Business Associates Wake Up Call

When you think of HIPAA privacy, is an accounts receivable management firm the first thing you think of? Is it even the second or third thing? Probably not. Most of us focus on doctors, dentists, hospitals and health plans, all of which are covered entities and required to comply with HIPAA. But business associates that support covered entities routinely handle far more patient data and are also required to follow HIPAA.

A massive health data breach at business associate Professional Finance Company, Inc. (PFC) was recently reported to the Office for Civil Rights, the agency that enforces HIPAA. PFC is a debt collection agency, just one category of business associates routinely employed by healthcare providers.

So far it appears the data breach affects more than 650 healthcare providers and an unknown but potentially enormous number of patients. The investigation is ongoing and we will update this blog as more is learned.

Business Associates Handle Staggering Numbers of Patients’ Data

A health data breach at a large business associate can be much more damaging than one at a large covered entity. Because a large business associate usually serves many customers, in healthcare a breach there potentially affects the patients of every one of those customers.

As a result, cyber thieves see business associates as attractive targets because of the amount of valuable patient data they hold. One successful hack can reach dozens of covered entities and millions of patients.

A recent example occurred at Eye Care Leaders, an EMR system vendor, where at least twenty-four providers and more than 1.5 million patients were affected, according to the investigation to date. Another massive breach occurred in 2018 at American Medical Collection Agency affecting an astonishing 21 million individuals – the second largest health data breach ever reported, after Anthem (79 million), a health plan.

Other examples of large business associate healthcare data breaches in recent years include Blackbaud (2.7 million) and CaptureRx (1.7 million).

Business Associates and Covered Entities are Both Responsible

Although business associates have been separately liable and responsible for HIPAA compliance since 2013, it appears today that many are not doing enough. Either they don’t know about the HIPAA requirements, or if they know, compliance is not a priority.

This incident should spur all business associates to review their HIPAA compliance programs thoroughly, including an updated Risk Analysis to ensure they have appropriate measures in place to manage their specific risks.

Covered entities also have a responsibility regarding their business associates. They must conduct due diligence before entering an agreement with a business associate – this requires asking basic questions about HIPAA compliance, including whether a HIPAA Risk Analysis was completed. Entrusting protected health information (PHI) to a business associate without due diligence is “willful neglect” with exposure to the highest civil money penalty amounts.

Likewise, business associates should conduct due diligence with their subcontractors. One chink in the armor is all a criminal needs.

HIPAA Compliance Includes Cybersecurity Training

Unsophisticated phishing emails are still the favorite way to infect information systems with malicious software and ransomware. Staff cybersecurity training to detect phishing is essential.

The HIPAA Rules are a Blueprint to Protect Health Information

Whether you are a business associate or a covered entity, this latest massive breach is a reminder that more work might be needed to ensure you’re doing as much as possible to safeguard health information in your care. Review your policies, make sure they are up to date and the workforce is trained. Conduct due diligence with third-party vendors and subcontractors. And if you have questions, The HIPAA E-Tool® can help.

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.
