Business associates are continually finding themselves in a state of turmoil when it comes to security and HIPAA compliance. Recently, Stanford University Hospital in Palo Alto, California experienced a breach of 20,000 patients’ medical records due to a business associate HIPAA violation. The medical records were made accessible online to the public for almost a year after an error was made by one of Stanford University Hospital’s business associates.
The hospital and its business associate, Multi-Specialty Collection Services of Los Angeles (MSCS), confirmed that the medical data of 20,000 patients had been accidentally sent to a job prospect, who then posted the data on a tutoring website as part of a job skills test. The incident was described in an email sent to affected patients, according to MSCS.
Anthony Reyna, MSCS President, disclosed that a marketing vendor sent patient health information directly from Stanford Hospital. The job applicant was later given the converted data to use for a part of the skills test, which involved creating graphs and charts using the data. The applicant used a website called studentoffortune.com to display the data for the assignment.
The applicant completed the assignment on her own, and while she did not receive the job position, she left the data posted on the public website. The data was discovered and removed nearly a year later. The applicant was not aware that the data was real, and Reyna confirmed that the exposure resulted from a business associate HIPAA violation.
While the data did not expose Social Security numbers, it did include names, dates of admission, diagnostic codes, billing codes, and charges. This information is considered protected health information (PHI) under HIPAA regulation. PHI is any demographic information that can be used to identify a patient. MSCS removed the data immediately after the breach was discovered. Yet, it is not clear how many people accessed the data during the time it was online.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigates HIPAA violations and enforces penalties against organizations that fail to implement the necessary measures to protect PHI.
Understanding Business Associate HIPAA Violations
Since the Omnibus Rule went into effect in 2013, business associates have been required to be HIPAA compliant. A business associate is any individual or organization that may encounter protected health information (PHI) on behalf of a covered entity. This can be an IT provider, a law firm, a billing company, or a collection service, to name a few. In this case, MSCS is considered a business associate of Stanford University Hospital.
The Omnibus Rule additionally states that a business associate agreement (BAA) must be executed between a covered entity and a business associate before PHI is shared, exchanged, or transmitted. A BAA outlines what a business associate can and cannot do with the PHI it encounters, how it will protect the information, how it will prevent PHI disclosure, and the appropriate methods for reporting a breach if one occurs.
Lawyers have filed class action lawsuits against Stanford Hospital & Clinics and Multi-Specialty Collection Services, claiming $20 million in damages for failing to implement safeguards to protect patients’ PHI. In response, the hospital terminated its contract with MSCS. Lisa Lapin, Assistant Vice President of Stanford University, spoke out regarding the incident and said, “MSCS bears the complete and sole responsibility for the breach.”
The hospital did not take responsibility for the HIPAA violation itself, but is working towards reducing any damages caused and has notified all patients affected by the incident. The hospital has also confirmed that no credit card details, dates of birth, or Social Security numbers have been exposed in the breach.
This business associate HIPAA violation shows how the incident could have been avoided had the proper security and compliance measures been followed. Business associates should be familiar with the regulations laid down by HIPAA to protect the privacy of patients, and should ensure the necessary controls are in place to keep patients’ data protected.
Simplifying HIPAA Compliance
Compliancy Group offers healthcare professionals and business associates our web-based HIPAA compliance solution, The Guard™. The Guard gives users everything they need to manage all aspects of HIPAA compliance including business associate agreements, vendor audit questionnaires, and annual tracking.
Our team of expert Compliance Coaches™ guides users through the entire process and helps you send out your business associate agreements, identify your vendors, and protect the PHI that you exchange with those vendors. Find out how Compliancy Group can help simplify your compliance so you can confidently run your business!