August 8th’s New York Times contains an article that details a HIPAA data security breach traced to an outside billing and payment data contractor for the Stanford Hospital in Palo Alto, California. The item that was disclosed was a detailed spreadsheet, prepared by the billing contractor, tracking the emergency room treatment of 20,000 individuals seen at the hospital during a 6-month period in 2009, including their names and diagnosis codes. Somehow, the spreadsheet made its way to a commercial Web site as an example of how to convert data into a bar graph. The site in question, “Student of Fortune,” provides online tutoring and help with homework to students for a fee. The spreadsheet was publicly available in this manner for over a year before a patient brought it to the hospital’s attention. It is not clear how the spreadsheet came to be disclosed in this manner, but the article suggests that the investigation cleared hospital employees of any involvement.
The hospital provided written notification to affected patients of the breach four days after learning it had occurred. This is within the 5-day time period required under California Health and Safety Code § 1280.15, governing health data security breaches occurring at California medical facilities. The hospital also paid for identity theft protection for the affected patients, even though the spreadsheet did not contain Social Security Numbers or other information commonly leading to identity theft. The Times article notes that in an earlier incident involving theft of a laptop from its Children’s Hospital, Stanford had waited 19 days to notify affected patients’ families, and even though no PHI was released in that incident the California Department of Public Health fined the hospital $250,000 for its delay.
Statistics quoted in the article attribute 20 percent of health data security breaches to outside contractors of the health care providers, insurers and other “covered entities” which were HIPAA’s original focus. HIPAA designates outside contractors whose role requires them regularly to maintain or access protected health information (PHI) as “business associates” and requires that they comply with HIPAA privacy rules to the same degree as the covered entity (hospital, insurer, etc.) they work for, and also that they enter into a “business associate agreement” to that effect.
Until recently, business associates’ duties and liability under HIPAA were limited to the written terms of their business associate agreements with covered entities. However, HITECH made business associates individually accountable under HIPAA for the first time. Further, proposed regulations under HITECH extend business associate status to downstream subcontractors of business associates, and require that they enter into written agreements with business associates confirming their duties under HIPAA. This brings within the sweep of HIPAA compliance entities — such as document shredders and other peripheral business vendors and service providers — that prior HIPAA regulations had expressly carved out from compliance duties.
Bottom line: this means a new level of scrutiny must be brought to service agreements between a business associate, on the one hand, and any other entity that could routinely be considered within the “chain of custody” of hard copy documentation or digital data comprising PHI, on the other. A weakness at any point in that chain may result in liability to the business associate and, as occurred in the Stanford Hospital/Student of Fortune matter, to the covered entity itself.