The cost of third-party remote access noncompliance: HIPAA edition

It’s no news to healthcare-related organizations that if they handle personal health information (PHI) or electronic personal health information (ePHI), they are required to maintain HIPAA/HITECH compliance. These regulations are stringent, and staying compliant can be difficult. Covered entities find themselves in a difficult position, as their HIPAA compliance is not only dependent on their actions, but on those of their vendors, too. Covered entities tend to deal with many vendors at once, and the risk management of those third parties can prove to be time-consuming and costly. A great way for a vendor to separate themselves from their competitors is by taking steps beyond those legally required to ensure they are compliant and trustworthy of handling PHI/ePHI. On the flip side, vendors with a habit of noncompliance risk a damaged reputation and losses of customers and profits and possible sanctions from the Office of Civil Rights inspector generals.

BAAs are agreements, not guarantees

Third-party vendors, or business associates as they are called in the HITECH Act, are required to sign a business associate agreement (BAA) before being granted access to PHI. But even though BAAs contractually bind vendors to HIPAA compliance, they don’t guarantee vendors’ compliance in practice.

Even with BAAs in place, 56% of provider organizations have experienced a third-party or vendor breach. 

As such, the requirements for vendors extend beyond simple compliance measures. In cases where breaches do occur, business associates are obligated under federal law to disclose details of the incident. The U.S. Department of Health and Human Services (HHS) requires under the Breach Notification Rule that business associates notify their covered entities of any breaches occurring under their watch in a timely manner. Vendors must also adhere to the HIPAA Security Rule, which instructs them to conduct and document security risk analyses of their computers and information systems. Thankfully, the Office of the National Coordinator for Health Information Technology (ONC) provides a useful tool for conducting risk assessments. 

The expectation behind these measures is that covered entities and their business associates are proactive, rather than reactive, when it comes to data security. Unfortunately, many vendors don’t conduct these checks or document their responses regularly, leading to significant breaches and heavy fines. David Rauschendorfer, senior director of CynergisTek’s Security Services Operations, explained the effects of this lack of preparation in 2019. “Vendors lack activities that identify threats as well as the potential business impacts of identified vulnerabilities,” he said, “These high-risk vendors often lack established or formally documented methodologies to prioritize and address identified risks.”

The Office of Civil Rights (OCR) for HHS is responsible for handing down penalties for HIPAA violations, and the severity of their punishments for noncompliance proves just how seriously the government takes PHI/ePHI security. 

Noncompliance fines can be crippling

Penalties for HIPAA noncompliance are broken into four tiers based on the level of perceived negligence found at an organization at the time of the violation.

• First tier: The covered entity did not know and could not have been reasonably expected to know about the breach. Fines of $100-$50,000 per incident, up to $1.5 million.
• Second tier: The covered entity knew, or could have known with proper precautions, about the breach, but did not act with willful neglect. Fines of $1,000-$50,000 per incident, up to $1.5 million.
• Third tier: The covered entity acted with willful neglect but corrected the breach in a timely manner. Fines of $10,000-$50,000 per incident, up to $1.5 million.
• Fourth tier: The covered entity acted with willful neglect and did not correct the breach in a timely manner. Fines of $50,000 per incident, up to $1.5 million.

And don’t forget, there are also criminal penalties of up to 10 years in jail for intentional malicious activity. 

In the worst cases, HIPAA violations can prove disastrous. In 2018, the American Medical Collection Agency (AMCA), a medical bill and debt collector experienced a major data breach. As a vendor with access to PHI, AMCA was beholden to HIPAA regulations, and its noncompliance violations eventually caused the company to file for bankruptcy in 2019. A bankruptcy of this size underscores the seriousness of federal regulations, as well as the consequences for vendors and covered entities that don’t take their security measures seriously. 

Benefits of compliance for vendors

Credibility with covered entities: With so many vendors working for larger health organizations at the same time, it becomes nearly impossible to vet all third-parties responsible for handling PHI and ePHI. As a vendor, if you can vet yourself – and prove it – that could go a long way with establishing your credibility among covered entities. Vendors should have clear procedures in place for how they protect PHI and ePHI, as well as how they identify and anticipate threats and vulnerabilities. These actions and responses should be documented and ready to demonstrate to covered entities who solicit your expertise. By upholding HIPAA compliance rules, you prove that you’re capable of protecting the sensitive data contained within the healthcare industry. As always, when it comes to data security, it is better to be proactive than reactive.  

Patient trust: The worst thing that can happen to a vendor is being found responsible for a data breach. Not only will that vendor lose business and be hit with huge fines, but it will also lose the trust of the patients who trusted the company with its personal information in the first place. Adhering to HIPAA compliance and ensuring robust data security infrastructures are the best ways to protect against breaches and maintain the reputation of your brand as a trustworthy recipient of PHI and ePHI.

Consistent profitability: HIPAA compliance helps protect against breaches, but it also protects against going the way of AMCA. The noncompliance fines can be significant, and they can greatly affect the profitability of any organization found to be in violation. So even if costs associated with staying compliant start to add up, take the long-term view. These costs prove worth the investment when they prevent the kinds of breaches and noncompliance corrective action that can eventually lead to bankruptcy.

Because of the HIPAA regulatory guidelines and the additional requirements found within the HITECH Act, it obviously behooves both covered entities and BAs to regularly ensure their operations are compliant. Download our HIPAA and HITECH overview and use the interactive checklist to determine if your current network setup is in compliance with industry guidelines.