Recently, thousands of medical transcripts detailing the medical histories of children and adults, as well as notes made by doctors and psychiatrists, were publicly listed on an Internet search engine. Without proper encryption, confidential and extremely personal information was exposed to anyone who wanted to access it.
GMR Transcription Services was responsible for the data breach. No hacker broke into their system; they simply failed to encrypt data as it was transferred from the client to the transcriptionists at GMR. Their normal business operations exposed patient data to anyone and everyone online. While all of this was happening, GMR proudly advertised they were a “HIPAA compliant transcription service.”
In addition to GMR’s failure to encrypt the data, however, the medical groups that had allowed GMR to upload and download their data had failed to perform due diligence and confirm that proper data security controls were in place. The responsibility for data security did not rest with GMR alone.
To address issues like this, the Department of Health and Human Services included specific requirements to protect patient health information in the 2013 Omnibus Rule. According to the Omnibus Rule, business associates that serve hospitals and clinics, including law firms, accounting firms, data storage companies, health information organizations, and any of their subcontractors, are required to comply with the HIPAA Security Rule.
The regulation is a positive step, but the final responsibility for data security rests with the hospitals and clinics generating patient information. And it may be trickier than you think.
The cloud can be an effective solution to a large organization’s storage needs because it can replace racks of onsite servers and the security risks they pose. Be sure, however, to think about all of the ramifications of cloud solutions. Of course, the provider of your cloud services is considered a business associate and must meet HIPAA requirements, but so is the company your provider may use for primary or backup storage.
With that in mind, I have five tips for ensuring the security of patient information within your organization:
1) Review Existing Business Associate Agreements.
In due diligence reviews, many hospitals and clinics find that their BA agreements are old and have not been updated to include sections on breach notification or other recent security regulations. They also find that some business associates have an unwritten policy to sign any required agreements to secure business, whether or not they can comply with the requirements. This unprofessional behavior is troubling because it renders a hospital’s efforts at due diligence worthless.
2) Conduct a BA Inventory.
After reviewing existing BA agreements, hospitals should perform an inventory to verify that they have a current relationship with each business associate and to determine the volume of data that is being shared. Hospitals should also review the methods by which data is transferred and the level of transmission security that is used. You should flag the highest risks, such as data being transferred using insecure protocols and high volumes of data. Request an SOC or ISO report from your vendors, and ensure the reports include all subcontractors. These reports provide evidence that your business associate has sufficient controls in place to protect both patient information and the hardware on which it resides.
3) Ask for Additional Information.
If a BA cannot provide an SOC or ISO report, ask for evidence that the BA has recently completed a risk assessment. Determine whether it was performed internally or by an external firm. External firms provide additional assurance that the review was proper and thorough. If your BA is unwilling to share evidence of risk assessment, request an attestation-type report or letter.
4) Follow Up When SOC or ISO Reports Don’t Apply.
Some of your business associates may not be required to produce SOC or ISO reports. For example, they might store printed documents without transferring them to electronic form. Though SOC and ISO reports may not be required, these BAs are subject to the data safeguard standards set out by the HIPAA privacy rule. Ask about the physical and access controls in place for the locations where sensitive documents reside. Most of these storage vendors have reports detailing their controls and can provide them to you upon request.
5) Understand It’s Up to You.
The onus for holding business associate organizations responsible for meeting HIPAA Security Rule requirements will likely fall on the hospitals, clinics, and medical groups that provide or share patient health information. The covered entity has to protect its reputation both with patients and in the business world. Though covered entities can’t force a business associate to comply with the HIPAA Security Rule requirements, they can stress the importance of compliance with the BAs. BAs should realize that their reputation could suffer if they don’t make the effort to comply and, if a data breach occurs, could lose business or face lawsuits from the covered entity.
How Can We Help?
HORNE can assist covered entities and their business associates in performing a risk assessment to meet the requirements of the Security Rule. We can also assist covered entities in performing due diligence reviews of their business associates. We can request and review evidence of proper security controls, or even assist in site visits if contracts include a right to inspection. HORNE can also assist in sending inquiry letters to business associates requesting that they provide evidence that an IT risk assessment has been performed.