Blame for medical data breaches often rests outside physician office

Under a HIPAA rule that will go into effect in March, business associates can be held directly accountable for breaches of protected health information.

Posted March 4, 2013

An analysis of large data breaches reported to the Dept. of Health and Human Services finds that personal health information may be most at risk when in the hands of a third-party business associate hired to perform functions that require access to patient data.

Even though the breaches occur outside a physician practice, the impact to the practice can be just as devastating as an in-house breach. Therefore, practices need to be more vigilant in assessing their contractors' ability to handle the data properly, experts say.

An analysis by Redspin, an information technology security company in Carpinteria, Calif., found that of the 538 large breaches reported to HHS from August 2009 to Jan. 17, as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, 57% involved third-party contractors or, as HHS refers to them, business associates. Breaches involving business associates typically affect five times as many patient records as those at covered entities.

Dan Berger, president and CEO of Redspin, said the ways in which records were breached at business associates were similar to what his company sees at physician practices: lost devices, lost backup files and a lack of encryption. The difference, he said, is that the data held by business associates tend to be more concentrated. They are more likely to hold large data sets that are not split up or moved around as they would be inside a health care organization. In a physician office, for example, the data needed by schedulers and billers are kept separate from the data used by clinicians, so a single loss exposes a smaller slice of the whole.

Because business associates generally work only with patient data and not with actual patients, they are much more removed from HIPAA than a physician practice is, Berger said, and compliance historically has not been front and center in their minds. That is changing, however, because of the HIPAA omnibus rule, which goes into effect March 26. Business associates have until September to comply fully.

Under that rule, business associates carry the same responsibility as the practice to follow the HIPAA security rule and can be held directly liable, including for civil penalties, for breaches of protected health information. That does not take the practice off the hook: if HHS deems the business associate to be an agent of the physician practice, both organizations share the risk of fines, said attorney Christopher Bennington of Bricker & Eckler in West Chester, Ohio.

Given the risk, physician practices must ensure that their business associates are acting appropriately. The cost of not doing so could be staggering.

The Ponemon Institute published its Third Annual Benchmark Study on Patient Privacy and Data Security in December 2012 and found that the price tag for dealing with breaches ranged from $10,000 to $1 million, with an average cost of $2.4 million per organization over two years. This was up from $2.2 million in 2011 and $2.1 million in 2010. These averages were based on cases reported by the 80 organizations Ponemon surveyed, some of which were stand-alone clinics and hospitals; others were part of a health care network or integrated delivery system. Of those surveyed, 94% had experienced at least one breach in the past two years.

How practices can protect their assets

Berger said he makes several recommendations to physician practices to protect them from disasters created by business associates:

Use the contract to their advantage. Berger said he always recommends that practices include provisions in their business associate contracts that spell out the steps the associate will take to protect data. He suggests the contract include a clause that mandates a security audit.

“Contractually, covered entities should wield their power a bit and say, 'We would really like to see you, Mr. Business Associate, provide us with an independent security risk audit that you provide us on an annual basis or contract renewal basis,' ” Berger said.

The obligations set under the HITECH Act are only a floor, Bennington said, and contracts can go above and beyond them. For example, the law gives a business associate until 60 days after discovering a breach to report it to the covered entity, but Bennington said his contracts always shorten that period.

Contracts should also spell out what responsibilities the business associate will bear in the event of a breach, such as the costs of notifying patients and providing credit monitoring.

Security risk assessment. Under the HIPAA security rule, practices must conduct security risk assessments. Under the omnibus rule, business associates must do the same. When contracting with a business associate, a practice should ask to review its security risk assessment. The law does not specify how frequently the assessments must occur. Bennington said the practice can set that frequency for each business associate on a case-by-case basis, depending on the type and amount of data the associate will have access to.

Survey all business associates. Berger said a survey gives practices talking points for understanding how each associate handles patient data and conducts its business. Sample questions include how the associate handles encryption; whether data are ever stored on personal devices and, if so, whether those devices are encrypted; and whether and how data are moved from one point to another.

Bennington said practices should also be aware of any subcontractors used by a business associate. Under the omnibus rule, subcontractors that handle protected health information are bound by the same regulations as the business associate itself.

Berger said he expects the number of breaches involving business associates to decline during the next year because of the omnibus rule. “The course is now set that this is something that will be addressed, and we're looking forward to seeing that statistic go down over the next few years, that business associates aren't the source of so many of these issues.”
