Feature: Business associates under fire as security risk
Mac McMillan, CEO of CynergisTek
“While a covered entity has all the information for the patients it cares for, a BA could have data from 100 covered entities or more. You’re talking magnitudes of data.”
This area is a big problem because, while healthcare providers in general have gotten very little attention, BAs have gotten virtually none, McMillan said. That’s partly because providers and BAs aren’t concerned about it yet. Plus, there’s confusion about what constitutes a BA.
“A lot of BAs don’t really consider themselves BAs even though they are,” he said. “Hospitals have companies that perform some third-party service for them and have protected health information (PHI) but they don’t feel that it applies to them because they’re just a hosting service or pass through.”
These companies don’t realize that the way the rule was written, once they take PHI from a covered entity, the provision of access is met. That means that whether they access the data or not, they are a BA. Just because they don’t access the data doesn’t mean they can’t, and that is what makes a company a BA.
McMillan said many covered entities have sent out security questionnaires to their BAs, particularly those who have PHI, and gotten some surprising answers. Some BAs don’t even have the rudiments of a security program. They are almost completely focused on the business service and have not considered the data or HIPAA compliance.
Several factors contribute to the problem: lack of knowledge, lack of concern for enforcement and the general cost of doing business, according to McMillan. For example, if a company has to change its network then it probably has to charge for more services so it becomes harder to keep and get clients. Another aspect of many third-party providers is that they are very small companies just getting started and therefore, are more likely to take risks, he added.
As written, the breach notification rule places responsibility on the covered entity. The BA has to notify just the source of the data, but the covered entity has to make all the required notifications of the breach, which includes notifying patients and the media. “Unless the contract is written smartly, there is nothing in the law that transfers the responsibility for cost,” said McMillan. “It’s really something the covered entity has to pay attention to with their BAs and do a better job of due diligence.”
McMillan said that he is amazed at some hospital experiences in this area. For example, a big hospital in New Jersey had a longstanding BA with access to enormous amounts of data. When the hospital asked the BA some basic security questions, the response was “we don’t have that kind of security on our network, we don’t have those policies and procedures and we can’t afford it.”
This BA was performing a very important function for the covered entity, so the hospital had to decide between continuing to use the BA as is, finding another BA, or investing in helping the BA become HIPAA compliant. The hospital decided it was in its best interest to help the BA become compliant.
“It was amazing,” said McMillan. “This is a BA doing business with multiple hospitals and nobody had ever looked under the hood. If it’s not in the contract, then they are not responsible for doing it.”
The idea that HIPAA’s applicability to BAs would, by itself, change their behavior is nonsense, he said. He has told BAs they have the same responsibilities as covered entities, and he said that nine out of 10 say they are not ready.
Three things could force change, asserted McMillan.
“The absolute, biggest, most effective pressure on BAs is the people they do business with,” said McMillan. “Hospitals must say they’re tired of having to deal with breaches and notifications and then do a better job of putting requirements for security in their contracts.” Having the right language in the contracts provides for clear cases of negligence and breach of contract.
There are lawsuits in progress that allege negligence as opposed to harm that also could force change. “Those lawsuits probably will have the biggest impact in the short run,” said McMillan. “You’ll see much bigger costs associated with that than you will with fines from the government.”
Third, government enforcement will play a role as well. However, “there is no way the government has enough resources to enforce HIPAA proactively and in a manner so dramatic that it would change behavior.” The $1.5 million maximum fine is a “game changer” for small companies but that amount won’t faze bigger companies.
“Companies follow rules because they get audited,” noted McMillan. “If they don’t, there are repercussions. In healthcare there is no active auditing of BAs. Unless the covered entity is monitoring or managing them proactively, basically they’re out there doing whatever they want. Nobody’s checking on them.
“Some companies are doing well with these requirements but unfortunately, a lot of folks are trying to manage costs,” he remarked. “Security is a cost.”
McMillan stated the Office of Civil Rights’ new audit program includes asking questions about BAs, such as: Have you done any due diligence with respect to BAs? Do you know if your BAs have a backup plan with respect to the data you’ve given them? Have they provided evidence they are backing up data or are capable of reconstituting it?
“These questions may cause covered entities to start telling BAs to meet their requirements or lose my business,” he said.