07-31-12 | Blog Post
Oops, I made a mistake
The recent settlement between Accretive Health and the State of Minnesota is one more domino in the growing parade of breach casualties. What makes this case odd is the simultaneous insistence of no wrongdoing or liability, the resignation of their controller and the fact that ePHI (electronic protected health information) was left on a portable device in an employee’s car with no encryption.
No admission of liability
The phrase that keeps dancing through my mind is from the latest kids’ mobile app I made the mistake of downloading onto my phone. My daughter’s favorite snippet is a cheery little song that highlights “Oops, I made a mistake” roughly 50 times within a single 3 minute clip.
The Organizational Requirements of the HIPAA Security Rule defined in 164.504(e) requires contracts between Covered Entities (CEs) and Business Associates (BAs) to extend the chain-of-trust for the explicit purpose of protecting health information. So how can there be no liability if a laptop with unprotected ePHI was left in a vehicle and stolen? One or more of the following must have happened:
In all of the cases above, there is liability on the part of the CE, the BA, and the patient. How can a major healthcare vendor state that it has no liability to protect PHI? Without accepting responsibility or owning liability, how do you improve protections? And who pays a $2.5 MILLION settlement for not doing anything wrong? It’s a terrible example for both CEs and BAs to set to allow this “no liability” myth to pervade the industry.
Maybe Spiderman said it best: “With great power comes great responsibility.”
Hey, if a comic book character can figure it out, I think we should be able to say “Oops, I made a mistake” and then entertain changing our perspective.
CEs, please do:
BAs, please do:
If you have any questions about your responsibilities under the HIPAA Security Rule, please contact a qualified HIPAA legal counsel or a HIPAA security specialist.
References from the HIPAA security rule:
The Privacy Rule allows covered providers and health plans to disclose protected health information to these “business associates” if the providers or plans obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.
General Provision. The Privacy Rule requires that a covered entity obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. The satisfactory assurances must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate.
(e)(1) Standard: Business associate contracts. (i) The contract or other arrangement between the covered entity and the business associate required by §164.502(e)(2) must meet the requirements of paragraph (e)(2) or (e)(3) of this section, as applicable.
(ii) A covered entity is not in compliance with the standards in §164.502(e) and paragraph (e) o this section, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to
cure the breach or end the violation, as applicable, and, if such steps were unsuccessful:
(A) Terminated the contract or arrangement, if feasible; or
(B) If termination is not feasible, reported the problem to the Secretary.
(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:
(i) Establish the permitted and required uses and disclosures of such information by the business associate.
The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity,
(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and
(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.
(ii) Provide that the business associate will:
(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;
(B) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;
(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;
(D) Ensure that any agents, including a subcontractor, to whom it provides protected health information received from, or created or received by the business associate on behalf of, the
covered entity agrees to the same restrictions and conditions that apply to the business associate with respect to such information.
April Sage, CPHIMS, Director Healthcare Vertical, Online Tech
April Sage has been involved in the IT industry for over two decades, initially founding a technology vocational program. In 2000, April founded a bioinformatics company that supported biotech, pharma, and bioinformatic companies in the development of research portals, drug discovery search engines, and other software systems.
Since then, April has been involved in the development and implementation of online business plans and integrated marketing strategies across insurance, legal, entertainment, and retail industries until her current position as Director Healthcare Vertical of Online Tech.
Five Questions to Ask Your HIPAA Hosting Provider
Online Tech’s BAA Breach Notification Clause
In the Wake of a Healthcare Data Breach
Healthcare Organizations: Seeking a Cloud Provider? BAAs Required