Liles Parker PLLC
(202) 298-8750 (800) 475-1906
Washington, DC | Houston, TX
San Antonio, TX | Baton Rouge, LA

We Defend Healthcare Providers Nationwide in Audits & Investigations

Be Aware of Business Associate HIPAA Breach Risk Issues.

Providers Should Guard Against a Business Associate HIPAA Breach. (August 10, 2012): As you may know, HIPAA applies to “covered entities.” Under the HITECH Act of 2009, HIPAA’s obligations were extended to the “business associates” of those covered entities. But what about subcontractors of those business associates? What happens if the improper conduct of an outside consultant results in a business associate HIPAA breach? Who is ultimately responsible? Today, with the growth of electronic communications, data storage, and other e-tools, business associates may send out a substantial share of their work to subcontractors, sometimes without the covered entity’s knowledge. The covered entity may nevertheless be liable for a breach or wrongful disclosure of protected health information (PHI) by its business associate, and for other HIPAA and HITECH compliance failures that occur downstream.

I. Business Associate HIPAA Breach Environment:

This very thing recently happened at a major hospital in Hartford, CT. The breach affected nearly 10,000 patients of the hospital and its associated hospice/home health agency, and it was caused (as you may have guessed) by the theft of a company laptop. The hospital/hospice had contracted with a quality improvement company (the business associate), which in turn sent much of its data analysis work to a subsidiary acting as its subcontractor. An employee of that subcontractor took an unencrypted company laptop home to continue working, and the laptop was later stolen from his home. The data on it included patient names, addresses, dates of birth, marital status, Social Security numbers, Medicare and/or Medicaid numbers, medical record numbers, and certain diagnosis and treatment information.

As you can imagine, this is a major HIPAA breach and a virtual goldmine for a criminal engaged in identity theft or Medicare billing fraud. Breaches like this, involving large numbers of patients and caused by improperly secured devices, are becoming more frequent every day. More often than not, they are not caused by the covered entity itself but by a business associate or its subcontractor, who may be less familiar with, or less concerned about, HIPAA’s requirements. This is why it is always important to have a Business Associate Agreement with every business associate and to obtain satisfactory assurances that the business associate will hold its subcontractors to the same standards it must follow itself. If you believe that your organization, its business associate, or a subcontractor has wrongfully disclosed PHI or suffered a PHI breach, speak with legal counsel immediately. Time is of the essence in reporting a HIPAA breach or wrongful disclosure: the notification deadline runs from the date the breach is discovered (or reasonably should have been discovered), not from the date the investigation is complete.

II. Responding to an Identified Business Associate HIPAA Breach:

So what steps did the hospital take after discovering the breach? Because the breach affected more than 500 individuals, the hospital was required to notify the affected patients, the Secretary of the Department of Health and Human Services, and prominent local media outlets. In addition, this particular hospital:

  • Offered two years of free credit monitoring to affected patients
  • Established a call center to respond to patient questions
  • Is providing information to patients on obtaining credit reports and recognizing other signs of fraud
  • Is ensuring that all PHI used by contractors is encrypted
  • Securely destroyed all data in the possession of its business associate (likely terminating the relationship)

On top of the cost of these protective measures, the hospital may face a substantial civil monetary penalty from the Office for Civil Rights (OCR); the total bill could run into millions of dollars. The cost of encrypting all PHI at rest and physically securing premises is far lower. Note too that HHS’s breach-notification guidance treats PHI encrypted in accordance with the NIST standards it references as “secured” PHI; had the stolen laptop’s drive been encrypted to that standard (and the key not compromised), the theft would most likely not have been a reportable breach at all.

III. Is Your Compliance Program Designed to Prevent a HIPAA Breach?

While breaches can occur even when an organization is actively enforcing compliance, an effective compliance plan is a powerful tool to show the government that your organization is trying to do the right thing. Penalties may still be imposed, but they may be assessed at Tier B (reasonable cause rather than willful neglect) instead of Tier C or Tier D, which could cap an organization’s liability at $100,000 a year as opposed to $1.5 million a year for Tier D. If your organization does not have a robust compliance plan, or its plan is not specific to your practice, actively updated, or actively enforced, you should consider having legal counsel assist in implementing one. This will reduce the likelihood of a HIPAA breach and may reduce the penalties if one does occur.

Robert Liles, healthcare lawyer, counsels providers on HIPAA breach notification and implementing effective compliance plans. In addition, Robert performs gap analyses and internal reviews, trains healthcare professionals on compliance issues, and represents providers in Medicaid and Medicare post-payment audits and appeals. For a free consultation, call Robert today at 1 (800) 475-1906.
