By Doug Pollack, CIPP/US, chief strategy officer, ID Experts
This is part 3 of a 3-part series on healthcare business associates risks. The first part is Business Associates 101: Are We a Business Associate?; the second part is The Art of the Possible: Risk-Based Compliance for Business Associates.
If your business works with healthcare organizations, and if those organizations are on the ball, chances are you have already faced some questions about how you will comply with the data security provisions of the HIPAA Final Rule. Not only does the Final Rule hold HIPAA “covered entities” (CEs) responsible for the ability of their business associates (BAs) to safeguard protected health information (PHI), the Rule also holds BAs directly responsible, and the Department of Health and Human Services Office for Civil Rights (HHS OCR) is still in the early stages of performing security audits on randomly chosen BAs. In this article, I’ll look at the business reasons why you need to move swiftly to implement your security program.
With all of the new scrutiny, BAs have a lot on the line. CEs assessing their own privacy and security postures are asking hard questions about what BAs are doing to protect the PHI entrusted to them in the course of business. If a BA is found not to be in compliance, whether through the CE’s own inquiries, through an OCR audit, or as a result of a security incident or data breach, it can lose major business partners and revenue. BAs are now also held directly responsible by the government for meeting the security provisions of the Final Rule, and they can face regulatory penalties of up to $1.5 million per violation if they are found not to be in compliance. With fourteen states now permitting a cause of action by private individuals, a BA found responsible for a data breach that causes harm can also face lawsuits from consumers, and could face action from business partners who are facing suits themselves.
Compliance Awareness is on the Rise
Business associates are becoming more aware of compliance issues, but how many see themselves as prime targets for a data breach? For BAs as much as CEs, it’s not a question of if they will be breached but when, according to the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. The study’s findings indicate that 90 percent of all healthcare organizations and almost 60 percent of BAs reported having at least one data breach involving PHI in the last 24 months. (Since BAs are less likely to have formal monitoring and auditing programs, it may be that they have had more incidents than have yet been discovered.) And while cyber-attacks on BAs haven’t made headlines like Anthem, Premera, and Excellus BlueCross BlueShield, they are happening all the time: 90 percent of breaches reported by BAs involved social engineering (spear phishing), and 82 percent involved web-borne malware, a slightly higher percentage than reported by CEs. Cyber-criminals are well aware that BAs that are small or mid-size companies tend to have lower budgets for privacy and security, making them easier targets for PHI theft.
The Ponemon study found that the average cost for a BA to recover from a data breach was $1 million, yet only half of BAs believe their policies, procedures, and personnel are adequate to prevent or to quickly identify and resolve unauthorized access, loss, or theft of patient data, and less than half believe they have adequate technology or resources to meet the challenge. There’s an old saying about gambling: “Only bet what you can afford to lose.” So far, some BAs have gambled that they can delay spending on privacy and security programs and technologies. Today, given the millions of dollars in potential penalties, legal actions, lost business, and costs to clean up after a data breach, procrastinating on data security spending is a risky, high-stakes game, with the business itself potentially hanging in the balance.