Business Associate Breaches: Are you secure?

Recent health data breaches once again have business associates (BAs) grabbing headlines, which reinforces the importance of scrutinizing the third parties that handle protected health information (PHI).

North Shore-LIJ Health System reported that it did not learn about a breach at one of its BAs until eight months after the fact. Shortly thereafter, Medical Informatics Engineering, which offers a Web-hosted electronic health record (EHR) system as well as personal health records, disclosed that it had been the target of a breach affecting its clients and their patients.

Criminals know that the EHR is the single largest repository of patient information and therefore an extremely lucrative target. EHRs delivered under software-as-a-service, cloud, or hosting models concentrate many providers' records with one vendor, which makes them especially likely targets. For this reason, healthcare providers need to be diligent about vetting third parties before contracting with them, and about routinely verifying that those vendors remain compliant with HIPAA requirements and information security best practices.

These two cases highlight three critical issues:

1) The need to carefully vet vendors and to clearly spell out security and privacy expectations before signing contracts, including the timeframe within which the BA must notify you of a breach. HIPAA's Breach Notification Rule requires a BA to notify the covered entity without unreasonable delay and no later than 60 days after discovery; a BA agreement can, and often should, require a shorter window.

2) The need to periodically review whether BAs are actually following the security and privacy requirements outlined in their BA agreements; a signed agreement by itself does not ensure ongoing security.

3) The need to assess the cyber-risks to PHI posed by EHRs and other software hosted by third-party vendors.

Covered entities need to recognize that their privacy and security are only as good as their weakest BA. Evaluate how confident you are that each BA is keeping pace with the growing threat environment and the changing landscape of healthcare, including how confident you are that the BA will still be in business in a few years to provide the service.