Monitor business associates to help prevent breaches

As health care organizations rely ever more heavily on business associates, they are accepting not only essential assistance but also significant cybersecurity risk.

Business associates are unquestionably valuable to health care organizations. They perform functions and activities involving the use or disclosure of protected health information on behalf of an organization, which in this setting is called a covered entity. They matter both for what they contribute and for the risk they introduce.

Business associates fall into a broad category of professionals — accountants, attorneys, consultants, or electronic health record/IT specialists — billing, data storage or transmission, or management companies; or subcontractors of any kind. They are not other providers, members of an organized health care arrangement, insurance companies, delivery services such as a courier or U.S. postal carrier, building maintenance, or the organization’s employees.

Business associates’ HIPAA responsibilities are meant to provide security

Some measure of prevention is provided through required compliance with HIPAA. Business associates are responsible for identifying, assessing and monitoring any support or subcontracting business associate, and for providing regular updates to the covered entity. They must establish and define their security requirements, the covered entity’s right to audit, and incident reporting to service providers. Business associates must also implement an effective monitoring and assessment process based on the nature of the data exchanged with service providers. And they have to be able to show due diligence and care in monitoring their suppliers’ security compliance.

These are the requirements, but too often adherence is minimal.

Covered entities can be liable for business associates’ actions

Covered entities include all health plans and certain health care providers — those that electronically transmit health information related to transactions subject to U.S. Department of Health & Human Services (HHS) standards. A covered entity is liable for a business associate’s noncompliance when it is aware that the associate is violating HIPAA and fails to act. It is also liable if the business associate is an agent of the entity rather than an independent contractor.

To avoid risking liability, report any suspicious activity and obtain a signed agreement confirming the associate’s independent contractor status. Acknowledge the independence by not controlling the associate’s methods and functions.

Business associates have moved to the center of breach activity

Business associates and health care organizations alike suffer security breaches due to a number of causes, with a major and growing source being criminal activity. Medical information is worth 10 times more than credit card information on the black market, according to Reuters.1 Criminals use the data in scams, and business associates are a common target because of the billing and insurance information they hold. These areas account for the most-breached data within these companies.

Criminal activity is on the rise, but it is not always the biggest threat; employee negligence tops the list of security worries for business associates. Slippage due to use of cloud services and mobile devices is next, followed by other causes.

Business associates are experiencing alarming numbers of breaches. According to a Ponemon study, over half (59%) of surveyed business associates said they’d experienced a breach involving patient data in the previous two years, and over one-quarter (29%) reported more than two such breaches.2

A significant reason for their vulnerability is that they are often small or midsized. Companies in this category tend to share some unfortunate characteristics:

  • Lower budgets for privacy and security
  • Less formal monitoring and auditing programs

Half of business associates self-report that policies, procedures, technology and personnel are inadequate to prevent or quickly identify and resolve unauthorized access, loss or theft. The majority do not perform the federally required risk assessment for security incidents.3

In all cases, the issue is insufficient control to protect the company’s and customer’s information from unauthorized access, disclosure, modification or destruction. This state of affairs can spell serious trouble for the many health care organizations that engage the services of business associates.

Establish a foundation of security

Start with a security risk assessment as required by HHS. This assessment is intended to protect both covered entities and patients by reducing the potential for a breach. It can also help protect your organization from liability related to your business associates, and it facilitates receiving Centers for Medicare & Medicaid Services electronic health record incentives.

Build a solid foundation for your engagement with business associates. While covered entities cannot control their business associates’ methods and functions, they can work with their associates to establish and monitor accountability:

  • Thoroughly vet prospective associates
  • Identify existing associates to create an inventory
  • Rate each associate for risk
  • Review agreements
  • Provide associates with a notice of privacy practices
  • Require proof of associates’ technical security controls:
    - Encryption
    - Access control
    - Access monitoring
  • Request a list of the associates’ subcontractors and their services
  • Maintain documentation of all the above
  • Set backup/substitutes in place

Take a 3-step approach to internal data security

Oversight of business associates must be conducted in conjunction with your own security procedures, which should include communicating with stakeholders, instituting a training program, keeping a change management mindset, and prompting vigilance and awareness.

Within your organization, initially and on a regular basis, perform these activities:

  • A security program assessment based on a National Institute of Standards and Technology (NIST)- and Health Information Trust Alliance (HITRUST)-based framework. For more information about HITRUST and Grant Thornton’s HITRUST services, see “HITRUST approves Grant Thornton to perform CFS security assessments.”
  • A privacy and security risk assessment
  • Security testing for vulnerability, indicators of compromise and penetration

To best protect valuable data, be proactive and deliberate about monitoring your business associates’ controls as well as you monitor your own.

    1 Humer, Caroline, and Finkle, Jim. “Your Medical Record Is Worth More to Hackers Than Your Credit Card,” Reuters, Sept. 24, 2014.
    2 Ponemon Institute. Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, May 2015.
    3 Ibid.

    David Reitzel

    National Leader
    Health Care IT
    Health Care Advisory Services
    T +1 312 602 8531