Business associates: Understanding the true risks

How to keep on top of HIPAAs latest requirements.

New Health Insurance Portability and Accountability Act (HIPAA) rules put in place to safeguard patient data are putting hospitals' business associate relationships and policies front and center. The stepped-up regulations greatly expand the number of vendors that fall into the business associate (BA) category, and all agreements between hospitals and BAs must be in compliance with the new rules by September 22, 2014.

In truth, however, the rules are not the central reason hospitals should be concerned about how their BAs handle patient data. Equally important is the fact that BA data breaches are high-impact, high-probability events that can dramatically affect a hospital's reputation as a trusted provider.

Breaches are also expensive, costing an average $316 per patient record, according to the Ponemon Institute ("2014 Cost of Data Breach Study: Global Analysis"). The penalties for HIPAA violations can be steep, with fines ranging from $ 100 to $50,000 per violation. For example, New York Presbyterian Hospital and Columbia University recently agreed to a $4.8 million settlement with the U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) for a breach that caused the protected health information of 6,800 individuals to be publically accessible via Internet search engines.

Hospitals are also on the hook for costs associated with not attaining Meaningful Use Stage 1, which requires them to have strong data security policies and procedures in place to oversee BA vendors (Core Measure 15). AIS Health reports that the Centers for Medicare & Medicaid Services (CMS) is taking an all-or-nothing approach - hospitals must return their entire Meaningful Use incentive payment if an audit turns up even a minor error in a core measure ("CMS Recoups All Meaningful Use Money From Providers if Audits Turn Up Errors," Nina Youngstrom, September 9, 2013).

Tracking breaches

The OCR tracks all reported patient data breaches, both accidental and malicious. This year, for instance, more than 931 breaches involving more than 500 patients already have been posted, affecting more than 31 million patients overall. OCR does not always indicate BA involvement, so the numbers vary.

A significant percentage - around 35 percent - of BA breaches involve theft, in part because health records are attractive to identity thieves. An April 2014 report from the FBI's Cyber Division said cyber criminals regularly sell partial EHRs for $50 each on the black market, compared to $1 each for stolen social security numbers or credit card numbers. Nor are attacks on healthcare systems likely to abate. The report predicts that lax cyber-security standards, the mandatory transition to EHRs and the high financial payout for medical records will likely lead to an increase in cyber intrusions.

Hospitals earn low marks in pilot audit

The Health Information Technology for Economic and Clinical Health Act (HITECH) requires periodic audits of providers and business associates. In April 2013, OCR released the findings of its 2011 pilot audit program, which measured the efforts of 115 covered entities.

OCR found that most evaluated entities did not meet HIPAA standards for breach notification, privacy and security. It found that two-thirds failed to perform a comprehensive, accurate security risk assessment and that the most common cause of noncompliance was ignorance of the requirement.

Many experts predict that the next round of audits will focus on timely and thorough security risk assessments, effective and ongoing risk mitigation plans, breach notification procedures, encryption, training, and policies and procedures.

"What typically happens is you sign on a new vendor and get the BA agreement [BAA] signed. But then a year goes by, and they fail to keep their documentation up to date and no one realizes it," says Jane Girling, Assistant Vice President of Corporate Materials Management of CentraState Hospital in Freehold, NJ. "For us, it's been critical to tie our vendor and managed care contract requirements to the compliance piece."

Without at least partial automation of the process, getting these policies in place can be overwhelming. "The Deficit Reduction Act is being very stringently administered in New Jersey, so I had to get notices out to vendors concerning state and federal compliance laws on an annual basis, which would have been a total nightmare without a vendor management system. Now, that system is helping us with BAA audits," says Alice Guttler, Sr. Vice President & Corporate Counsel at CentraState.

Hospitals underestimate BA numbers

Correctly identifying all BAs is the biggest problem hospitals encounter as they work to comply with HIPAA Omnibus (which expands the definition of a BA vendor). Assessing a hospital's entire vendor list is a major undertaking. The majority of hospitals have 5,000 or more total vendors, and a significant number of them meet the definition of BA under Omnibus. Every unidentified BA is an unmanaged BA, adding to a hospital's degree of risk.

"Until you start the BAA audit process, you don't realize how many vendors you're actually dealing with," says Guttler. "We have about 2,500 employees and 283 beds, but we're dealing with hundreds of vendors. Initially, the Office of Civil Rights will be [playing an educational role], but they'll start assessing penalties, and that may become pretty costly."

Often, BA risk assessment and oversight is done by the compliance or legal department without coordination with supply chain/purchasing. Because purchasing agents are responsible for vendor selection, managing the relationship and contractual fulfillment, this lack of synchronization can lead to serious challenges. It's not unusual for the number of BAs identified in an initial assessment to be around 250, when the actual number obtained through a complete vendor analysis is closer to 750 or more.

Furthermore, individuals in charge of identifying BAs and overseeing their health information policies often are so laser focused on getting vendors to sign a business associate agreement that other policy omissions result. For each BA, for example, hospitals should have breach notification policies on file.

Best practices for trustee oversight and governance

Effective board oversight of BAs begins with an understanding of HIPAA Omnibus, Meaningful Use Stage 1 and the risks related to noncompliance. To ensure a hospital is taking necessary steps, trustees should ask senior managers the following:

1. How many BA vendors does the hospital have? How many have an up-to-date (compliant) BAA?

2. How often is a report on BA/BAA status distributed, and to whom?

3. Does the hospital have a single, up-to-date vendor master file, or is the data stored in multiple files?

4. What percentage of the hospital's vendors have been screened for BA risk?

5. How many patient data breaches have occurred in the last two years? What was the nature of the breaches? What steps have been taken to prevent similar breaches?

6. How many of the patient data breaches that occurred in the last two years have involved a vendor?

7. What is the status of the hospital's compliance with all the requirements needed to fulfill Core Measure 15 of Meaningful Use Stage 1?

8. Which individuals will be in charge of preparing for an OCR audit? How many days do they estimate they will need to prepare?

With these basics established, board focus should turn to investigating whether or not the organization is adequately preparing for an audit. HHS has specifically stated that covered entities must take dual responsibility for patient data protection by obtaining satisfactory assurances from each BA.

Armed with a full understanding of the challenges of breach prevention - as well as the financial and reputation-related consequences of not meeting the new HIPAA standards - board members can successfully assist senior management with proper planning and budgeting for best practices.

Every unidentified BA is an unmanaged BA, adding to a hospital's degree of risk.

Gary Johnson, Chief Marketing Officer, Vendormate