Health IT Law Track: Know your partners' security policies

By Gus Venditto

Protecting your hospital’s data is no longer just about managing the systems inside your enterprise. Changes being considered in federal privacy regulations are prompting the legal counsel at many hospitals to begin looking at the security policies of contractors and even sub-contractors.

“Suddenly everyone is very interested in whether their business associates are complying with all security requirements,” said Kathryn Coburn, who practices law with Cooke Kobrick & Wu LLP.

She spoke on a panel at the Health IT Law Track at HIMSS14, which was presented by HIMSS Media in partnership with the American Bar Association Section of Science and Technology.

“What we find is employers give their employees very little instruction in order to protect their information, and suddenly covered entities are requesting information from their contractors as to what security is in place and what backup is available.”

The source of this new interest in the policies of partners stems from recommendations by the HIT Policy Committee Privacy and Security Tiger Team in December 2013. The recommendations expanded the definition of business associate to include responsibility (and liability) “downstream” to all subcontractors, who may be responsible for the tracking and disclosure of PHI (personal health information).

Clarification of the rules will come eventually. Until it does, hospitals and physician practices should be preparing their departments for a change that will assign them some responsibility for data breaches caused by partners. This has special meaning for IT departments exploring the cost savings they can gain from cloud storage.

Arthur Peabody, Jr., Lead Medicare Counsel for BlueCross BlueShield Association, told the audience that “security auditors are a practical necessity for most HIPAA covered entities before they deliver their PHI to cloud service providers (CSPs).” He added: “Third party security auditors are not required by law or regulation but may offer the only protection for a covered entity to verify the security policies and procedures of cloud service providers that offer web based SaaS.”

Peter Laughlin, counsel at Morrison & Foerster LLP, told the audience that there are still many risks taken by hospitals that are well within their control. For example, “data from infusion pumps are zipping around the hospital wirelessly and we all know that we should encrypt that information. But there are always some who are slow learners.”

Another source of risk is the hard disks used to store data on medication delivery systems. Many of those storage devices are leased. When that equipment is returned, the data may have been erased, “but how many hospitals think to wipe that hard drive before they return it?” asked Laughlin.

The growing risk from data breaches was noted by Lucy Thomson, principal with Livingston, PLC and Past Chair of the ABA Section of Science & Technology Law. Over the last five years, the number of data breaches reported by the healthcare sector has grown at such a rapid rate that it now surpasses the retail industry as the leading sector within the United States. In 2009, healthcare accounted for only 14% of all data breaches while retail had 41%. In 2013, healthcare's share increased to 43% of all reported breaches, surpassing the retail sector at 34%.