A Covered Entity could be doing everything right with its HIPAA compliance: performing its Risk Assessments, training its staff on a regular basis, and keeping its computer security locked up tight, only to have an outside party, a Business Associate, cause a breach. This can be very frustrating and costly to a practice. Because such a breach happens outside the practice's own controls, it is hard to plan for and hard to reduce the risk it presents. In this week's Case Study, this is exactly what happened. An outside collection company that handles very large national accounts was itself breached. This will lead to a large investigation and so far has affected over 20 million patients.
A security research firm, Gemini Advisory, was performing Dark Web monitoring and discovered that an unknown individual or group was selling a batch of 200,000 credit card numbers. Upon further investigation, it was found that this batch of data came from a company in Elmsford, New York. The company, American Medical Collection Agency (AMCA), is a billing collection service that acts as a Business Associate for many large Covered Entities nationwide. In this case, the data belonged to patients of Quest Diagnostics. AMCA performed its services for Optum360, which is owned by UnitedHealth Group; Optum360 is in turn a Business Associate for Quest. Gemini Advisory contacted AMCA to alert them of the breach and then contacted law enforcement. AMCA then notified both Quest and Optum360 of the breach.
A computer forensics team was brought in to determine the scope of the breach. It found that the breach had occurred from August 2018 until March 2019 and affected far more than just the Quest patients. The investigation is ongoing, but it has also found that patients of LabCorp were affected.
What was the result?
At the time of writing, 11.9 million Quest patients and nearly 8 million LabCorp patients have had their records improperly accessed. It appears that the records were stolen from the computers of AMCA. This information included patient names, addresses, phone numbers, Social Security numbers, billing and payment information, and medical information. However, as AMCA was a billing collection company, they had no access to the laboratory results of patients and this data wasn’t compromised.
Quest has stated that they are working with their Business Associate Optum360 and will notify the patients that were affected soon once the full scope is known.
The LabCorp data that was compromised didn’t include Social Security numbers but other information such as dates of birth, dates of service, referring provider details, and banking/credit card information was exposed.
According to the website of AMCA, they handle billing and collection services for laboratories, hospitals, physicians, and other healthcare-related entities nationwide. It's very likely that other entities were involved in this breach, and as the investigation continues, more information will be released.
Protect your practice from a Business Associate Breach
When using third parties that perform services for your practice, it's your responsibility to ensure they will protect your Protected Health Information. Each third party, or Business Associate, requires a Business Associate Agreement. This document outlines what the Business Associate will do to protect your PHI and when they will notify you of a breach. HIPAA regulations require that for any Business Associate you engage, you must have a Business Associate Agreement in place (45 CFR 164.504(e)).
A sample Business Associate Agreement provided by HHS can be found here.
However, before engaging a Business Associate, it is best to discuss with the entity its practices for protecting PHI. Here are some sample questions you could ask to gauge their understanding of HIPAA and their legal obligations:
- When did you last perform your Risk Assessment?
- May I see your latest Risk Assessment?
- Who is your Security Officer?
- How will the PHI of my practice be used by your organization?
- How will that PHI be stored at your location?
- Who in your company will have access to this PHI?
- Do you audit access to the PHI?
- Do you have a Disaster Recovery Plan?
The answers to these questions will give you a very good idea of the potential liability you will take on by working with this Business Associate. If you get answers like "HIPAA doesn't apply to us," or they won't sign a Business Associate Agreement, then it's best to look for a new vendor. We recommend creating a new-vendor questionnaire and keeping the completed document with the rest of your HIPAA documentation for every vendor you do business with. This, together with their Business Associate Agreement, will show that you did your part to ensure HIPAA compliance.
Business Associates can be a big help to Covered Entities, but they can also introduce the potential for a breach. Practices need to perform due diligence on potential Business Associates to ensure that their PHI will be protected. By doing this, the Covered Entity reduces the risk of a breach at the Business Associate and also covers its own liability should one happen.
You can read the information directly from the HHS website on Business Associates here.