HIPAA Business Associate Agreement - Real Protection Against Reputation Loss?

A recent breach at Connally Memorial Medical Center in Texas was caused by an individual who lost a laptop that had PHI on an unencrypted drive. The individual was not employed by the hospital, but rather by a business partner or in HIPAA parlance, a business associate . The resolution to the incident was for Connally to update their business associate agreement.  But does a business associate agreement protect an organization from damage to their reputation?

HIPAA defines a business associate as:

"a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information."

In the breach at the medical center, the business associate was by definition not an employee of the medical center, but rather someone working for an organization that provided services to the center and had access to protected health information. As most healthcare organizations do, there was a business associate agreement in place between the medical center and the business associate that covered expectations for how to handle protected health information.  There is a great article on misconceptions about business associate agreements here.

With the agreement in place, was the medical center covered? Apparently, the agreement did not contain a clause requiring that all ePHI be stored on encrypted devices. Hence in looking to determine the root cause to the breach, one resolution by the medical center was "updating its business associate agreement to include a requirement for the use of encryption on all portable devices."  This makes total sense.  But does this really protect the medical center going forward?

From a compliance standpoint, yes. But from a reputation standpoint, no.  Assume, for example, that the business associate agreement had actually been in place with the requirement for encryption prior to the breach.  If the business associate did not follow that requirement, the headline would have been the same and Connally Memorial would still be reporting a breach.  The only difference would be their legal standing over the breach.  Neither patients nor the press care about a healthcare providers internal business dealings. All they know is their health care information was entrusted to the provider, and the expectation is that it will be protected whomever the provider employs or uses to provide services.

So while an updated business associate agreement legally provides protection, actually making sure your ePHI is stored, transferred and accessed correctly is the only way to protect an organization's reputation. Actual enforcement of ePHI integrity standards will take new types of IT applications.  Tausight is is busy working on this and other challenges in Healthcare IT.