Where Are the Big Business Associate HIPAA Breaches?

It seems like I have HIPAA and security on my mind lately. It started with me writing about the 6 HIPAA Compliance Reality Checks whitepaper and then carried over with my piece looking at whether cloud adoption addresses security and privacy concerns. In the later post, there’s been a really rich discussion around the ability of an enterprise organization to be able to secure their systems better than most healthcare organizations.

As part of that discussion I started thinking about the HHS HIPAA Wall of Shame. Off hand, I couldn’t think of any incidents where a business associate (ie. a healthcare cloud provider) was ever posted on the wall or any reports of major HIPAA breaches by a large business associate. Do you know of some that I’ve just missed?

When I looked at the HIPAA Wall of Shame, there wasn’t even a covered entity type for business associates. I guess they’re not technically a covered entity even though they act like one now thanks to HIPAA Omnibus. Maybe that’s why we haven’t heard of any and we don’t see any listed? However, there is a filter on the HIPAA Breach disclosure page that says “Business Associate Present?” If you use that filter, 277 of the breaches had a “business associate present.” Compare that with the 982 breaches they have posted since they started in late 2009.

I took a minute to dig into some of the other numbers. Since they started in 2009, they’ve reported breaches that affected 31,319,872 lives. My rough estimate for 2013 (which doesn’t include some breaches that occurred over a period of time) is 7.25 million lives affected. So far in 2014 they’ve posted HIPAA breaches with 478,603 lives affected.

Certainly HIPAA omnibus only went into effect late last year. However, I wonder if HHS plans to expand the HIPAA Wall of Shame to include breaches by business associates. You know that they’re already happening or that they’re going to happen. Although, not as often if you believe my previous piece on them being more secure.

As I considered why we don’t know of other HIPAA business associate breaches, I wondered why else we might not have heard more. I think it’s naive to think that none of them have had issues. Statistics alone tells us otherwise. I do wonder if there is just not a culture of following HIPAA guidelines so we don’t hear about them?

Many healthcare business associates don’t do much more than pay lip service to HIPAA. Many don’t realize that under the new HIPAA omnibus they’re going to be held accountable similar to a covered entity. If they don’t know those basic things, then can we expect them to disclose when there’s been a HIPAA breach? In healthcare organizations they now have that culture of disclosure. I’m not sure the same can be said for business associates.

Then again, maybe I’m wrong and business associates are just so much better at HIPAA compliance, security and privacy, that there haven’t been any major breaches to disclose. If that’s the case, it won’t last forever.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

2 Comments

  • John – we do a lot of Risk Assessments for Business Associates and I can assure you, you are spot on with your assumption regarding Business Associates. Some are in no better shape than Covered Entities. Some have no idea of HIPAA regulations and what their responsibilities are. And these are just the organizations that are going through Risk Assessments and have some concern about HIPAA. I would assume there are a lot more BAs that don’t even realize they are covered under the Omnibus Rule.

  • There are a few things at work here:
    1) If you look at the “wall of shame” many are by larger business associates and most are due to bafoonery with laptops or other portable storage devices.
    2) Cloud breaches have not yet been an issue as encryption is the basic secure point. I’m sure we’ll see some issues in the future.
    Oh and the “cloud” is not the security panacea everyone things it is.

Click here to post a comment
   

Categories