The worst phone call you might ever receive is one that tells you all your patient health records have been deleted. You are busy caring for patients and managing your own office, and your EHR system was supposed to be secure, or at least that’s what the EHR vendor pledged to you when you selected them. How could this have happened? What more might have been done?
A healthcare provider complying with HIPAA follows policies and procedures to maintain the privacy and security of protected health information (PHI) in its care. An annual Risk Analysis and year-round Risk Management are second nature. But healthcare providers also rely on third parties, like electronic health records (EHR) vendors, and those vendors are business associates, also required to follow HIPAA.
A major hacking incident occurred at an EHR vendor serving eye care practices. The total number of eye care providers affected is not yet known, but the list has been growing rapidly in recent weeks, as reports are filed with the Office for Civil Rights (OCR). Eye Care Leaders, the vendor that was hacked, serves over 9,000 ophthalmologists and optometrists nationwide.
If a breach occurs at the business associate and the healthcare provider’s data is compromised or lost, both parties face consequences – investigation costs, downtime, loss of goodwill, investigation by OCR or state enforcement agencies, legal fees and public relations costs. If a large number of patients are affected, a class action lawsuit may follow.
Eye care providers are not the only ones who face this risk. All healthcare providers use business associates to carry out their work, whether for billing and coding, cloud storage, IT support, EHR/EMR programs, or other services.
Who is Responsible, Ultimately?
Sorting out legal liability in this incident will take time because it depends on a web of contracts and business associate agreements connecting all parties.
Unfortunately, the biggest losers, besides affected patients, may be the eye care practices. Each affected practice will be subject to scrutiny by HHS OCR and may face private legal action rooted in state law. As covered entities, they are responsible to patients for HIPAA compliance, and this includes vetting business associate EHR vendors.
Optometrists and ophthalmologists generally practice in small groups. Usually a business associate serving their needs is a much larger company, set up to serve many similar customers. The balance of power, contractually, often weighs in the larger company’s favor. A larger national company has sophisticated marketing skills, appealing websites and persuasive reasons to purchase their specialized products. Smaller providers typically do not have a large legal or IT staff to navigate managing their vendors. Nonetheless, they are still required to conduct due diligence regarding business associate HIPAA compliance.
Review of Business Associate Due Diligence
Key questions to start:
- Do you follow HIPAA?
- Do you have HIPAA policies and procedures that comply with the Privacy, Security and Breach Notification Rules?
- Do you have a designated HIPAA compliance person?
- When did you last perform a Risk Analysis?
More detailed questions from the HIPAA Security Rule might include how and where data is backed up, how frequently, and whether data is encrypted. Document everything – your questions, the answers, and dates, so that you can later prove you did your part.
Business Associate Agreements are Key
Healthcare providers should evaluate the business associate agreement and make sure their interests are protected. Take care not to simply execute the contract prepared by the vendor’s lawyer to protect the vendor.
Those contracts may include limitations of liability, mandatory mediation, choice of venue and other damage-limiting provisions. Who is ultimately responsible isn’t yet known. However it plays out, it most certainly will be lengthy and expensive for all parties.
Avoid Becoming a Victim
Business associates are attractive targets for cyber criminals because of the amount of valuable patient data they hold, so it’s important to look closely at a business associate’s HIPAA compliance. Ask questions, look beneath the surface and don’t accept marketing materials at face value.
If you need help with managing business associates and want to learn more about how to limit your exposure, The HIPAA E-Tool® can help.