NJ Physician Group Fined $417,000 for HIPAA Security Breach Part I: Business Associates
Physician practices are considered “Covered Entities” (CE) under the Health Insurance Portability and Accountability Act (HIPAA) Law and Regulation, which requires a formal, written Business Associate Agreement (BAA) with third-party vendors. But now the NJ Division of Consumer Affairs has indicated that medical practices must also have stricter vendor oversight by ‘fully vetting’ the HIPAA compliance of their business associates or risk hefty fines. Virtua Medical Group (VMG), a network of more than 50 physicians in South Jersey, agreed to pay $417,816 and improve data security practices to settle allegations that it failed to properly protect the privacy of more than 1,650 patients whose medical records were made viewable on the internet due to a server misconfiguration by a private vendor. The Office of the Attorney General and the NJ Division of Consumer Affairs issued a news release and statement about it on April 4, 2018. Sharon M. Joyce, the Division’s Acting Director, said, “This enforcement action sends a message to medical practices that having a good handle on your own cybersecurity is not enough…You must fully vet your vendors for their security as well.” So, what happened? What does this mean to you, and how can you protect your practice?
Best Medical Transcription, a Georgia-based vendor hired to transcribe dictation, updated software on a password-protected File Transfer Protocol website (“FTP site”) used to transfer and store files containing ePHI to and from VMG. The vendor unintentionally misconfigured the web server during the update, allowing the FTP site to be accessed without a password. After the FTP site became unsecured, anyone who searched Google using terms contained within the dictated information could access and download the documents on the FTP site. Best Medical Transcription restored the password protection, but Google retained the cached indexes of the files, which remained publicly accessible on the internet. Unfortunately, VMG was not notified of the breach by the third-party vendor and only became aware of it when a patient’s mother contacted them to report that she had found portions of her daughter’s medical record online. VMG investigated to determine where the breach occurred, notified law enforcement 2 weeks later, and individually removed each patient’s information from Google’s cache.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) provisions make BAs directly liable for most HIPAA requirements. However, the Privacy Rule requires that a covered entity obtain reasonable and satisfactory assurances in writing (i.e., a “Business Associate Agreement”) from its BAs that they will appropriately safeguard PHI (Protected Health Information) received on behalf of the covered entity. In this case, the Attorney General alleged that both HIPAA and the NJ Consumer Fraud Act were violated, which constitutes ‘separate and additional unconscionable commercial practices.’ At the federal level, the Office for Civil Rights (OCR) may also be expecting a greater level of vendor due diligence under HIPAA. And Sharon Joyce of the NJ Division of Consumer Affairs indicated that “although it was a third-party vendor that caused the data breach, VMG is being held accountable because it was their patient data and it was their responsibility to protect it.” The Division cited VMG for the following violations:
Failure to implement a security awareness and training program for all members of its workforce, including management.
Delay in identifying and responding to the security incident; mitigating its harmful effects; and documenting the incident and its outcome.
Failure to establish and implement procedures to create and maintain retrievable exact copies of ePHI maintained on the FTP site.
Improper disclosure of protected health information (PHI) of its patients.
Failure to maintain a written or electronic log of the number of times the FTP site was accessed. The HIPAA Regulation requires an audit log/trail recording who accessed which files, and when.
There are several major implications for physician practices based on these findings. “HIPAA Security Breach Part I” will focus on Business Associates.
Who is a Business Associate?
A Business Associate (BA) is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a Covered Entity (CE). A member of the CE’s workforce is not a Business Associate. BA functions and activities include: claims processing or administration; billing; data analysis; quality assurance; utilization review; benefits management; practice management; and repricing. BA services include: consulting; data aggregation; management; administrative; accreditation; and financial. Independent medical transcription services and billing companies would also be considered BAs. See the full definition of “business associate” at CFR 160.103.
What are the Responsibilities of a Business Associate and the Covered Entity?
BAs are obligated to comply with the HIPAA Security Rule under the HITECH Act. The BA can be held directly liable for any unauthorized disclosures or breaches, including its subcontractors, which can subject it to civil and criminal penalties. BAs are obligated to comply with the HIPAA Security Rule even if no HIPAA Business Associate Agreement (BAA) exists. However, it is the CE’s responsibility to obtain “satisfactory assurance” that a BA is HIPAA compliant. If the CE fails to do so and a breach occurs, the CE may be held liable for the BA’s and/or subcontractor’s breach. HIPAA violation fines can be very hefty, and violator names are posted on the HIPAA Wall of Shame, resulting in further negative publicity. Therefore, it is imperative that CEs perform their due diligence obligations to obtain “satisfactory assurance” for all BAs, not just those that are perceived to be “higher risk.”
How Should A Covered Entity Monitor a Business Associate?
Although a CE has not been required to monitor the BA or its subcontractors for HIPAA compliance, it can still be held responsible for the BA’s breaches. Therefore, it is the CE’s responsibility to ensure compliance with the Rules, which require administrative safeguards (i.e., policies/procedures), physical safeguards (i.e., physical access and data storage controls), and technical safeguards (i.e., protection of PHI transmitted electronically over networks). To accomplish this, it is recommended that a CE do the following:
Obtain an updated Business Associate Agreement (BAA), which specifies who has access to the CE’s data.
Request and review the BA’s:
Security Risk Analysis and Risk Assessments for the last 3 years, as well as corresponding Management Plans
Policies and procedures for the HIPAA Privacy and Security Rule, breach notification, notice of privacy practices, and employee training
Security audits and incident logs
Engage a HIPAA expert to review BA materials to better assure relevant safeguards are in place. Conventus members have access to HIPAA experts at discounted rates through strategic partner alliances. For more information, contact the Practice Resources Department at 877-444-0484, x7466.
Require the BA to notify the CE when system updates and configuration changes will occur with their software/product.
Test the upgraded software/product to identify and address any security issues.
For FTP sites:
Maintain a written or electronic log of the number of times the FTP site has been accessed.
Establish and implement procedures to create and/or maintain exact copies of the ePHI maintained on the FTP site, or ensure that the BA is sending you regular back-ups of stored data in a standard format.
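As an added example (not part of the original article or any Conventus guidance), the script below reviews an FTP server access log for the two FTP-site items above: it counts accesses per client and flags any session that reached files without a password, which is the misconfiguration at the center of the VMG incident. The log format, user names, file paths and IP addresses are constructed for illustration and are assumptions; match the regular expression to your own server's log before relying on it.

```python
import re
from collections import Counter

# Constructed sample access log in a vsftpd-style format (an assumption:
# check LOG_RE against your own server's format before relying on it).
SAMPLE_LOG = """\
Mon Mar  5 09:12:01 2018 [pid 2101] [vmg_xfer] OK LOGIN: Client "203.0.113.10"
Mon Mar  5 09:12:07 2018 [pid 2101] [vmg_xfer] OK UPLOAD: Client "203.0.113.10", "/inbound/dict_0305.doc", 48210 bytes, 310.22Kbyte/sec
Tue Mar  6 14:40:33 2018 [pid 2188] [ftp] OK LOGIN: Client "198.51.100.77", anon password "mozilla@example.com"
Tue Mar  6 14:40:40 2018 [pid 2188] [ftp] OK DOWNLOAD: Client "198.51.100.77", "/inbound/dict_0305.doc", 48210 bytes, 901.10Kbyte/sec
Tue Mar  6 14:41:02 2018 [pid 2190] [ftp] FAIL LOGIN: Client "198.51.100.78"
"""

LOG_RE = re.compile(
    r'^(?P<ts>.+?\d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<status>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<client>[^"]+)"(?P<rest>.*)$'
)
PATH_RE = re.compile(r', "(?P<path>[^"]+)"')
ANON_USERS = {"anonymous", "ftp"}  # assumption: account names used for password-less sessions


def summarize(log_text):
    """Count accesses per client and record any session that got in without a password."""
    s = {"logins": 0, "failed_logins": 0, "downloads": 0,
         "by_client": Counter(), "anonymous_sessions": [], "exposed_files": []}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not access records
        anon = m["user"] in ANON_USERS or "anon password" in m["rest"]
        if m["action"] == "LOGIN":
            if m["status"] == "OK":
                s["logins"] += 1
                s["by_client"][m["client"]] += 1
                if anon:
                    s["anonymous_sessions"].append((m["ts"], m["client"]))
            else:
                s["failed_logins"] += 1
        elif m["action"] == "DOWNLOAD" and m["status"] == "OK":
            s["downloads"] += 1
            p = PATH_RE.search(m["rest"])
            if anon and p:  # a file left the server with no password: treat as a disclosure
                s["exposed_files"].append(p["path"])
    return s


def password_protection_lost(summary):
    """True if any anonymous session succeeded; this is the condition to alert on."""
    return bool(summary["anonymous_sessions"])
```

Running the check after every vendor update, and keeping the per-client counts, covers the access-log item; the `exposed_files` list is what the breach notification would need to scope.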
Business Associate Agreements: What should be in a Business Associate Agreement?
A HIPAA Business Associate Agreement (BAA) is a contract between a CE and a BA, or between a BA and a subcontractor, indicating how PHI can be used. It sets out the terms of permissible use based on the relationship between the parties and the activities or services provided by the BA and/or subcontractor. The HIPAA rules require that a CE and a BA enter into a BAA. Full information on required BAA provisions, as well as a sample agreement, is available separately. It is a prudent practice to regularly review your vendors and ensure that BAAs are in place that comply with the law. In addition to the required items, it is recommended that BAAs also include the following:
Require that the BA notifies the CE within 3 to 5 days of a breach as defined in HIPAA, so that the CE can report “without unreasonable delay.”
If feasible, require the BA to indemnify the CE from all liabilities arising from lost, stolen, destroyed, or breached data.
Guarantee availability of data in a standard format once it is transferred to and controlled by the vendor.
Provision for a termination clause if the CE experiences any issues, such as a breach.
Specify that the BA does not own the CE’s data, but has a limited license to use the data for the purposes prescribed in the contract. The license should expire when the agreement terminates.
The BA must abide by HIPAA Privacy and Security Rule requirements. If the BA carries out any of the CE’s obligations under the Privacy Rule, the BAA must require that the BA agree to abide by the Privacy Rule.
Conventus members can contact the Practice Resources Department at 877-444-0484, x7466, for additional resources and questions about HIPAA and BAs. An expert member of the Department would be happy to speak with you.