In the wake of an historic, multi-state lawsuit filed against a “Business Associate” earlier this month, it is imperative that companies with business associate agreements (BAA) in place with health care/plan customers review internal data security policies and procedures to ensure they are in compliance with their obligations arising under HIPAA, state privacy laws and the BAAs.
On December 3, 2018, Attorneys General from 12 states filed a lawsuit against Indiana-based health records company, Medical Informatics Engineering, Inc. (MIE), for a data breach in 2015 that compromised the health care data of approximately 3.9 million people. This is the first time that state attorneys general have united to pursue a HIPAA-related data breach case in federal court, signaling a potential new approach by law enforcement to hold Business Associates accountable for such health data breaches.
The lawsuit alleges that during 2 weeks in May 2015, hackers stole electronic Protected Health Information (ePHI) of individuals (such as dates of birth, Social Security numbers, usernames and passwords) which was being maintained in electronic medical records stored on MIE’s computer systems. MIE is accused of violating multiple laws, including state consumer protection, data breach, and personal information laws, as well as federal HIPAA statutes by: (a) failing to take adequate and reasonable measures to ensure their computer systems were protected, (b) failing to take reasonably available steps to prevent the breaches, (c) failing to disclose material facts regarding the inadequacy of their computer systems and security procedures to properly safeguard patients’ personal health information, (d) failure to honor their representations that patients’ PHI would be protected, and (e) failure to provide timely and adequate notice of the incident.
How to Protect Your Company
The responsibility of protecting the privacy and security of your customer’s health care data is significant; and as this lawsuit reveals, failure to do so can have disastrous consequences for your company. To meaningfully reduce the risk of a breach of your customers’ health care data, you should, at a minimum, take the following steps to ensure compliance with your Business Associate obligations:
- Conduct regular and thorough audit/assessments of potential risks and vulnerabilities in your security system.
- Implement security measures sufficient to reduce risks and vulnerabilities identified in such audit/risk assessment, including, but not limited to:
i) implementation of current encryption technology to protect ePHI in both transit and at rest;
ii) implementation of appropriate safeguards to protect ePHI on portable devices; and
iii) implementation and on-going assessment of current access controls (e.g. password controls, 2-step authentication and regular access audits).
- Review breach notification requirements in your existing BAAs (e.g., the process for identifying a breach or security incident, timeliness of reporting to customer, information required for investigating a breach, etc.) and tighten your procedures for discovery, investigation and notification of a HIPAA or state law data privacy breach.
- Implement annual HIPAA training for employees who have access to customers’ ePHI as part of their job function, and to all new employees during orientation.
Our health care team is happy to answer any specific questions you may have about your company’s compliance obligations as a Business Associate. Please feel free to contact Marni Levitt at firstname.lastname@example.org or contact us via our website.
Marni Levitt is a Member of Outside GC's Boston-based team. She brings over twenty years of experience practicing health care and hospital law, with a focus on healthcare regulatory compliance, HIPAA and privacy-related matters, and general contracts review, including Business Associate Agreements. Marni can be reached at email@example.com or 508-561-4306.