It is becoming increasingly apparent that Business Associates should be taking their responsibility more seriously than they have in the past.  Although, the past could be in previous years or, for some, just yesterday.  The recent settlement of the class-action lawsuit against Stanford Hospital & Clinic over a PHI breach should provide the impetus to make sure your BAs are following security standards and protecting your data.

The details of the case go back to 2010 when, for nearly a year, a spreadsheet containing PHI of 20,000 patients seen in the emergency room were exposed on a public website.  The breach was not the fault of the hospital staff.  The source was one of their vendors.

• A billing contractor sent the spreadsheet with the PHI in it to a subcontractor whose employee needed help converting the data in the spreadsheet to a bar graph.
• The employee decided to post the file on a website requesting assistance in their assignment.  Not anyone in the office; they asked for help on a site that helps students do their homework.
• A patient found the spreadsheet after it had been out there almost a year and reported it.  Not the BA or the hospital staff but a patient found it.

The hospital and the vendor were completely blind-sided by the notification, I am sure.  The good news is there is no evidence that anything was actually done with the data or that anyone saw it or used it inappropriately.  Bad news is the actions were still completely against the law.

Stanford had a BAA with their vendor who then hired a subcontractor who was responsible for the breach.  Standford is in the clear, right?  Wrong.  Stanford has been dealing with this breach since it was discovered.  Stanford, its business associate, Multi-Specialty Collection Services, LLC and their subcontractor, Corcino & Associates were all named in a class action law suit.  Just a few weeks ago a settlement was announced and is awaiting approval.  The settlement is for $4 million.   The BAs will pay out $3.3 million while the rest is up to Stanford.  Also, how much do you think each of them have spent in legal fees, resources and paperwork over the last 3 years on this one issue?  Especially when you think about the fact that they aren’t done yet!

We help our clients send out a due diligence questionnaire to their BAs (even if you are a BA yourself, you should be doing this).  Often there is push back or concern that this company can’t answer these questions because they are too small.  We explain you must ask because you really don’t know for sure what they are doing, but by asking you will at least get them to provide some assurances.  Otherwise, how do you know whether or not they are hiring lovable, yet accident and mistake prone characters like Gilligan, Gomer and Barney?  Not that they couldn’t do the job, but they better have some great training programs and monitors in place if they do!

Mistakes are made.  Things go wrong.  It is bound to happen.  Either way, CEs are the ones left to sort the mess others have made with your data and your patient’s privacy.  Isn’t it better to ask some hard questions so you know who or what you are dealing with on the other end before that happens?

Yes, I grew up on those old sitcoms and love them all to this day!

Filed under: HIPAA Tagged: Breach Case, Business Associate, Business Associate Agreements, Business Associates, Enforcement, Small Provider