Business associates beware

© onephoto - stock.adobe.com

Ever since January 25, 2013 when the HIPAA Final Omnibus Rule was published (78 Fed. Reg. 5566), there has been no room for doubt that business associates are not only required to meet the same standards as covered entities, especially in relation to the Security Rule’s technical, administrative, and physical safeguards – they can also be subject to enforcement actions and penalties for failing to protect the privacy and security of health information.

Although not the first U.S. Department of Health and Human Services – Office for Civil Rights’ (HHS-OCR) enforcement action involving a business associate, the May 16, 2023 settlement of $350,000 for unlawful disclosures of protected health information (PHI) on an unsecured server. The key items from HHS-OCR’s press release are as follows:

• Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement of potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Rules with MedEvolve, Inc., a business associate that provides practice management, revenue cycle management, and practice analytics software services to covered health care entities.
• The settlement concludes OCR’s investigation of a data breach, where a server containing the protected health information of 230,572 individuals was left unsecure and accessible on the internet.
• In July 2018, OCR initiated an investigation of MedEvolve following the receipt of a breach notification report stating that an FTP server containing electronic protected health information was openly accessible to the internet. The information included patient names, billing addresses, telephone numbers, primary health insurer and doctor's office account numbers, and in some cases Social Security numbers. OCR investigates every report we receive of breaches of unsecured protected health information affecting 500 or more people. Hacking/IT incidents was the most frequent (79%) type of large breach that was reported to OCR in 2022. Network servers are the largest category by location for breaches involving 500 or more individuals.
• The potential HIPAA violations in this case include the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, and the failure to enter into a business associate agreement with a subcontractor. (emphasis added).

As I have been telling my own clients for years, as well as audiences to whom I present on a regular basis, there are five (5) areas that HHS-OCR has continuously highlighted as being “low hanging fruit.” In order to be the subject of a potential breach and adverse government agency investigation and/or law suit, it is imperative that organizations do the following:

1. Conduct an annual risk analysis and correct the gaps that are identified
2. Maintain records that all workforce members undergo HIPAA training at least annually
3. Create and update comprehensive policies and procedures
4. Encrypt data both at rest and in transit
5. Ensure that business associate agreements are executed and logged.

Had Evolve cultivated a culture of compliance, it could have potentially avoided a fine all together or mitigated it under HR 7898, which was signed into law on Jan. 5, 2021 and amended the HITECH Act.

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.