Will HITECH Enforcement Become Just a Monitoring Bracelet for Business Associates?
- Date: 16 August 2010
- Author: broyer
- Category: data privacy, HIPAA, HITECH, News
While the HITECH Act sits strategically in the wheelhouse of PHI compliance, the business associates to whom enforcement is entrusted are striking out every time they come to bat, resulting in patient records continuing to be compromised. Consider the following:
- New York’s Lincoln Medical and Mental Health Center recently notified patients that their personal health information may have been exposed after seven CDs full of unencrypted data (the equivalent of 130,495 patient records) were “FedExed” by a hospital contractor (a Business Associate, or BA, under the provisions of the HITECH Act) and then lost in transit. The data included “sensitive” health and personal information including Social Security numbers, addresses, dates of birth, health plan numbers, and even, yes even, detailed descriptions of medical procedures.
- As reported by eSecurityPlanet, what’s being called a “sloppy website upgrade” is being blamed for a data breach that left sensitive personal information of more than 230,000 Anthem Blue Cross members exposed for more than five months. Turns out the corporate website had been refreshed by a third-party (BA) vendor who failed to secure sections of the site to ensure visitors couldn’t access members’ medical records and Social Security numbers.
And these examples are probably just the tip of the obligatory iceberg; in other words, the ones that are actually getting media attention. A deeper dive below the surface would undoubtedly show more cracks up and down the BA compliance construct, just as the HIPAA HITECH regulations are finally (and mercifully) coming online.
If the HITECH Act is going to work as prescribed, those providers, or covered entities (CEs), need to ensure that the Business Associates they hire for third-party initiatives comply with all facets of the Act. As Sharon Roberts, RPh, PharmD, JD, states, “Any entity that comes into possession of PHI, even indirectly or temporarily, for example, in the course of conducting due diligence in connection with a proposed acquisition, financing or underwriting, could have legal responsibilities under HIPAA and the HITECH Act.”
If Business Associates really are the Achilles’ heel of Covered Entities’ compliance with the HITECH Act, enforcement can’t be the equivalent of an ankle monitoring bracelet, one that deftly identifies the individual but fails to govern their actions.