“There are so many people who are doing innovations and startups and want to get into healthcare, and are unaware of the rules and regulations,” said David Muntz, former principal deputy director of HHS' Office of the National Coordinator for Health Information Technology. Muntz now heads a Dallas consulting firm. “What I'm hoping it will do is keep people out who are insincere about becoming HIPAA-compliant.”
Some larger healthcare organizations have employed hundreds and in some cases as many as 1,000 business associates, said Adam Greene, a partner at Davis Wright Tremaine.
Heightened scrutiny on the way vendors handle data could give healthcare organizations more leverage for establishing stronger agreements with them. “It will force greater visibility into what's going on—and greater accountability,” said Michael Overly, a partner at Foley & Lardner, who specializes in cybersecurity law. “In many instances, covered entities don't have the right to go in and audit what a business associate is doing.”
For example, some of the biggest cloud vendors severely restrict access to their data centers, he said.
Upgrades to the HIPAA privacy and security rules in the health-IT provisions of the 2009 stimulus law put business associates on equal legal footing with hospitals, physician practices, health plans and claims clearinghouses. That means vendors that violate the rules are subject to civil monetary penalties of up to $1.5 million a year.
One goal of the new round of audits, Greene said, will be to assemble a directory of business associates. In the first phase, covered entities will be asked to provide basic information about their business associates. “It won't be a complete list,” Greene said, but it will provide a starting point for identifying which business associates to audit.
Just as business associates now share equal legal liability under HIPAA, they have long shared culpability for data breaches, according to federal records.
Of the 1,472 major healthcare data breaches on the OCR's “wall of shame” website, 309 (21%) involved a business associate. Those breaches exposed 32.8 million individuals' records. The wall displays breach information dating to September 2009.
This month the OCR announced a $1.55 million settlement agreement with North Memorial Health Care in Robbinsdale, Minn., over possible HIPAA violations, which included not having a business associate agreement with Accretive Health, a Chicago-based revenue-cycle management firm.
Last summer, Systema Software, a Larkspur, Calif.-based provider of claims-management software, moved a copy of a database to Amazon Web Services, a major cloud-data storage provider, but without the controls needed to block unauthorized users.
A Texas computer hobbyist downloaded the records. Government agencies in California, Kansas and Utah learned about the breach when the hobbyist called and told them that copies of their workers' compensation and liability insurance records on about 1.5 million employees were on his computer hard drive.
Overly said the Systema breach could be a poster child for what can go wrong with covered-entity and business-associate relationships. “That's exactly the thorny problem that's presented to many healthcare providers,” he said. “I know who I'm talking to, but I don't know who they're contracting with.”