When you think of HIPAA privacy, is an accounts receivable management firm the first thing you think of? Is it even the second or third thing? Probably not. Most of us focus on doctors, dentists, hospitals and health plans, all of which are covered entities and required to comply with HIPAA. But business associates that support covered entities routinely handle far more patient data and are also required to follow HIPAA.
A massive health data breach at business associate Professional Finance Company, Inc. (PFC) was recently reported to the Office for Civil Rights, the agency that enforces HIPAA. PFC is a debt collection agency, just one category of business associates routinely employed by healthcare providers.
So far it appears the data breach affects more than 650 healthcare providers and an unknown but potentially enormous number of patients. The investigation is ongoing and we will update this blog as more is learned.
Business Associates Handle Staggering Numbers of Patients’ Data
A health data breach at a large business associate can be much more damaging than one at a large covered entity. Large business associates usually serve multiple customers, so in healthcare a single breach potentially affects all of the patients at every one of those customers.
As a result, cyber thieves see business associates as attractive targets because of the amount of valuable patient data they hold. One successful hack can reach dozens of covered entities and millions of patients.
A recent example occurred at Eye Care Leaders, an EMR system vendor, where at least twenty-four providers and more than 1.5 million patients were affected, according to the investigation to date. Another massive breach occurred in 2018 at American Medical Collection Agency affecting an astonishing 21 million individuals – the second largest health data breach ever reported, after Anthem (79 million), a health plan.
Other examples of large business associate healthcare data breaches in recent years include Blackbaud (2.7 million) and CaptureRx (1.7 million).
Business Associates and Covered Entities are Both Responsible
Although business associates have been separately liable and responsible for HIPAA compliance since 2013, it appears today that many are not doing enough. Either they don’t know about the HIPAA requirements, or if they know, compliance is not a priority.
This incident should spur all business associates to review their HIPAA compliance programs thoroughly, including an updated Risk Analysis to ensure they have appropriate measures in place to manage their specific risks.
Covered entities also have a responsibility regarding their business associates. They must conduct due diligence before entering an agreement with a business associate – this requires asking basic questions about HIPAA compliance, including whether a HIPAA Risk Analysis was completed. Entrusting protected health information (PHI) to a business associate without due diligence is “willful neglect” with exposure to the highest civil money penalty amounts.
Likewise, business associates should conduct due diligence with their subcontractors. One chink in the armor is all a criminal needs.
HIPAA Compliance Includes Cybersecurity Training
Unsophisticated phishing emails are still the favorite way to infect information systems with malicious software and ransomware. Staff cybersecurity training to detect phishing is essential.
The HIPAA Rules are a Blueprint to Protect Health Information
Whether you are a business associate or a covered entity, this latest massive breach is a reminder that more work might be needed to ensure you’re doing as much as possible to safeguard the health information in your care. Review your policies, make sure they are up to date and the workforce is trained. Conduct due diligence with third-party vendors and subcontractors. And if you have questions, The HIPAA E-Tool® can help.