Blame for medical data breaches often rests outside physician office

An analysis of large data breaches reported to the Dept. of Health and Human Services finds that personal health information may be most at risk when in the hands of a third-party business associate hired to perform functions that require access to patient data.

Even though the breaches occur outside a physician practice, the impact to the practice can be just as devastating as an in-house breach. Therefore, practices need to be more vigilant in assessing their contractors' ability to handle the data properly, experts say.

An analysis by Redspin, an information technology security company in Carpinteria, Calif., found that of the 538 breaches reported to the HHS from August 2009 to Jan. 17, as required under the Health Information Technology for Economic Clinical Health Act of 2009, 57% involved third-party contractors or, as they are referred to by HHS, business associates. Breaches involving business associates typically impact five times as many patient records as those at covered entities.

Dan Berger, president and CEO of Redspin, said the ways in which the records were breached by business associates were similar to what they see happening at physician practices: lost devices, loss of backup files and lack of encryption. But the difference with business associates, he said, is that the data handled by them tend to be more concentrated. They are more likely to have large data sets not split up or moved around as they would be in a health care organization. In a physician office, for example, some data are needed by schedulers and billers, and the data are separate from those used by clinicians.

Because business associates generally work only with patient data and not actual patients, they are much more removed from HIPAA than a physician practice would be, Berger said, and compliance historically has not been front and center in their minds. That is changing, however, because of the HIPAA omnibus rule that will go into effect March 26. Business associates have until September to fully comply.

Under that rule, business associates have the same level of responsibility as the practice to follow the HIPAA security rules and can be held directly and civilly liable for breaches of protected health information. But if HHS deems the business associate to be an agent of the physician practice, both organizations share the risk of fines, said attorney Christopher Bennington of Bricker & Eckler in West Chester, Ohio.

Given the risk, physician practices must ensure that their business associates are acting appropriately. The cost of not doing so could be staggering.

The Ponemon Institute published its Third Annual Benchmark Study on Patient Privacy and Data Security in December 2012 and found the price tag for dealing with breaches can range from $10,000 to $1 million, with an average cost of $2.4 million over two years. This was up from $2.2 million in 2011 and $2.1 million in 2010. These averages were based on cases reported by 80 organizations interviewed by Ponemon, some of which were stand-alone clinics and hospitals. Others were part of a health care network or integrated delivery system. Of those interviewed, 94% experienced at least one breach in the past two years.

How practices can protect their assets

Berger said he makes several recommendations to physician practices to protect them from disasters created by business associates:

Use the contract to their advantage. Berger said he always recommends that practices have adequate provisions in the contracts with business associates that detail the steps they will take to protect data. He suggests the contract have a clause that mandates a security audit.

“Contractually, covered entities should wield their power a bit and say, 'We would really like to see you, Mr. Business Associate, provide us with an independent security risk audit that you provide us on an annual basis or contract renewal basis,' ” Berger said.

The obligations set under the HITECH Act are only a floor, Bennington said, and the contracts can go above and beyond. For example, business associates have 60 days from the time they discover a breach to report it to the covered entity, but Bennington said his contracts always shorten that period.

Contracts should spell out what responsibilities the business associate will have in the event of a breach, such as costs associated with the notification of patients and credit monitoring.

Security risk assessment. Under the HIPAA security rule, practices must conduct security risk assessments. Under the omnibus rule, business associates must do the same. When contracting with business associates, practices should ask to review their security risk assessment. The law does not specify how frequently the risk assessments must occur. Bennington said the practice can determine that frequency for its business associates on a case-by-case basis, depending on the type and amount of data the business associate will have access to.

Survey all business associates. Berger said this will help practices establish talking points to better understand how associates handle patient data and how they conduct business. Sample questions include how they handle encryption; if data are ever stored on personal devices and, if so, are the devices encrypted; and if and how data are moved from one point to another.

Bennington said the practices should be aware of any subcontractors used by the business associate. Under the omnibus rule, subcontractors are bound by the same regulations.

Berger said he expects the number of breaches associated with business associates to decline during the next year, given the omnibus rule. “The course is now set that this is something that will be addressed, and we're looking forward to seeing that statistic go down over the next few years, that business associates aren't the source of so many of these issues.”