I recently presented the case for covered entities to be more proactive about their business associates' IT security posture. The audience included over 50 healthcare CISOs. Most of them agreed that the risk of a PHI breach among their business associates was "an unknown," "very hard to measure," or even "likely to be very high."
After my talk, one CISO said to me, "My organization has dozens of business associates. What is the ROI of conducting a risk analysis on our exposure in relation to them?" That is the essence of the issue. Put another way, how does a covered entity justify spending time, money, and resources on evaluating its third-party vendors' IT security?
First, let's establish some facts. This is no small problem. From September 2009 (when OCR began publishing breach reports) to the end of 2011, 59% of all large breaches involved a business associate. Large breaches are defined under the Breach Notification Rule as those affecting 500 or more individuals, and some of the more egregious single incidents involved hundreds of thousands, and even millions, of individuals.
HIPAA regulations require a covered entity (CE) to have business associate agreements (BAAs) in place before they disclose any protected health information. So, right off the bat, I can tell you one thing – as a covered entity, if one of your business associates has a PHI data breach and you did not have a BAA in place, the legal and financial consequences will be very severe. Even with a BAA, you are likely to feel some pain but at least you won’t be accused of “willful neglect.”
Second, it should be obvious that maintaining all business associate agreements in a centralized location is good business practice. If, or more likely when, a business associate reports a PHI data breach, you shouldn't have to scramble just to find a copy of its contract. Yet a surprising number of hospitals don't do this, particularly if different functional groups or business units within the covered entity have the autonomy to sign their own vendor contracts. That autonomy is often a point of lax oversight in and of itself: if different groups can sign vendor agreements, who determines whether a BAA is required as opposed to some other type of contract?
Third, covered entities should use the BAA as an opportunity to set specific ground rules and conditions for who investigates the cause of a breach, who notifies affected individuals and regulators, and who bears the costs of the investigation and response. Having these provisions specified and agreed upon beforehand can save an enormous amount of time, money, and aggravation. I'd call that ROI.
Lastly, OCR has been empowered to enforce HIPAA through resolution agreements and civil monetary penalties. These penalties can run as high as $1.5 million per calendar year for violations of an identical provision, a high cost under any circumstances and particularly painful if the breach actually resulted from poor IT security at a business associate.
But it's not just the costs of investigations, brand damage, and financial penalties that justify proactive business associate risk management. There are also the (often hidden) costs of operational disruption to your organization. By their very nature, business associates perform significant functions for a covered entity, including claims processing, administration, data analysis, billing, benefits management, and so on. Once a CE learns of a BA breach, it must take reasonable steps to have the BA cure the problem and, if that fails, terminate the BAA; in practice this means PHI stops flowing to that BA until the issue has been investigated and resolved. That may mean transferring the function performed by that BA to another partner or temporarily bringing it in-house.
Redspin now offers a Business Associate Risk Analysis service that helps hospitals and other covered entities understand where their highest BA risk lies so that they can take preventive measures and/or implement contingency plans to mitigate that risk. Here are some of the areas that our expert security and compliance analysts guide you through:
- Is there a central repository of all BA agreements?
- Are they updated? Is there a master schedule for renewals?
- How critical is the BA to the CE? Are there operational contingencies should the BA no longer be able to perform its service? The risk of operational disruption should always be a factor.
- Are BAs prioritized by the amount of PHI data that is typically stored, transmitted, or in use by that BA? PHI data sets vary in quantity, scope, and depth, and thus some present a greater degree of risk than others.
- Has the BA provided any evidence of IT security protections, testing, audits, etc.?
And here’s an example of one of the sections from our assessment report:
Safeguarding PHI is an important responsibility, and all relevant parties must take their stewardship seriously. The HITECH Act raised the stakes for business associates by requiring them to comply with HIPAA directly, and beginning in 2013 civil liability and penalties can be levied directly on offending BAs. Redspin's Business Associate IT Security Risk Assessment is an effective, mutually beneficial process that enables more fruitful discussions between CEs and BAs and ultimately results in lower risk for both parties.