1. Healthcare providers should do the following for BA compliance:
• Screen 100% of current vendors and document process
• Categorize BAs based on risk levels
• Develop assessment and vendor management protocols for each category
• Obtain Business Associate Agreement for each BA
• Set policies and guidelines for consistency
• Oversee and manage BAs for compliance with contracts
• Implement a formal process for managing security/privacy incidents with BAs
The HIPAA Final Omnibus Rule expanded the definition and security responsibility
for Business Associates (BAs). Additional vendors are now classified as BAs:
• Data storage companies
• Health Information Organizations (HIOs)
• Subcontractors of a BA that themselves meet the BA definition
• Person or entity that creates, receives, maintains or transmits PHI
• Patient Safety Organizations (PSOs)
• Entities that offer personal health records
BUSINESS ASSOCIATES: KNOW YOUR RISK?
41% of healthcare data breaches are due to BAs.4 This is less than half of the total number of healthcare data breaches, yet they impact the most patient records5:
PERCENTAGE OF TOTAL RECORDS EXPOSED BY ENTITY TYPE (chart)
• Hospitals, academic medical centers, physicians, clearinghouses (covered entities): 38%
• BAs: 62%6
GREATER SECURITY RISK, INCREASING FREQUENCY
More vendors are touching ePHI, therefore security risk is greater. 90% of covered entities have had at least one data breach in the past two years.1 Since September 2009, the frequency of these breaches has risen to 46%.8
TOP 3 DATA BREACHES CAUSED BY BUSINESS ASSOCIATES IN 2013:
1. TEXAS: Vendor failed to destroy microfiche containing patient records. More than 277,000 records were involved.9
2. INDIANA: A program glitch caused by a vendor compromised medical and financial information for up to 187,533 clients, and Social Security numbers for almost 4,000 of them.10
3. TENNESSEE: Patient medical history was compromised when a BA stored data on a non-secure site, affecting 32,000 patients across 48 states.11
Since 2009, about 30.1M individuals have been affected by health data breaches.2
HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals.3 This “Wall of Shame” is a prominent source; you don’t want your hospital name here. To date, 1,026 breaches have been reported involving 500 or more individuals, AND more than 116,000 breaches have been reported involving 500 or fewer individuals.3
DATA BREACH SOURCES
Common ways non-compliance with HIPAA data security and privacy rules is revealed:
• OIG work plan
• CMS audit
• MU Stage 1 attestation
• OCR audit
• OCR breach investigation
SAFEGUARD YOURSELF—ACT NOW
For more information on BA management and oversight, visit https://www.vendormate.com/BA-ActNow.
REFERENCES
1. Fourth Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute, March 2014
2. http://www.ihealthbeat.org/articles/2014/8/20/about-301m-patients-affected-by-health-data-breaches-since-2009
3. http://www.ihealthbeat.org/articles/2014/6/16/one-in-10-us-residents-affected-by-large-health-data-breaches
4. 2011 Cost of a Data Breach Study: United States, Ponemon Institute, March 2012
5. Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute, December 2012
6. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
7. 2014 Cost of a Data Breach: Global Analysis, Ponemon Institute, May 2014
8. http://hr.blr.com/HR-news/Benefits-Leave/HIPAA-Health-Information-Privacy/Health-privacy-HIPAA-breach-reports-on-sharp-rise#
9. http://www.hipaasecurenow.com/index.php/another-business-associate-breach-affects-277000-patients
10. http://www.layeredtech.com/blog/top-10hipaa-data-breaches-of-2013
11. http://www.healthcarebusinesstech.com/vendor-mistake-causes-data-breach
WHAT’S THE TOTAL COST TO A PROVIDER OF A BREACH?
Average cost per breach over the past two years was approximately $2 million. (Average cost per record = $316.10)7
ASSOCIATED PENALTIES:
Minimum fines
• $100: Individual did not know
• $1,000: Reasonable cause
• $10,000: Willful neglect, if corrected in a timely manner
• $50,000: Willful neglect, not corrected
Maximum fines
• $50,000: Non-repeating infraction
• $1,500,000: Annual repeat
VENDORS: 5,000–20,000
BA VENDORS: MIN 700–1,500+*
*previously 250 vendors before the expanded definition