In a recent Brookings Institution paper, authored by Niam Yaraghi, researchers found that in spite of government efforts, privacy breaches, specifically electronic breaches, are on the rise across all health care practices.
When detailing their findings, Yaraghi wrote: “… the frequency and magnitude of privacy breaches have been on an upward trend … and data breaches are more likely to happen in the health care industry than any other sector.” Yaraghi attributed a large number of these breaches to Internet hacking and phishing. He listed multiple reasons for the health care industry being at greater risk of privacy attacks, and hackers were at the top of the list.
In the publication, Yaraghi wrote:
“Recent leaps in technology toward health care digitization have resulted in unprecedented amounts of personal health data being collected, shared, and analyzed on an everyday basis. Due to this proliferation in data, there are now more reasons to be concerned about patient privacy than ever.”
This leaves all health care organizations much more vulnerable.
Before the Omnibus Ruling that went into effect in September 2013, many Covered Entities shifted their burden to Business Associates because the Business Associates were not held as accountable for breaches. They were attempting to pass off the risks knowing that the Business Associates would not be audited. Consequently, many Covered Entities have a significant number of Business Associates, which can now mean an increased risk for breaches and problems for the Covered Entities, if they don’t regularly monitor their associates.
When addressing the complexity in the collaboration between health care entities – Covered Entities and Business Associates – Yaraghi wrote:
“Consider a simple office visit: in addition to the physician who sees the patient, it may involve an independent entity that facilitates the scheduling of the visit, an electronic medical records (EMR) vendor that provides software and cloud storage for saving the doctor’s notes, a [sic] health information exchange (HIE) platform that shares this data with other physicians, another party that creates the bill, the insurance company that pays for it, and sometimes a collecting agency that manages the patient’s late payments.”
Each step in the process could be a different associate.
Even though the Omnibus Ruling now holds Business Associates responsible for breaches, the Covered Entity can still be held responsible as well. If the Covered Entity is not checking to ensure the Business Associate is HIPAA compliant, then the Covered Entity is not doing everything possible to protect patient information and could be held partially responsible if one of their associates experiences a breach.
Also, many Business Associate employees are viewed as Covered Entity employees if they work onsite for the Covered Entity, adding another breach-consequence risk for the Covered Entity. If a breach is caused by one of these onsite Business Associate employees, patients could lose trust in the Covered Entity, which can result in business losses.
To collect the data, Yaraghi and his fellow researchers interviewed various health care Covered Entities, like insurance companies and doctor offices, and Business Associates, like electronic-medical-record (EMR) vendors and labs. The interviewed organizations are all listed on the OCR website for having a breach in 2014 or 2015.
Are you protecting your organization from the increasing risks that come with technology and Business Associates? If not, then start using HIPAAgps’s simple compliance system to get your organization on the right track today. Plus, to be sure your Business Associates are HIPAA compliant, you can require that they also use HIPAAgps and provide you with annual print-outs of their risk assessments.