Inside A HIPAA Breach

A business associate's breach has a serious ripple effect on one small healthcare provider.

binder of compliance rules and conducts training annually. Attorneys laughed at the provider's binder, Jones said ruefully. Its annual training initiatives and other safeguards did not typically include the formal documentation processes OCR demanded.

"I think we're as well prepared as most practices are but we weren't prepared for what happened here," said Jones.

OCR requires documentation; small practices don't necessarily take attendance for online training sessions, for example, or formally list processes they practice, Gross said. Also, small practices might not have the internal capabilities to verify that business associates comply with the terms of their contracts or fail to address details such as notification timing, he added.

The government gives organizations 60 days after discovery of a breach to notify patients: After a billing company found a breach in its system, it alerted one practice on day 52, giving the healthcare provider only eight days to react, prepare, and share a message with patients, said Gross, discussing other small practices affected by business associate breaches.

"I think you'll get those details if the covered entity or the business associate went to a lawyer, but a lot of these business associate agreements are standard boilerplate business associate agreements, and some of the details are not defined," he said. "A lot of organizations are just signing these documents without knowing what it is, especially on the associate side. I think you're seeing a lot of signatures of business associate agreements without attention to detail."

While still wondering how OCR will penalize his practice after it completes the review, Jones already has learned from this experience, he said. The dental surgery, which stopped working with its first solution provider after finger-pointing began, offered two years of LifeLock monitoring to all 50 affected patients; about half took the service, said Jones. The father of the patient who discovered the breach requested more.

"He wanted 10 years, which we eventually decided to do. And then he signed a letter of understanding and agreed not to pursue any further action against the practice," said Jones. "I can understand some dismay there. I can understand how he felt."

In addition, the practice upgraded all its computers to Windows 8, including the few previously still on Windows XP. It also is working closely with its insurer, attorneys, a local solution provider, and HIPAA Secure Now on the audit and improvements to training, technology, documentation, and practices, and added encryption and vulnerability testing, said Jones. 

The owners of electronic health records aren't necessarily the patients. How much control should they have? Get the new Who Owns Patient Data? issue of InformationWeek Healthcare today.

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing