February 6, 2024
Hey there, privacy protectors! Abyde here, your friendly neighborhood compliance champion, dropping some serious knowledge about Business Associate (BA) blunders. You know, those slip-ups that land you in hot water with HIPAA? Not a fun time at all. Here are some major lessons that BAs can learn from to ensure they continue to uphold their shared responsibility of protecting patient data.
Proactive security is key: Assuming your company is immune to threats can lead to costly mistakes. Doctors’ Management Services faced this harsh lesson when they were part of a cyber attack and their files, which included protected health information, were infected with ransomware. DMS didn’t realize their files were affected for over a year. This infection isn’t something that can be quickly cured, with hacking organizations demanding money in exchange for access to files.
The DMS’s delayed reactionary response teaches BAs what not to do. The DMS did not have an updated security risk assessment, policies and procedures in place, or security systems in place to be prepared for this ransomware attack. The OCR fined them a pretty penny, $100,000, for their negligence. This lesson was also the first fine based on a ransomware attack.
Secure all servers: All protected health information, or PHI, a Business Associate interacts with, needs to be properly secure. While this seems obvious, BAs have learned this lesson the tough way, like MedEvolve’s $350,000 fine. MedEvolve had PHI online on an easily accessible server. This publicly accessible server included information like patient names, billing addresses, and even social security numbers.
A similar fine also occurred to iHealth Solutions, an IT organization that did not properly secure access to a server that contained the PHI of over 250 patients. This mistake cost the company $75,000.
Set up remote deletion of PHI: When working in a business, numerous devices have access to PHI. It is imperative to ensure data can be quickly wiped if these devices get into the wrong hands. A perfect example of this lesson was one learned by the Catholic Health Care Services of the Archdiocese of Philadelphia, which was fined $650,000. There was a theft of a CHCS employee’s phone that contained PHI. This phone had access to extensive PHI, including, social security numbers, diagnoses and treatments and patients’ families. Due to this stolen device, and no proactive measures to mitigate the detrimental impacts of theft, the CHCS was heavily fined and had to be monitored for two years.
These fines may grab headlines, but the true cost goes beyond money. Breaches erode patient trust, damage reputations, and hinder the security of healthcare. Remember, BAs play a vital role in safeguarding sensitive information, and non-compliance has far-reaching consequences.
While these fines serve as expensive lessons, Abyde is here to simplify compliance for your organization. Learn more about what it means to be a compliant Business Associate by emailing info@abyde.com and scheduling an educational consultation here.