $650,000 for failing to properly safeguard PHI. They did not cause the breach themselves, at least not intentionally, but their failure to properly secure the data and prevent a breach allowed the series of events that led to it.
A company-issued iPhone had 412 patient records on it. I have no idea why an IT person would have patient records on their cell phone, but the phone was not encrypted and it was stolen, which is a reportable breach.
The interesting part of this story is that the fine was steep for such a low number of records. Based on the report, this is due to the lack of compliance on the part of the Business Associate. The Omnibus Final Rule of 2013 mandates that Business Associates do many of the things that Covered Entities (doctors) do, such as a Risk Assessment, Employee Training, Policies & Procedures and Contingency Plans. Despite this law being in place for 3 years, many Business Associates, including IT providers, do not have the basics in place. Most don't even know this applies to them!
So what can you do to protect yourself?
Ask lots of uncomfortable questions. Nothing makes a non-compliant Business Associate squirm like asking if they do HIPAA training and can prove they have policies and insurance. These answers are a good indication of the risk the business poses to your practice. For IT Providers, easy questions are: Do you have Cyberliability/Data Breach Insurance? Do you provide proactive security services, or just fix problems reactively? Do you train your staff on HIPAA? Do you do a Risk Assessment, Policies & Procedures or Contingency Plans? It's OK to ask these questions; in fact, you should. They are able to interact with your patient data, after all.
Make them financially responsible. A Business Associate Agreement is required under HIPAA and is your best asset when holding your Business Associates responsible for their actions (or inaction). Many vendors will provide their own Business Associate Agreement that outlines their specific responsibilities. For example, an IT provider has a wider scope of risks and responsibilities than an email provider, and that should be outlined in the BAA. It is important to review these BAAs because many don't offer the protections you expect. Some are very simple and don't address the specific risks the BA poses to a practice, while others shift responsibility for their actions back onto you.
Be willing to walk away. There will inevitably come a point when you have to ask yourself if you are willing to accept the level of risk a vendor poses to your practice. If the answer is no, you need to be willing to find another vendor that is willing to properly secure patient information. If you are willing to accept the risk, then you must find a way to offset the risk they pose to you in other ways.
OCR is increasing scrutiny of smaller practices and Business Associates -- especially IT Providers. This fine is just the beginning.