In an article titled “Updating the Breach Scorecard,” Howard Anderson notes that Business Associates (BAs) were at the center of more than 20% of the data breaches involving 500 or more patients reported since the HHS began publicizing such incidents in 2010. Laptop encryption software and other data protection tools provide safe harbor from the reporting requirements, but then, a BA is not directly responsible for reporting a PHI data breach in the first place.
Not only were Business Associates involved in more than 20% of all PHI data breaches, the top three breaches involved BAs as well. These three incidents (Tricare, 5M+ affected, September 2011; Health Net, 1.9M, January 2011; New York City Hospitals Corp, 1.7M, December 2010) also account for more than 45% of all individuals affected since covered health entities started reporting breaches to the HHS, the Department of Health and Human Services.
And yet, BAs are not responsible for reporting data breaches. If a breach occurs, they notify the “owner” of the data, namely the health organization that collected, retained, and outsourced the information. The data owner in turn notifies the affected patients, the HHS, and any other bodies that oversee such incidents.
Why would anyone outsource this information? The reasons are myriad: lawsuits, collections, research, you name it. In the Tricare breach, for example, a backup tape was being transferred to an off-site location for safekeeping (yes, quite ironic).
Outsourcing is a part of a hospital’s operations: the medical world is too complex for it not to happen. Outsourcing, for better or worse, is part of life.
One could also say the same about data breaches. As most (if not all) data security experts point out, there is no way to completely prevent a breach from happening. It’s also “part of life.” The thing is, though, that you can minimize the chance of one happening even if you can’t eliminate it.
For example, all three of the top breaches listed above could have been kept off the list with encryption software. The data that was stolen was data at rest, which can be secured with disk encryption or file encryption, take your pick, as long as the key is not stored on the same media and the encryption follows the HHS guidance (which points to NIST): PHI encrypted that way is not “unsecured” PHI, and losing it does not trigger notification. There’s really no reason why those three breaches should be the top three: they were completely preventable.
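As an added illustration (not code from the original post or from any of the organizations it names), here is what “encrypt the data at rest before it leaves the building” looks like for a backup image, in Go with only the standard library: the tape carries a nonce and AES-256-GCM ciphertext, the key stays behind in the covered entity’s key manager, and any attempt to open the image with another key, with the wrong backup-set label, or after a byte has been altered fails closed. The sample record, the label, and the function names are assumptions made up for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TapeImage is everything that is allowed to leave the building: a nonce and
// AES-GCM ciphertext (which carries its own 16-byte authentication tag).
// The key is deliberately absent. If the key travelled on the same tape, the
// "encrypted, therefore secured" argument would fall apart.
type TapeImage struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewDataKey returns a fresh random 256-bit key. In practice this lives in the
// covered entity's key manager or HSM, never on the media or with the courier.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD wraps key in AES-256-GCM, rejecting anything but a 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts plaintext under key. label (e.g. a backup-set name) is
// bound as associated data, so one set's image cannot be passed off as another's.
func SealBackup(key, label, plaintext []byte) (*TapeImage, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &TapeImage{
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, label),
	}, nil
}

// OpenBackup decrypts and verifies an image. A wrong key, a wrong label, or a
// single flipped byte anywhere in the image makes it fail closed.
func OpenBackup(key, label []byte, img *TapeImage) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, img.Nonce, img.Ciphertext, label)
	if err != nil {
		return nil, errors.New("backup rejected: wrong key, wrong label, or modified image")
	}
	return plaintext, nil
}

func main() {
	// Constructed sample record for the example; not real PHI.
	record := []byte("MRN 000123|Doe, Jane|1970-01-01|dx: hypertension")
	label := []byte("nightly-backup-2011-09") // hypothetical backup-set name

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	img, err := SealBackup(key, label, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape carries %d bytes of ciphertext and no key\n", len(img.Ciphertext))

	if _, err := OpenBackup(key, label, img); err != nil {
		panic(err)
	}
	fmt.Println("with the on-site key: restored")

	thiefKey, _ := NewDataKey() // whoever took the tape does not have the real key
	_, err = OpenBackup(thiefKey, label, img)
	fmt.Println("with any other key:", err)
}
```

The point of the design is the separation: what is on the tape is useless without what is in the key manager, and GCM’s tag means a tape that was altered in transit is rejected rather than silently restored with bad data.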
Moral Hazard? Not So, and Yet…
As noted near the beginning of this post, Business Associates are not directly responsible for reporting a data breach of protected health information (PHI). If a BA triggers a breach, it notifies the covered entity but does not itself need to notify patients or the HHS. Most states with breach notification laws defer to federal rules (like HIPAA) where those apply, so the BA need not notify state AGs or other authorities or organizations, either.
It’s almost as if a “moral hazard card” (a “get out of jail free” card) is built-in, giving BAs free rein to do what they want. Almost.
The idea is that BAs that are lax in their data security duties are kept in line by the covered entities that hired them: lawsuits, terminated contracts, what have you. It’s the trickle-down theory of data security, meaning that the people who cause the breach eventually end up holding the bag one way or another. It doesn’t seem to work very well, though.
Also, it’s odd because it puts hospitals in the position of having to monitor their BAs. I mean, that sounds like exactly the kind of thing a covered entity would outsource…oh, wait.