Organization fined $418,000 for business associate HIPAA breach

Virtua Medical Group – a physician network –  has been fined $418,000 by the New Jersey Attorney General’s Office for failing to safeguard electronic protected health information (ePHI) belonging to more than 1,650 patients.

The data breach occurred following misconfiguration of a database held by one of Virtua’s business associates, Best Medical Transcription. The third-party vendor had been contracted by Virtua to transcribe sensitive data held within medical notes, reports, and letters.

The transcribed notes containing sensitive data were uploaded to a password-protected website at Best Medical Transcription; however, password protection had accidently been removed in January 2016 during a software update. This slip-up caused patient data to become readily available, without any need for authentication. Worse still, content from the vendor’s server wound up being indexed by search engines and could easily be found by simply searching for any terms contained within the notes online.

Best Medical Transcription became aware of the lapse in password protection and a potential breach, but it did not notify Virtua Medical Group that data had been exposed.

A harsh settlement and a stark reminder

The Attorney General ruled that there had been multiple accounts of non-compliance with Health Insurance Portability and Accountability Act (HIPAA) requirements, subjecting Virtua to the ruling, despite the fact that the breach technically affected one of its business associates.

Virtua was chastised for failing to conduct a thorough risk analysis of its business associate (BA), Best Medical Transcription, and as a result, electronic Protected Healthcare Information (ePHI) was communicated at the cost of patient confidentiality. Furthermore, the medical group was also condemned for implementing inadequate security measures to reduce the risk potential. The investigation also revealed that Virtua didn’t have a security awareness and training program for staff in place, and there had been “unacceptable delays” in identifying and responding to the data breach.

In a statement, the Attorney General said “Electronically stored data is vulnerable to security breaches and doctors must follow strict rules to safeguard it. When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken”.

In addition to the financial penalty of $418,000, Virtua Medical Group has agreed to undertake a robust corrective action plan which includes hiring a third-party security professional to conduct a comprehensive risk analysis relating to the company’s handling, transmission, and storage of ePHI, and to perform further risk assessments every two years.

This enforcement action should serve as a stark reminder for healthcare providers (known under HIPAA as ‘covered entities’) to thoroughly vet their third-party vendors to ensure security best practices are being followed, and sensitive data remains protected at all times. Failure to comply can result in significant financial and reputational damage. HIPAA covered entities must remain mindful of their vendors and BAs, ensuring they are compliant before giving them any access to sensitive data.

This action may also indicate a trend towards increased enforcement of HIPAA by the states.  Most of the enforcement actions that come to the public’s attention are brought by the federal department of health and human services office of civil rights (HSS-OCR). However, under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA in 2013, state attorney generals now have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. And some state privacy laws are even stricter than the federal legislation.

3 questions healthcare organizations need to ask their BAs

1. Does the vendor identify themselves as a Business Associate?
   Clarity is key when dealing with third-party organizations. If a vendor is providing services that require exchange of PHI and/or ePHI, it is vital that they recognize themselves as a BA, and be willing to sign a BAA. In the eyes of the regulator, if a third party creates, receives, maintains, or transmits ePHI, they are a BA whether they realize it or not.  HIPAA requires that covered entities enter into agreements with their business associates to ensure they will appropriately safeguard protected health information (see 45 C.F.R. §164.308(b)).  Consequently, if a healthcare provider exchanges ePHI with a BA without first having signed a BAA, they are not in compliance with HIPAA.2. How and where will sensitive data be stored, accessed, and shared?
   It is essential to understand how BAs collect, store, process and transfer ePHI, as well as how they protect that ePHI from unauthorized access.  A signed business associate agreement should be in place for both parties, contractually outlining in detail how sensitive data will be managed.

   Additionally, it is a good idea to understand how a BA goes about vetting, training, and educating its employees – after all, policies and procedures are only as good as the employees who are implementing them. Ultimately, the covered entity is responsible for protecting patient data, and if the BA fails to provide adequate security, it is the covered entity that will be held responsible.

2. Is there an incident response plan in place?
   No organization is immune from a data breach. Therefore, it’s important that the BA has planned ahead and accounted for any potential contingencies with a detailed incident response plan. This should include mandated provisions to notify the covered entity as soon as possible of any potential security gaps or events.

Online faxing service, eFax Corporate helps ensure your online faxing complies with the strictest mandates of HIPAA. Click here to discover how eFax Corporate® helps keep your faxes HIPAA compliant.