
Who pays for breach notifications? – Ep 457

May 10, 2024

By Donna Grindle

Who’s on the hook for breach notifications in healthcare? Recent cybersecurity incidents like the massive Change Healthcare data breach have left providers scrambling and seeking clarity. The tangled relationships between Covered Entities and Business Associates make it tricky to figure out who is liable, especially when a cyber incident ripples down the vendor chain. That raises big questions about what your Business Associate Agreements actually say and who is responsible for what, so that everyone is ready when a breach hits.


Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


HIPAA Briefs

[04:59] Should I just sign the BAA? No.

If you are not performing services that make you a BA, then you don’t need to sign the BAA. However, you should be prepared to document why you are not a BA.

If you do sign the BAA, you need to understand that it is a legally binding contract, and you should be prepared to meet the obligations under the HIPAA rules for business associates as well as those written into the BAA itself.

That is our briefest brief yet.

405(d) Tip of the Week

[07:34] A new 405(d) Post is out that covers the 5 Year Plan and how to determine your HICP fit. It also shares details from the last Spotlight Webinar, which was on the CISA Priority Telecommunications Services, and includes links to the webinar recording and the slides. These services give priority to communications for personnel who handle mission-critical functions during emergencies, when normal networks are congested. The best part is that they are low to no cost for organizations that qualify.

There are three different parts to the services: wireless (WPS), landline (GETS), and priority repair and installation of critical data and voice circuits (TSP). Check out the links in the show notes, the 405(d) Post, or 405d.hhs.gov.

Who pays for breach notifications?

[14:32] So much of the news in our little niche of a niche of a niche is in some way related to the Change Healthcare cyberattack that it is hard to cover other things we usually share. Some recent news on that front lets us share more on the ongoing impacts along with something we don’t usually discuss as a primary topic. Who pays for a breach notification and other damages from a vendor’s cyber attack?

The MGMA sent a letter to OCR on April 25 specifically requesting a clear statement from OCR on three things.

  1. Responsibility for breach notifications rests solely with Change and United.
  2. Providers that are completely innocent in this unique situation will be spared any regulatory scrutiny.
  3. OCR will ensure that Change and United fulfill the promises they have made in a prompt and transparent manner.

All of those are very important when you consider the AMA report stating that 31% of the physicians they surveyed were unable to make payroll due to delays in claim payments. More than half reported using personal funds to cover practice expenses. That paints a stark contrast with our discussion last week about the pocket change the impact has cost the multibillion dollar corporation. Not one member of their leadership has worried about making payroll, and certainly none has thought they would have to dip into their own pockets to pay the company’s bills. This means little to them in the long haul while it is crushing the ones who are actually trying to provide the care.

As MGMA made clear in their letter, there is little reason to act on the press releases from UnitedHealth Group stating they have offered to make notifications and undertake related administrative requirements on behalf of any provider or customer. While that may be encouraging, MGMA points out that practices have no basis for making business decisions on that word alone. Quoting the letter:

At the same time, no prudent medical group can rely on vague promises in a press release containing no specifics with respect to either timing or implementation. To our knowledge, no MGMA member has actually received from Change or United the promised “offer,” in writing or otherwise.

Physician practices currently face mounting concerns about their own regulatory exposure should United not fulfill these promises to the satisfaction of your office. Further, as more patients become aware of the possible disclosures of their sensitive PHI and PII, they will turn to their providers for information and assurances, neither of which can currently be provided.

Every point is true. All of them should be addressed, hopefully, as they are requesting.

What are the costs involved with breach notifications?

[25:46] There are a lot of costs that are not normally considered. Have you ever tried to mail letters to millions of people? The math includes supplies like paper and envelopes, plus postage, and the work will have to be done by a mailing service, which adds more cost. If you are going to email instead, you still have the cost of confirming you have the right addresses and loading them into a system built to send thousands of messages at a constant clip. What about bounce backs and returned mail? More cost there, too, and not just the re-mailing: if you end up with insufficient or out-of-date contact information for 10 or more people, the Breach Notification Rule requires substitute notice (a conspicuous posting on your website for 90 days or notice in major print or broadcast media, plus a toll-free number that stays active for 90 days), which is its own line item.

There are also costs for the people who write the notice and confirm that it meets the legal requirements, and for handling the onslaught of phone calls and emails that these notices always create.

A lot of people will suggest not including identity theft protection, but I can assure you: do not fail to offer it in your letter. The cost of the people who actually sign up will pale in comparison to the cost of the bad PR and the increase in calls you will get without it.

It is a very expensive endeavor, and there are very few ways to save money in this step that will not cost you even more in the long run. The mailing costs alone can be estimated on the post office website; printing through the post office runs $0.32 to $0.45 per letter. However, you can’t just hand this off like a lawn service mailing. A BAA must be in place with the mailing vendor, because you will be giving them PHI (at minimum, names and addresses tied to a breach of health information) in order to send the letters. That means real security obligations on the vendor’s side, so know right off the bat that you will need to double, triple, or quadruple that number depending on many factors.

Then you have to pay for the postage. Even with the basic numbers on the USPS site, you will spend roughly a dollar per letter just to print and mail in bulk. So plan on $3 to $5 per patient just to get the letters out the door. Not too bad until you start doing the math on 30K, 50K, 100K, and so on: a 100K-record breach is $300K to $500K before the first phone call comes in.

Who decides who pays for breach notifications?

[33:00] It is in your Business Associate Agreement (BAA), and most people have no idea what is in their BAA with Change Healthcare, or with the intermediary BA (a clearinghouse, billing company, or practice management vendor) that contracted with Change on the provider’s behalf. If you are a BA sitting in that chain between a provider and Change, you need to know what your contracts on both sides, with the provider AND with Change, have committed you to do.

The content of your BAA is not a thing to take lightly like so many still do. There are many elements that should be included and may be included in any given contract.

The requirements for things like the list below should be evaluated regularly:

  • Assisting in response and investigation
  • Notifications to patients
  • Notification time limits for both incidents and breaches to your upstream and downstream
  • Indemnification limits
  • Offshoring limits
  • Ability to terminate when the other party isn’t serious about privacy and security
  • Limits on using PHI with AI tools

If you don’t understand all of these requirements, how can you properly manage them in a crisis? One concrete example: the Breach Notification Rule gives a BA up to 60 days after discovery to notify the covered entity, but many BAAs cut that to a matter of days or even hours, and some start the clock at the incident rather than at a confirmed breach. Know which clock you are on before the incident, not after.

In other news

[48:12] One final thing. As we mentioned, there is a lot going on with cyber security requirements across every one of the 16 critical infrastructure sectors. A new memo was released just today and got to us just before recording: the National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22) from the White House. The level of attacks we face every second right now is overwhelming. No matter which of the 16 sectors you work in, we must be asking where they have already gotten in and how we can find them. Someone wants to hack into these systems, do something malicious, steal something important, or both, on a constant basis. We will get a briefing after several other briefings have happened and it finally trickles down to the little people like us. According to our email about it, the memo contains a number of requirements for CISA and the sector risk management agencies (including HHS) to work with the critical sectors on sector risk identification and mitigation efforts. Things have been moving at a rapid clip, so we will let you know what we hear on it. But pay attention; some new things are being discussed. From a quick review, it demands urgency on getting risk assessed and managed, along with information sharing, and there are a lot of "x days for this and x days for that" deadlines in the risk management and mitigation sections.

In the end, navigating the murky waters of breach notifications comes down to getting your BAAs right and knowing who’s responsible for what. Whether you’re a Covered Entity or a Business Associate, it’s crucial to understand your role and ensure everyone’s prepared when a data breach hits. So, double-check those contracts, communicate clearly with your partners, and make sure you’re not left holding the bag when things go sideways.


HIPAA is not about compliance,

it’s about patient care.TM

Special thanks to our sponsors Security First IT and Kardon.
