A Boston Business Associate HIPAA breach has been reported by Boston Medical Center (BMC) after one of its vendors inadvertently posted confidential healthcare data on an insecure website.
The Business Associate responsible for the breach was MDF Transcription Services, which was contracted by BMC to transcribe the note of doctors into digital records. The Business Associate was therefore required to come into contact with Protected Health Information (PHI) and was required to sign a Business Associate Agreement with BMC confirming that the HIPAA Privacy, Security and Breach Notification Rules would be upheld and that the organization would comply with all HIPAA regulations covering the safeguarding of PHI.
Part of the responsibilities of the transcription company was to ensure that the PHI it was provided with was kept secure at all times, and technical, administrative and physical safeguards adopted in line with the HIPAA Security Rule. However, an error was made by a member of the Business Associate’s staff which resulted in confidential data being posted in an insecure and unprotected folder on the company’s website.
Without any safeguards to protect that data, patient health information could potentially have been viewed by any number of unauthorized individuals. The data uploaded to the site included the PHI from as many as 15,000 patients. The error was not discovered by the healthcare provider or the Business Associate, but another healthcare provider who visited the website and noticed the data had been incorrectly posted.
When the Business Associate HIPAA breach report was received by BMC, an investigation was launched and the Business Associate was contacted immediately to ensure that the data was removed. All patient information has now been secured; although at this point in time the investigators have not been able to determine when the error was made and therefore how long the data had been freely available via the MDF website.
BMC is currently still investigating the vendor HIPAA breach, but has taken the decision to terminate its contract with MDF Transcription Services. According to a statement released by BMC, “BMC has rigorous contracting standards in place to protect patient privacy and any organization that works with BMC must be in full compliance with those standards; however, since the company breached those standards, in accordance with the medical center’s Business Associate terms and conditions, it was given no choice but to terminate the relationship with MDF.”
Since the introduction of the Omnibus Rule in 2013, Business Associates can be held directly liable for data breaches that expose Protected Health Information. The Office for Civil Rights – and state Attorney Generals – may take an interest and in the breach and could potentially issue fines to MDF for the HIPAA violation.
A simple administration error has potential to expose a considerable volume of healthcare data, yet these mistakes can all too easily be made. Human error must be given full consideration in a risk analysis and procedures and policies must be developed to reduce the risk of mistakes being made. Training the staff goes a long way to make sure that tasks are conducted with care.
However, while covered entities can control their own staff and ensure that training is provided, they do not have the same controls over BAs. All Business Associates must therefore be thoroughly vetted before a contract is offered to make sure that the BA really is HIPAA-compliant and will adhere to the same strict security standards as the healthcare provider.
Not all HIPAA breaches can be avoided, but by exercising proper due diligence before selecting a Business Associate and ensuring that a full and comprehensive BAA is prepared, a Business Associate HIPAA breach may be able to be avoided.