According to security research firm Ponemon Institute, nearly 90 percent of healthcare providers have been hit by data breaches in the last two years, with many criminally driven attacks publicized in 2015. With the advent of electronic health record systems and the growing role of analytics in healthcare, the volume of patient data handled by vendors of healthcare organizations has increased tremendously. This porous flow of patient data through vendors and contractors has resulted in the exposure of nearly 33 million individuals’ medical records since 2009.
According to a recent announcement, in the second round of HIPAA audits by HHS’ Office for Civil Rights, the contractors, also called business associates (BAs), will be included as primary audit targets. David Muntz, former principal deputy director of the Office of the National Coordinator on Health Information Technology at HHS, recently said, “There are so many people who are doing innovations and startups and want to get into healthcare and are unaware of the rules and regulations.” Muntz believes this will “keep people out who are insincere about becoming HIPAA-compliant.”
Healthcare organizations have employed as many as a thousand business associates, and by including the BAs, the civil rights office is simply catching up with the privacy and security HIPAA rules it issued three years ago. This announcement will result in enforcement of these more stringent rules, giving healthcare organizations more leverage to obtain stronger agreements with their contractors.
Michael Overly, a partner at Foley & Lardner who specializes in cybersecurity law, said, “It will force greater visibility into what’s going on—and greater accountability. In many instances, covered entities don’t have the right to go in and audit what a business associate is doing,” particularly some of the biggest cloud vendors, which severely restrict access to their data centers.
According to the OCR’s “wall of shame” website, out of 1,472 major healthcare data breaches, 309 involved a business associate; those breaches exposed 32.8 million individuals’ records.
The new HIPAA privacy and security rules put BAs on an equal footing with HIPAA covered entities, which means vendors that violate the rules are also subject to civil monetary penalties of up to $1.5 million a year.