Looks like it could be a thing. All business associates (BAs), from super small, like small agency web hosting companies or medical transcriptionists, to large TPAs or data aggregation services, need to pay attention. The recent settlement of Jelly Bean Communications LLC with the Department of Justice – yes, you read that right, the DOJ – under the False Claims Act sets a precedent.
If a small firm like Jelly Bean can be held accountable for the website, hosting, and online application it built and ran for the Covered Entity, Florida Healthy Kids Corporation (FHKC), to offer to FHKC's customers, what does that mean for you?
While $293k may not seem a huge amount to a giant IT Consulting firm, for smaller vendors, it can threaten business viability. Cybersecurity practices are under scrutiny, no matter the size of the organization. Civil cyber-fraud is taken very seriously.
Jelly Bean’s mistake? Well, there are multiple, but start with asserting “HIPAA Compliant hosting” in its invoices while hosting an online children’s Medicaid application. When it became apparent that over 500,000 records had been hacked, FHKC shut down the site. The findings show that Jelly Bean, as a business associate, failed to keep the site’s various apps, plug-ins, and security safeguards updated, yet invoices continued to claim HIPAA compliance. Enter the DOJ and the application of the False Claims Act to the situation.
Traditionally, the buck has stopped with the CEs.
They’re to do their due diligence, not just once, but regularly, with their BA/vendor partners. It is, after all, their customers’ PHI that requires protection from privacy violations. Would a regular security risk analysis have helped detect issues early on? Would a requirement that the BA/vendor provide proof of an independent privacy and security audit have raised a red flag?
Covered Entities, it’s a good idea to remember that there is NO such thing as a HIPAA Certification (see our video short about that here). So any prospective business associate who says “We’re HIPAA compliant” may be so at that exact moment, but HIPAA compliance is an ongoing effort, not a static state of being. Privacy and security compliance is a journey of striving for excellence, with no endpoint. Also, any company that calls itself a “conduit,” doesn’t believe it’s a BA, and so refuses to sign a BAA? Maybe you need to vet some new potential vendors.
Julia Huddleston, Principal Consultant, holds the designation of Certified Information Privacy Manager, Certified Information Privacy Professional, and Certified (HITRUST) CSF Practitioner. Contact her or Kevin Haralson, MBA, CCSFP, CHP and Senior Compliance Analyst, for a full compliance program review, security risk analysis, or to prep for certification via the HITRUST or SOC process. Apgar and Associates, LLC is an authorized HITRUST Readiness Licensee.