Privacy Data Breaches | The Importance of Assessing Business Associate Privacy Controls
Published On October 7, 2019
Blog Post by Mary Potter, Consultant and Project Delivery Manager at Meditology Services
It’s a typical Monday. An inbox full of emails, a calendar full of appointments and a fresh cup of coffee nearby. The phone rings and it’s a patient calling to report a possible inappropriate disclosure of their information. The patient’s mother is irate that a sensitive diagnosis was revealed in child support discussions. She is certain that the information came from your hospital. After calming the caller, you start your investigation and quickly find out that the breach was likely caused by an employee of your population health vendor.
You reach out to the vendor and learn that the employee is related to the patient’s family and accessed the information out of “concern.” Since the employee was never trained on the appropriate access and disclosure of protected health information, the vendor is not comfortable terminating the employee, but they promise “it will never happen again.” The vendor notified the patient and considers the matter “resolved.”
Far from resolved, the patient’s mother is furious and wants to know why your organization did not ensure that this person knew what she could and could not do before she was given access. She wants to know why your organization does not protect her information. She is not interested in your explanation that it was the vendor’s responsibility; her lawyer will be in touch.
You hang up the phone and take a deep breath. How could this happen? As a covered entity you have a third-party risk assessment program in place. Your team assesses the security controls of vendors during the evaluation process. Contract terms include confidentiality language and you have business associate agreements in place. You believe you have a good program overall, but clearly there is a gap: the security assessment looked at how the vendor protects data from outsiders, not at how the vendor trains, monitors and sanctions the workforce members it authorizes to use that data.
You wonder how many other employees at that vendor (or at other vendors) have been on-boarded quickly and are uneducated in healthcare privacy policies and procedures. Does the vendor monitor employee access? Does it have a strong breach investigation and sanction process? What are its controls over disclosing your patients’ data? How can you find out? How many FTEs will it take to create a privacy assessment process?
Privacy assessments of Business Associates are the answer! Healthcare privacy officers and their staff are often overwhelmed with high-stakes projects. Vetting vendors for privacy compliance requires a team of subject matter experts in the laws and regulations that apply to covered entities and business associates. Meditology Services offers a range of Privacy Services to augment overloaded healthcare privacy staff.
Meditology assesses each Business Associate’s privacy program and reports individually and collectively on vendor privacy compliance and risk. In addition, Meditology’s Privacy Business Associate Inventory and Tracking Service can inventory actual and potential Business Associates from your accounts payable listing, identify missing or out-of-date Business Associate Agreements, and reach out to Business Associates on your behalf to meet Department of Health and Human Services (HHS) requirements.