Updated September 8, 2022
Did you realize that IT consultants and printing companies might need to comply with HIPAA? If they provide services to the healthcare industry and handle protected health information, they must.
The damage caused by hacks into third-party vendors in healthcare can be astronomical. These third-party vendors are HIPAA business associates, and they typically maintain and transmit huge amounts of patient data for multiple covered entity customers. A data breach caused by one hack at a business associate can therefore be far larger than an attack on a single covered entity, because one compromise exposes the data of every customer the vendor serves.
Two recent cyber attacks on HIPAA business associates continue the pattern seen in 2022 so far, in which business associates are responsible for the largest healthcare data breaches, affecting millions of patients. The first incident occurred at Avamere Health Services LLC (Avamere), a business associate providing IT services to healthcare entities. The other happened at OneTouchPoint, a company providing printing and mailing services to health insurers.
Other massive breaches this year have been reported at Shields Health Care Group (Shields) in Quincy, MA and Eye Care Leaders of Durham, NC. Both are business associates under contract to hundreds of covered entities. Combined, the cyberattacks at these two business associates have affected over 5 million individuals, so far.
Avamere Incident Affects Dozens of Entities
Avamere Family of Companies
Avamere Health Services LLC in Wilsonville, OR is both a covered entity and a business associate serving other covered entities. It comprises a family of companies that operate senior living facilities, home rehab, imaging services and after care consultation.
Avamere reported the breach on July 13 to the Office for Civil Rights (OCR) describing a hacking incident involving a network server operated by a subcontractor business associate. Its breach notification includes a list of about 80 affected clients to which Avamere provides IT services as a business associate. The affected covered entities include senior living and healthcare facilities, such as hospices and assisted living facilities.
Avamere reported that the hacking incident resulted in:
“files and folders that were potentially removed from our system contained identifiable protected health information such as full names, addresses, dates of birth, driver’s license or state identification numbers, Social Security numbers, claims information, financial account numbers, medications information, lab results, and medical diagnosis/conditions information.”
In addition to Avamere, at least one of Avamere’s covered entity clients – Oregon-based Premere Rehab, LLC, doing business as Infinity Rehab – has so far separately reported the incident to OCR as affecting another 183,000 individuals. Infinity’s breach notification statement lists about 15 of its own covered entity clients affected by the Avamere hack.
Printing and Mailing Company Can Be a Business Associate
OneTouchPoint (OTP) is a Wisconsin company that provides printing and mailing services for health insurer customers. It reported an apparent ransomware incident to Maine’s attorney general on July 27. The incident affects more than three dozen of OTP’s customers and nearly 1.1 million individuals so far, but the numbers may grow as the investigation continues.
As of August 26, 2022, the numbers affected by the breach had grown to over 2.6 million individuals. OTP sent a revised notice to the Maine Attorney General’s office that day.
Once all the covered entities (that are customers of OTP) have reported their breaches on the OCR HIPAA Breach Reporting Tool, the OTP breach will rank as the largest health data breach of 2022, so far.
OTP posted a notice on its website, explaining that it discovered encrypted files on certain computer systems on April 28. OTP believes that an unauthorized intruder gained access to OTP servers on April 27. The company says the affected systems contained protected health information provided by its health insurer customers, but is unable to determine definitively what personal information was accessed. The type of information potentially affected by the incident includes name, member ID, and information that may have been provided during a health assessment. OTP lists 38 health insurer clients affected by the incident on its notice.
Business Associate Chain of Trust
HIPAA requires a documented ‘chain of trust’ running from covered entities to business associates to subcontractor business associates: a written business associate agreement must be in place at each link, and a business associate that uses a subcontractor to handle protected health information must have its own agreement with that subcontractor. A compromise at any weak link in the chain can cause a breach for every entity upstream of it, and the chances of a breach increase as the chain gets longer. Due diligence and an effective HIPAA compliance program are essential for each link.
Large business associates often rely on generic IT security procedures that meet some, but not all, HIPAA requirements, resulting in self-assured complacency. Common failures include inadequate risk analysis, inadequate risk management, and the absence of regular technical and nontechnical security evaluations, each of which the Security Rule requires as a standard rather than an option.
The HIPAA E-Tool® has a business associate edition, designed specifically for third-party vendors in healthcare. Included in its risk analysis module is the Security Rule Checklist, essential for a complete risk analysis; it is up-to-date with HIPAA requirements and covers everything needed for both covered entities and business associates.
If you believe you need help catching up with HIPAA, no matter what type or size of organization you are, The HIPAA E-Tool® is the logical answer.