Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

OCR Cracking Down On Business Associate Security

Posted on May 13, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For most patients, a data breach is a data breach. While it may make a big difference to a healthcare organization whether the source of a security vulnerability was outside its direct control, most consumers aren’t as picky. Once you have to disclose to them that the data has been hacked, they aren’t likely be more forgiving if one of your business associates served as the leak.

Just as importantly, federal regulators seem to be growing increasingly frustrated that healthcare organizations aren’t doing a good job of managing business associate security. It’s little wonder, given that about 20% of the 1,542 healthcare data breaches affecting 500 more individuals reported since 2009 involve business associates. (This is probably a conservative estimate, as reports to OCR by covered entities don’t always mention the involvement of a business associate.)

To this point, the HHS Office for Civil Rights has recently issued a cyber-alert stressing the urgency of addressing these issues. The alert, which was issued by OCR earlier this month, noted that a “large percentage” of covered entities assume they will not be notified of security breaches or cyberattacks experienced by the business associates. That, folks, is pretty weak sauce.

Healthcare organizations also believe that it’s difficult to manage security incidents involving business associates, and impossible to determine whether data safeguards and security policies and procedures at the business associates are adequate. Instead, it seems, many covered entities operate on the “keeping our fingers crossed” system, providing little or no business associate security oversight.

However, that is more than unwise, given that the number of major breaches have taken place because of an oversight by business associates. For example, in 2011 information on 4.9 million individuals was exposed when unencrypted backup computer tapes are stolen from the car of a Science Applications International Corp. employee, who was transporting tapes on behalf of military health program, TRICARE.

The solution to this problem is straightforward, if complex to implement, the alert suggests. “Covered entities and business associates should consider how they will confront a breach at their business associates or subcontractors,” and make detailed plans as to how they’ll address and report on security incidents among these group, OCR suggests.

Of course, in theory business associates are required to put their own policies and procedures in place to prevent, detect, contain and correct security violations under HIPAA regs. But that will be no consolation if your data is exposed because they weren’t holding their feet to the fire.

Besides, OCR isn’t just sending out vaguely threatening emails. In March, OCR began Phase 2 of its HIPAA privacy and security audits of covered entities and business associates. These audits will “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standard interpretation specifications of the Privacy, Security, and Breach Notification Rules,” OCR said at the time.

Guest Post: HIPAA Responsibility – Whether You Want It or Not

Posted on March 21, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

John Lynn’s post “Covered Entity is Only One with Egg on Their Face” is good warning to healthcare providers: as HIPAA enforcement gains teeth, you are responsible for breaches caused by your business associates. The increase in HIPAA enforcement, penalties and current ONC audits make it clear that ignorance of adherence to HIPAA by your business associates (BA) is not a valid strategy.

In fact, the Poneman Institute Study cites 46 percent of breaches as caused by BAs, yet the covered entity (CE) is responsible for 100 percent of them from a legal prospective.

The time for inaction regarding your BAs is over. Now is the time to confront the issue head-on. The good news is that it costs less in the long run to prevent breaches than it does to pay for breaches committed by your BAs. Here’s how to get started.

It’s Time to Act

The same policies and procedures that you have implemented for yourself are applicable to your BAs. Of course, since the BAs do not report through your organization, the best way to assume compliance is through your contracting process.

It is not enough to just put it in the contract. In the old “trust but verify” school of management, your contract must also contain avenues of verification. That can include surveys, reports, audits, policy and procedure manuals, etc. This due diligence at contracting time pays off in many ways when ONC auditors knock on your door.

The due diligence must be a continual process, not just “once and done”. The laws are changing and Health and Human Services (HHS)’s Office of Civil Rights (OCR) is implementing new risk audits in 2012 to test your readiness. New breach notification and accounting of disclosure rules are imminent and will further tighten the laws. Also, many institutions focus on the Privacy Rules, while paying less attention to the Security Rules. The privacy rules focus on the “what,” while the security rules focus on the “how” of compliance.

To protect yourself, you should be doing self assessments using both internal and external auditors. Anything you do for yourself should be considered for your business associates.

Simple Encryption Goes a Long Way

Most accidental large-scale breaches are caused by lost or stolen electronic devices. The small one or two patient breaches are much less of a publicity problem but still require a risk assessment. The small breaches are going to happen; it is inevitable. The large breaches carry a higher degree of severity.

To prevent large breaches, it is essential that BAs which use electronics have the same tight policies and procedures in place that you do (or should). They can go beyond the HIPAA-mandated policies. One practice that should be implemented is encryption.

Remember, a lost electronic device that contains encrypted data is not considered a reportable breach. Encryption is a logical first step that, while not yet HIPAA mandated, will save considerable pain and expense over time. Notice it is only a first step. There are other security technologies available that will call a central location to pinpoint a device’s location. Further, they can wipe themselves clean if not accessed properly or in a given timeframe.

Paper Breaches Also a Concern

And providers shouldn’t lose sight of paper medical records and how BAs are using them. In fact, many breaches to date have involved paper. Understand how your BAs use paper records and patient information. Is it going off site? If so, there should be established policies and procedures.

Any access to paper records and appropriate destruction of those records must be HIPAA compliant. Locked bins for disposal and state-of-the-art shredders are a must at the provider’s site and the BA’s office. Do not let paper records lay around on desks and make sure all personnel are trained in the handling of paper records.

Training and Education for All

Training and educating are the foundation of any compliance program. BAs should have an in-depth training and education program that is as robust as that of the covered entity. Best practices make training an ongoing, living process with regular updates and mandatory attendance at classes.

Making the effort to fend off unauthorized disclosures will go a long way toward mitigating risk. Staying in front of the threat curve is difficult but not impossible. Remember to apply lessons learned to your BAs so you aren’t the only one with egg on your face!

Covered Entity Is the Only One with “Egg on their Face”

Posted on February 28, 2012 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

When I first started writing this blog about six years ago, I named it EMR and HIPAA. I was working to implement an EMR at that time (this was well before EHR became in vogue) and I knew that HIPAA was a major talking point in healthcare.

Over time I’ve learned that doctors care enough about HIPAA to make sure that they don’t hear about it again. Up until now, that’s worked pretty well for most doctors. There haven’t been many HIPAA lawsuits and the government has mostly only investigated reported incidents.

We started to see a shift in this with the passing of the HITECH act which many described as giving “teeth” to HIPAA. I think we’re just now starting to see some of those teeth coming to bear with things like the OCR audits that 150 HIPAA covered entities will experience this year. That’s still a pretty small number, but the experience of those 150 is teaching us and the government a lot about areas where healthcare institutions have done a good job with privacy and security and where they likely are weak.

While at HIMSS I had the pleasure to have a brief conversation with CynergisTek CEO and chair of the HIMSS Privacy and Security Policy Task Force, Mac McMillan. I love talking with people like Mac since he is an absolute domain expert in the areas of privacy and security in healthcare. You just start him talking and from memory he’s pouring out his knowledge about these important and often overlooked topics. I loved what he had to say so much that I asked him if he’d do a series of blog posts on the OCR audits which I could publish on EMR and HIPAA. He said he was interested and so I hope we’re able to make it happen.

One simple thing that Mac McMillan taught me in our admittedly brief conversation was the changing role of the business associate in healthcare. In the past, most covered entities kind of hid behind their business associates. Many did little to verify or keep track of the policies and procedures employed by their business associates. With the new HITECH rules for disclosure of breaches and the OCR audits, covered entities are going to have to keep a much better eye on their business associates.

Mac then pointed out to me that the reason covered entities have to take on more responsibility is that they’re the ones that are going to be held responsible and take the blunt of the problem if their business associate has a privacy or security issue. I see it as the Covered Entity will be the one with Egg on their Face.

I don’t think we have to take this to an extreme. However, there’s little doubt that covered entities could do a much better job evaluating the privacy and security of their business associates and hold them to a much higher standard. If they aren’t, I wouldn’t want to be there for the OCR audit with them.

Guest Post: Small Breaches Still Reportable – Current State of HIPAA Breach Notification

Posted on November 3, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules. Here’s a link to read all of the HIPAA Breach Notification Rules guest posts.

In the world of release of information (ROI), we see the breach of one or two records much more frequently than the massive, over-500 events. Smaller, one- or two-record breaches do not require immediate notification to HHS. The HITECH Act says they should be aggregated and sent to HHS at the end of each year. In 2010, the agency received more than 25,000 reports of smaller breaches affecting more than 50,000 individuals. The complete Annual Report to Congress (PDF) from HHS for 2009 and 2010 is available online.

The most common, inadvertent breaches within the ROI process involve sending the wrong record to the wrong person or third party. It is usually human error that produces these breaches. For example, the CE gets a written request from an insurance company, attorney or patient for medical record #12345. Someone pulls the wrong medical record either paper-based or electronic, say medical record #12344 and sends it. The result—a breach!

Training, education, skilled staff and solid procedures are the best approach to minimizing human error-based breaches, but they are inevitable. If and when it happens, the CE must evaluate sending a notification to the patient.

Another observation about breaches is that reactions to them seem to be very polarizing. Sometimes we see “breach fatigue” by patients. They hear so much about breaches that any leakage of their information is considered “no big deal” and simply a reality of modern, high-tech times. “After all, who really cares about the appendectomy I had ten years ago?” The opposite pole is that some patients become very upset and exhibit a sense of great concern.

Ultimately, the balance between a patient’s right of confidentiality and the provider’s needs for workflow consistency will continue to evolve. In the meantime, until a final breach notification rule is released, every CE must determine for itself how patient notices are analyzed and handled.

Guest Post: Over-Notifying Also Carries Risk – Current State of Breach Notification

Posted on October 13, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

Some hospitals feel that, since the risk analysis only produces subjective results, why bother? They believe that the effort and expense incurred derives no real benefit for CE or patient, and they just notify the potentially affected patient in every instance.

In my opinion, notifying the patient for each breach is a little risky in itself. Patients often have no context in which to view a breach.

For example, losing a flash drive containing unencrypted PHI on 1,000 patients entails obvious risks – the risk of someone finding and misuing the information, for example. The law rightfully requires patient notification in such cases. However, if a patient’s record is inadvertently mailed to a house number that does not exist (perhaps due to a typo which transposed two digits), chances are good that the post office will either return the records to the sender or else the package will go undelivered.

If the records are not accounted for, it is generally accepted that it should be considered a breach; however, telling the patient this may raise an alarm about something that probably will not happen. A thorough risk analysis, although subjective, might conclude that such a breach did NOT have a “substantial risk of reputational or financial harm” to the patient. This was apparently HHS’s thinking when it required the risk analysis to be conducted.

In next week’s post, we’ll cover the possible changes to the breach notification rules.

Guest Post: Current State of HIPAA Breach Notification – Notify Patients…or Not?

Posted on I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


Guest Blogger: Jan McDavid is General Counsel and Compliance Officer at HealthPort, a Release of Information and Audit Management Technology company. You can read more of Jan’s posts on the HealthPort blog.

The following is a 4 part series of blog posts on the HIPAA Breach Notification Rules.

Eight thousand providers. One question. When do we notify patients of a breach? I hear this question several times a week from all types of covered entities; hospitals, clinics and physician offices. Many are confused or misinformed about the answer. Furthermore, real world experience varies dramatically. Some providers notify everyone. Others notify only when necessary. What’s the answer?

First and foremost, you do not have to notify the patient each and every time there is a breach of protected health information (PHI). The law requires notification only if you meet one of two conditions:
1) When 500 or more records have been breached at the same time, you must notify the patients involved, OR
2) When you as the covered entity (CE) have conducted the required “risk analysis” and determined the patient (or patients) could suffer substantial financial or reputational harm.

The issue with the second requirement is the term “substantial”. It is very subjective and not fully defined within the rules. Conducting a risk analysis and determining the extent would appear to be a classic case of the fox guarding the hen house. As such, many observers expected hospitals NOT to notify, or perhaps under-notify, as the cost of a breach can be very high — both direct costs and the soft cost of reputational harm to the CE. However, we see providers taking a “better safe than sorry” approach and over-notifying.

In next week’s post, we’ll cover the risks of over-notifying after a breach.