As part of the HIPAA Omnibus ruling in 2013, Business Associates (BAs) of Covered Entities are required to comply with HIPAA Privacy and Security guidelines. Not much attention has been focused on BAs’ compliance to date, but the Health and Human Services Office of Civil Rights (OCR) is beginning its 2nd round of audits and has specifically indicated that Business Associates will be included in these random audits.
Historically the focus has been on Covered Entities’ compliance, but now a BA can be pulled into this audit. If during an audit of a Covered Entity it is determined that their Business Associate is not compliant, the Covered Entity and the Business Associate could both receive fines. OCR considers the Business Associates of a Covered Entity to be part of that Covered Entity’s compliance plan. This is called the Common Agency Provision of the HIPAA Omnibus ruling. This means that a Covered Entity could be held liable for breaches that were caused by a Business Associate.
We’ve already seen a case like this in September 2011. Stanford Hospitals contracted with Multi-Specialty Collection Services (MSCS) to perform a revenue cycle review. MSCS subcontracted the graphics portion of the project to a company called Corcino & Associates, LLC. A workforce member from Corcino posted a copy of a spreadsheet with patient data on a now defunct website called Student of Fortune, a site used by students to find help with school work. The information was left on these servers unencrypted for over a year and was discovered by a patient who reported it to Stanford.
This was a major breach of 20,000 patients’ information, and a few days after Stanford reported the breach, a class action lawsuit was filed in California against all the offending parties for $20 Million. That was settled in 2013 for $4.125 million, with MSCS and Corcino picking up $3.3 million of the settlement, and Stanford was stuck with a $500K fine for a program to educate vendors and a $250K fine to cover administrative costs. Needless to say, Stanford promptly terminated their business relationship with MSCS. This proved to be a very costly mistake for MSCS and Corcino.
Luckily, Stanford has been cleared of any HIPAA fines or penalties from HHS and California, but they are still left paying $750k for a breach caused by their Business Associate and the Business Associate’s Subcontractor.
You may have adequate security measures in place, but HIPAA is not just about making sure that data is secure. It is a mandate with very specific requirements that must be met in order to reach compliance. As audits are now becoming a reality, Covered Entities will look for Business Associates that not only claim to be compliant but can also prove their compliance by providing documented answers to the following questions:
- What is your security program?
- How are you educating your workforce?
- How do you manage access to and handling of patient/client information?
- Do you have policies and procedures for both Privacy and Security?
- Have you vetted your Business Associate Subcontractors?
So boost or bust?
That’s up to you. Business Associates who are not HIPAA compliant will likely struggle to retain the confidence of their current clientele, while those that take the time to properly complete their compliance plan stand to gain the business others have lost. Those that are expected to benefit the most are Business Associates who are first to market with a comprehensive HIPAA compliance plan, earning new business while others struggle to catch up.