Healthcare’s Gamble with Business Associate Breach Risks

Blog Post by Jay Stewart, Vice President of Sales at CORL Technologies

Security breaches from third-party Business Associates and related regulatory penalties are piling up for healthcare entities this year. In a joint presentation with CORL in June 2020 [1], the US Office for Civil Rights (OCR) reported that a top source of civil monetary penalties for Covered Entities in 2019 was inadequate management and compliance for third-party Business Associates.

Despite the mounting financial penalties and breach costs resulting from third-party breaches, too many healthcare entities continue to gamble with underinvestment in their third-party vendor risk and compliance programs.

This blog summarizes some of the more prominent breaches and regulatory enforcement activities for healthcare entities related to third-party Business Associates.

Recent Healthcare Breaches Involving Third-Party Vendors
Community Health Systems (CHS)
  • CHS operates over 200 hospitals and experienced a breach of PHI and other sensitive information in 2014
  • Hackers accessed systems from CHS's Business Associate organization CHSPSC
  • The Business Associate, CHCPSC, agreed to a settlement with OCR for $2.3m for HIPAA compliance failures in September 2020
  • CHS was required to pay $5m in October 2020 to settle a multi-state lawsuit with 28 states related to the breach and HIPAA compliance failures for the Covered Entity
  • CHS was also required to implement corrective actions including new policies and procedures for Business Associate compliance, awareness training for the workforce, and incident response planning
Babylon Health Telehealth Application
  • A software error in a third-party telehealth app allowed unauthorized access to patient information
  • A patient was able to access the "consultation replays" of 50 other patient encounters
  • Babylon reacted quickly to make configuration changes
Hova Health
  • The telemedicine vendor made a configuration error that allowed their patient database to be accessible on the general Internet without a password
  • The breach exposed over 2.4 million patient records
  • The database contained patient names, personal ID codes for Mexican citizens and residents, insurance policy numbers and expiration dates, dates of birth, and addresses
MedEvolve Practice Management Software
  • 205,000 patient records were left exposed on a misconfigured FTP server
  • The FTP server was exposed to the Internet without password protections for two providers: Pennsylvania-based Premier Urgent Care and Texas-based dermatologist Beverly Held, MD.

This is by no means an exhaustive list of third-party breaches for healthcare, but these examples represent a consistent trend that is likely to continue for years to come if left unchecked.

Recent OCR Settlements Citing Business Associate Management Gaps
  • Athens Orthopedic Clinic ($1.5m) - OCR cited the organization’s failure to secure business associate agreements with multiple Business Associates
  • Touchstone Medical Imaging ($3m) - OCR issued a resolution agreement with a requirement to revise and implement all policies and procedures for handling and maintaining Business Associate compliance and related agreements (BAAs)
  • West Georgia Ambulance ($65k) - OCR cited a lack of policies and procedures implemented to cover third party Business Associates
  • Bay Front Health ($85k) - citied with a lack of training and acknowledgement for the organization’s Business Associates and inadequate reporting of Business Associates who violate related policies and procedures
  • Dr Steven Porter ($100k) - fined in part for lacking executed Business Associate Agreements
OCR Guidance for Business Associate Compliance

OCR provided the following findings, guidance, and recommendations in their June 2020 joint presentation with CORL:

  • OCR issued guidance in 2019 on the direct liability of Business Associates [2]. Business Associates must comply with the HIPAA Security Rule, must provide breach notification to Covered Entities and other Business Associates, and must cooperate with investigations from HHS and OCR
  • Security risk analysis activities by Covered Entities are too often lacking and not inclusive of third-party platforms and systems
  • Some Business Associates have taken a position that if they refuse to sign a Business Associate Agreement (BAA) then they are not liable for HIPAA Security Rule compliance mandates. OCR reiterated that the law specifies that organizations acting as Business Associates are in scope for HIPAA regardless of whether or not a formal BAA was executed
  • Breach reporting is taking longer, and rules are not being interpreted correctly by Covered Entities. For example, OCR indicated that you can’t wait for a full forensics investigation with your Business Associate or internal breach event in order to start the 60 day counter for notification. The 60-day mark starts as soon as you are aware of a potential breach. You must notify OCR “without reasonable delay”; 60 days is the maximum, and you should not wait that long every time out

It remains to be seen if healthcare entities will continue to underinvest in third-party Business Associate compliance and risk management programs. The trend is clear, however, that taking such a position may introduce a high-stakes gamble that could cost organizations more than they bargained for.

Contact our team here at CORL to learn more about our related support, including Business Associate Inventory & Compliance Management and Vendor Risk Management services.

Most Recent Posts
Keep Up with CORL: Vendor Breach Digest, 1/17/22 Read More
Urgent Vendor Risk Alert: Log4j Java/Apache Logging Vulnerability Read More
Keep Up with CORL: Vendor Breach Digest, 12/9/21 Read More