By Carol Amick
As healthcare providers continue to search for ways to cut costs and increase efficiency, many are outsourcing selected services.
One report indicated that 98 percent of the hospitals surveyed were either actively considering outsourcing or had already done so. Outsourcing is expanding beyond non-core functions to clinical areas, as healthcare providers look for ways to decrease costs and increase quality. While outsourcing can be a cost-effective move, failure to properly assess and manage risks related to protected health information (PHI) can create legal and reputational issues for the organization.
However, outsourcing and relying on vendors to perform activities that involve access to PHI increases the risk to a covered entity. Over the past three years, the Health and Human Services Office of Civil Rights (OCR) has issued approximately $6,000,000 in financial penalties in cases where failure to obtain a signed HIPAA-compliant Business Associate Agreement (BAA) from at least one vendor was either the sole reason for the financial penalty or contributed to the severity of the penalty.
The HIMSS 2019 Cybersecurity Report noted that 30 percent of the healthcare vendor respondents had not experienced a significant security incident in the prior 12 months. This means that 70 percent had experienced a significant security incident.
HIPAA requires that covered entities have Business Associate Agreements (BAAs) with vendors that have access to PHI to perform duties on behalf of the covered entity, or whose systems electronic PHI (ePHI) passes through. The HITECH omnibus rules require that business associates comply with the Security Rule with regard to ePHI, report breaches of unsecured PHI to the covered entity, comply with applicable requirements of the Privacy Rule, and ensure their subcontractors agree to the same regulations.
While a BAA does provide a covered entity with some legal assurances, a BAA does not necessarily indemnify a covered entity against financial penalties for a breach if the covered entity failed to obtain “satisfactory assurances” of the vendor's security. Nor will a BAA protect the entity’s reputation. Quest Diagnostics recently experienced a breach by one of its vendors involving financial data for approximately 11.9 million patients. While the breach was the fault of the vendor, the media focus and public attention are on Quest Diagnostics.
It’s important to consider whether the data an organization is entrusting to a vendor are protected. What is the organization doing to ensure that vendors who access ePHI understand their obligations and expectations?