A new Breach Barometer Special Report: Third Party Breaches, published by Databreaches.net in collaboration with Protenus, highlights that more than 30 percent of patient data breaches are a direct result of third parties. Community physicians, affiliates, and certain vendors often have extensive access to patient data in the electronic health record (EHR). This increase in the number of users who have EHR access creates a huge vulnerability for healthcare systems and a headache for compliance teams. While vendors are often long-time trusted partners, relationships that add a large number of new EHR users or provide vendor employees with access to patient data create significant patient privacy monitoring challenges.
This complexity surrounding third parties, and more specifically business associates, stems from the regulatory framework outlined in the HIPAA Omnibus Rule, which required all covered entities to have Business Associate Agreements (BAAs) in place by September 22, 2014. Business Associate Agreements govern and regulate how ePHI flows between the covered entity and the BA, spelling out what business associates need to do in order to comply with HIPAA requirements. Even so, many business associates still operate without BAAs in place.
Download the full Breach Barometer Special Report: Third-Party Breaches to learn the full impact of how these third-party breaches are affecting healthcare and specific steps hospitals can take to reduce business associate risk and better protect patient privacy.
Key Take-Aways from the Third-Party Breaches Report:
- Third-party breaches affected 4.5 million patients from January through August 2016.
- Third-party breaches occur too often. A month-to-month recap of 2016 shows 60 breach incidents involving third parties.
- Third-party vendor breaches are more frequent than HHS’s Breach Tool suggests. A close reading of HHS’s closing notes for incidents makes clear that BAs and vendors are involved in more incidents than the tool reports.
- 30+ percent of healthcare data breaches are attributable to third-party vendors. HHS can gain better insight into the type of breaches reported by using more accurate labeling in their breach tool.
- 27% more patients per incident are affected when business associates are involved.
Just the Tip of the Iceberg
HHS’s Office for Civil Rights (OCR) has made it clear that it’s not afraid to go after covered entities and their vendor partners for big settlement amounts. This year’s settlement amounts range from the upper hundreds of thousands to millions of dollars. Now is a good time for healthcare organizations to update their privacy monitoring protocols in order to help reduce, if not eliminate, some of the costs associated with a breach.
As with the strategies covered entities use to protect patient information in EHRs, checklists that list the actions a BA should take to prevent a breach aren’t the solution to the problem. As our Breach Barometer Special Report shows, the risks of doing nothing or implementing minimal safeguards pose huge threats to the well-being of covered entities and their BAs. It is essential for healthcare institutions and their partners to focus on, and invest in, collaborative, ongoing, and continuous processes that will protect the institution’s data over time.