One hacking incident at a vendor under contract with multiple healthcare providers can mushroom fast. By May 5, 2021, when Capture Rx, a San Antonio company and HIPAA business associate, notified the Office for Civil Rights (OCR) about a February data breach, the number of affected individuals had soared to 1,656,569.
Capture Rx is a Texas-based information technology company that helps numerous healthcare providers across the country manage prescription drug costs. Among its customers are Gifford Health Care of Randolph in Vermont, Mohawk Valley Health System affiliate Faxton St. Luke’s Healthcare in New York, UPMC Cole and UPMC Wellsboro in Pennsylvania, Thrifty Drug Stores (Thrift White), and many others.
On May 5, CaptureRx issued a statement that it began investigating its IT systems after someone noticed “unusual activity involving certain of its electronic files” on February 6. By February 19, the company had confirmed that patient files, including names, dates of birth, prescription information and medical record numbers, had been accessed and stolen. Each of these is an identifier of protected health information (PHI) under HIPAA.
From March 30 to April 7, the company began notifying the healthcare provider customers whose data had been breached and worked with them to contact the individuals whose PHI had been stolen. Early reports showed “thousands” of individuals were affected, but the number quickly escalated.
As a Business Associate, Understand and Follow HIPAA
Although business associates usually don’t interact directly with patients, their work is essential to healthcare services. They are required to comply with HIPAA and are separately liable for compliance. Every business associate should conduct a Risk Analysis, carry out Risk Management, and enter into a business associate agreement with each covered entity customer.
Know Your Business Associates
Two of the largest breaches in the past two years have occurred at business associates. The AMCA breach in 2019 and the Blackbaud breach in 2020 both affected millions of individuals who had entrusted their protected health information to their healthcare providers.
As a covered entity, it’s critical to do your due diligence on every business associate engaged to help you provide healthcare services. It is not a guarantee, but it goes a long way toward ensuring HIPAA compliance, which includes working through a Security Rule Checklist to meet all requirements of the HIPAA Security Rule.
HIPAA Compliance is the Best Defense
HIPAA compliance is a blueprint for protection against cybercrime. HIPAA Risk Analysis and Risk Management require a detailed look at your security practices and defenses. Are there daily remote backups? Is malware and adware protection in place? Do you install updates and patches? Is the workforce trained to recognize phishing and other cybercrime tactics, and are there access controls to limit who may see certain data? Risk Management also requires a contingency plan in the event a hacker gets through – if the worst happens, what are your next steps?
If you have questions, ask The HIPAA E-Tool®.