
Feature Story

What to Do When HIPAA Breaches Happen to Business Associates

By Christopher Kelly

Health information is sensitive, and patients expect it to be kept confidential. The law, specifically the Health Insurance Portability and Accountability Act (“HIPAA”) and many similar state laws, requires it as well. The HIPAA rules can get a bit complex, but they boil down to the need to keep patient health information away from prying eyes. If you have safeguards in place, train your staff, and store patient data where it cannot be accessed by anyone who does not need to view it, then you can accomplish that goal. But sometimes your data is outside of your control, and you cannot implement the safeguards and training as you would inside your organization. This happens more often than you might think, primarily through your business partners such as software vendors and billing companies. These companies may need access to your data and are allowed to have that access as long as you have a Business Associate Agreement (or “BAA”) with them; however, you are still legally responsible for your health information even while it is in their hands.

The Threat of a Breach is Real

Once upon a time, the idea of a breach of health information in EMS was limited to a hospital face sheet falling off a stretcher on the way to the ambulance, or maybe a crew member talking about a patient to someone to whom they should not disclose information. Those are still concerns, but they are not the main threat facing the EMS industry today. As cyber criminals continue to focus on accessing healthcare records, which contain an abundance of valuable information, the chance of a breach occurring at your agency increases every year. Recently we have seen breaches of patient information that have affected EMS agencies as well as their billing companies and software vendors. These breaches were not caused by negligence or intentional misconduct on the part of these companies or their employees but were the result of cyber attacks on their data. Examples include an EMS agency that was subjected to a class action lawsuit filed on behalf of over 600,000 patients whose records were accessed by a hacker; a billing company that received patient information from its ambulance service customers via an application that was the victim of a cyber attack which successfully accessed hundreds of thousands of patient records; and a software company that provides electronic patient care reporting to EMS agencies across the country.

A breach of health information is possible for any EMS agency, either directly or through one of our many vendors, even with the best efforts to prevent it. A breach can also have tremendous financial consequences; however, there are things you can do to help limit the impact.

Getting Your HIPAA House in Order

Before a breach ever occurs, you should make sure that you have a BAA with all vendors who create, move, store, or access your data. It may take some time and effort to analyze your entire organization and how it handles patient information in order to identify all of these third parties; however, this process should already be a part of your ongoing “risk analysis,” which is required by HIPAA. If you do not have an up-to-date risk analysis, accompanied by HIPAA Privacy and Security policies, training, and safeguard measures, then you must start there. In the event of a breach, the Office for Civil Rights (“OCR”), which investigates HIPAA complaints and compliance, will first ask you for your risk analysis and current policies; if you do not have those, you may be facing a fine even if the underlying breach does not turn out to be significant. Once you have completed a thorough and current risk analysis, you should have a comprehensive list of the vendors with which you should have a BAA in place. Now double-check and make sure that you do!

You should also make sure that your BAA has a provision that discusses what happens in the event of a breach. Too many of us attach a BAA to an agreement with our vendors, or worse yet expect them to attach one for us, the origin of which no one in the organization knows and the details of which no one has read in the last ten years. Before you sign a new agreement, or renew a current one, take some time to review the language of your BAA. Your agreement should have provisions that discuss what happens in the event any vendor with whom you share protected health information experiences a breach. These should include duties to prevent breaches, investigate potential breaches, mitigate loss in the event of a breach, and give timely notice to your agency in the event of an actual breach. The agreement may also outline who is responsible for the reporting requirements and the associated costs or penalties caused by the breach. These costs can be significant, so it may be worthwhile to get into details in your agreement, including which party will be responsible for the costs of creating written notices to patients, postage, newspaper publication, credit monitoring, OCR fines, state fines, and individual patient damages.

Proactive Responses to a Breach

After a breach occurs and it comes to your attention, even if you have not yet formally received notice of the breach from a vendor, you should take action. Take affected systems offline until you can determine what happened and whether it is safe to operate again. Conduct data analysis to determine what has been accessed, whether it has been taken or encrypted in place, and whether there is anything you can do to mitigate the loss of data, such as remotely wiping data on a portable device. Taking steps to limit the impact of a breach will be appreciated by the OCR and any affected patients.

Cybercriminals are getting more clever with the tactics they use to gain access to your information. Data breaches in the healthcare industry occur daily, and they can be extremely difficult to prevent entirely. Take some time to review your current policies and practices, educate your staff on the vulnerabilities of your agency, update your security measures, and make a plan to react to any potential breach so that you can mitigate the damage. Taking those steps is your best defense in the war against data theft and data held for ransom.

Christopher Kelly is General Counsel for Amerimed Medical Solutions and the Managing Attorney at Mobile Healthcare Law, LLC, a law firm dedicated to providers of EMS, ambulance, mobile integrated healthcare (“MIH”), non-emergency medical transportation (“NEMT”), telehealth, and the software and billing companies that support these industries. This article is not intended as legal advice. For more information or assistance, he can be reached at (404) 934-8999 or by email at ckelly@mobilehealthcarelaw.com.

© 2024 HMP Global. All Rights Reserved.
Any views and opinions expressed are those of the author(s) and/or participants and do not necessarily reflect the views, policy, or position of EMS World or HMP Global, their employees, and affiliates.
