Without vendor risk management, suppliers are one of the most loosely managed assets in healthcare
Today, an increasing number of HIPAA violations and data breaches make their way into healthcare organizations through the open doors presented by their business associates. This is because a hospital’s network of third-party suppliers is one of the most loosely managed assets in any healthcare organization. CISOs, CSOs, and other security executives are too often focused on higher-profile priorities and don’t fully appreciate the importance of vendor risk management to their own security and compliance.
Healthcare Leads in U.S. Data Breaches
For more than a decade, the healthcare industry has topped all other industries in experiencing the greatest number of data breaches in the U.S. each year. Here are a few disturbing facts.
- Healthcare data breaches due to employee, contractor, or other insider negligence occur twice as often as malicious breaches.
- 95% of identity theft results from stolen healthcare data. That’s 25 times higher than identity theft resulting from stolen credit card data, to put it in perspective.
- According to IBM’s annual Cost of a Data Breach Report, in 2022 the average cost of a healthcare data breach exceeded $10 million, up from $9.2 million in 2021.
- Healthcare organizations have a longer breach cycle than any other industry, requiring nearly 11 months to discover and contain a data breach.
- In spite of this abysmal record, the healthcare industry invests less than 6% of its annual budget in cybersecurity, according to Healthcare IT News.
HIPAA Violations and Data Breaches Involving Business Associates
Using third-party vendors is risky, especially if you lack a proper, documented business associate agreement with each one or have a weak vendor risk management program. Too many business associates have substandard cybersecurity, and too many security programs lack structure and organization. The resulting data breaches and HIPAA violations can be disastrous for patients and other individuals as well as for covered entities and business associates, especially when the HHS Office for Civil Rights (OCR) gets involved. Following are just a few of the consequences.
- A ransomware attack on a printing and mailing vendor, OneTouchPoint, affected more than 30 health plans and 4.1 million individuals in 2022. In the same year, a provider of pediatric EMR and practice management software, Connexin Software, experienced a network hack and theft of data that affected more than 100 practices and 2.2 million patients. The scale of impact made headlines far beyond the healthcare industry.
- In a HIPAA Privacy Rule violation, Raleigh Orthopaedic Clinic, P.A. of North Carolina made the mistake of transferring the PHI of more than 17,000 patients to a potential business partner without executing a business associate agreement. Covered entities cannot disclose PHI to unauthorized persons, and the absence of a BAA left this sensitive health information unprotected and vulnerable to misuse or improper disclosure, according to the OCR. The settlement imposed a financial penalty of $750,000 and a corrective action plan with five separate requirements. As is often the case, missing or outdated policies and procedures were emphasized.
- Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) serves six skilled nursing facilities, providing management and IT services as their business associate. The theft of a CHCS mobile device compromised an extensive digital collection of protected health information (PHI) for 412 nursing home residents. The settlement with OCR required a monetary payment of $650,000, along with a corrective action plan mandating an enterprise-wide risk analysis and corresponding risk management plan, as per the HIPAA Security Rule.
As an aid to covered entities and their business associates, HHS offers model business associate agreement language on its website at no charge.
How the OCR Learns of Breaches and Violations
HIPAA violations and breaches can be communicated to the HHS OCR in several ways.
- Healthcare organizations are required by the HIPAA Breach Notification Rule to inform HHS OCR of any potential security breach or exposure of data that may affect more than 500 individuals.
- Patients, employees, and other individuals may submit complaints about potential violations directly through the portal provided on the OCR website.
- The OCR conducts random audits throughout the year for the purpose of validating HIPAA compliance.
In rare cases, the OCR may learn of a breach through the media, which is never a desirable communications source for such information.
Regulatory Requirements for Business Associates are Clear, Specific, and Mandatory
In 2009, the HITECH Act made business associates of covered entities directly liable for compliance with certain requirements of the HIPAA Rules. In 2013, the final Omnibus Rule identified specific provisions of the HIPAA Rules that apply to business associates and for which business associates are directly liable. Both initiatives give the OCR authority to take enforcement action against business associates for violating these HIPAA requirements.
Business associates are directly liable for HIPAA violations as follows:
- Failure to provide HHS with records and compliance reports, to cooperate with complaint investigations and compliance reviews, or to permit access by HHS to information, including protected health information (PHI), pertinent in determining compliance.
- Taking any retaliatory action against an individual or other person for filing a HIPAA complaint, participating in an investigation or other enforcement process, or opposing an act or practice that is unlawful under the HIPAA Rules.
- Failure to comply with the requirements of the Security Rule.
- Failure to provide breach notification to a covered entity or another business associate.
- Impermissible uses and disclosures of PHI.
- Failure to disclose a copy of electronic PHI (ePHI) to either (1) the covered entity or (2) the individual or the individual’s designee (whichever is specified in the business associate agreement) to satisfy a covered entity's obligations under 45 CFR 164.524(c)(2)(ii) and 3(ii) with respect to an individual’s request for an electronic copy of PHI.
- Failure to make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
- Failure, in certain circumstances, to provide an accounting of disclosures.
- Failure to enter into Business Associate Agreements with subcontractors who create or receive PHI on their behalf, and failure to comply with the implementation specifications for such agreements.
- Failure to take reasonable steps to address a material breach or violation of the subcontractor’s BAA.
As just one example, let’s say that a business associate has an agreement with a covered entity that requires the business associate to provide an individual with an electronic copy of his or her ePHI upon the individual’s request. If the business associate fails to do so, the OCR has enforcement authority directly over the business associate for that failure.
The HHS OCR is serious about enforcing compliance among business associates, has the authority to do so, and has been actively doing so for more than a decade.
The Importance of Vendor Risk Assessments
Many hospitals have thousands of business associates. Even small practices outsource some of their services to several business associates. Billing, practice management, patient intake, data processing, data storage, and countless other necessary activities find their way to third-party vendors. HIPAA requires that a business associate agreement be executed for every vendor. Among the many provisions that should be included in your BAAs is the ability to audit your vendors to ensure they are properly safeguarding your data.
Before executing any detailed business associate agreements, conducting a vendor risk assessment of each is strongly recommended. The primary objective of vendor risk management in the healthcare industry is to enable covered entities to reduce the risk from third parties in order to ensure more effective protection of patient data as required by HIPAA Security and Privacy Rules.
A vendor risk assessment is a high-level evaluation consisting of approximately 30 targeted questions. An experienced security consultant can efficiently conduct assessments and assign a risk rating to each vendor, enabling you, for example, to prioritize vendors and determine which are acceptable.
The bottom line is that you are ultimately responsible for protecting your patients’ PHI and ePHI, and that includes actively managing your business associates. Learn more about vendor risk management from our webinar on Hospital Cybersecurity.
Summary
Today, an increasing number of cyberthreats make their way into healthcare organizations through their business associates. A hospital’s network of third-party suppliers is one of the most loosely managed assets in any healthcare organization, and security levels differ substantially from one vendor to another.
Outsourcing work to third-party vendors is inherently risky, but even more so if you haven’t conducted vendor risk assessments before executing detailed business associate agreements. In the same way that your organization is required to conduct regular risk assessments for security and compliance, it is equally important to understand your vendors’ security and compliance postures.
The HITECH Act made business associates directly liable for HIPAA compliance and the Omnibus Rule identified the specific HIPAA requirements. They also gave the OCR authority to take enforcement action against business associates for violating the requirements. HIPAA violations on vendor premises, or resulting from vendor actions or inactions, are actively investigated by the OCR, which also collects financial penalties and imposes corrective action plans. Enforcement of business associate compliance appears to be accelerating in response to ongoing data breaches across the healthcare landscape.