MDF Transcription Services, a Business Associate of Boston Medical Center (BMC), has been terminated after a HIPAA breach exposed the private data of roughly 15,000 patients when their information was posted on an unsecured transcription website.
The breach was not discovered by the hospital but by a different healthcare provider, who noticed that the information was openly accessible on the website. According to a statement provided to Security Media Group, Boston Medical Center was notified of the error on March 4, 2014.
As soon as the error was reported, the medical center acted swiftly and contacted its Business Associate to secure the data. According to the statement, BMC "instantly informed MDF and its subcontractors of this mistake and the website was deleted from the Internet within a day. We take our obligation to maintain our patients' secrecy extremely seriously and have alerted all people who were affected by this vendor mistake."
It is not yet clear how long the data was exposed on the website before it was taken down, so the degree of risk to the affected patients cannot yet be assessed. The hospital, together with its Business Associate and the subcontractors involved, is now attempting to determine the exposure window.
MDF is used by many physicians at the hospital to transcribe clinical notes. The data, which included names, addresses, prescriptions and medical information, was sent to MDF, which transcribed it and posted the transcribed notes on a company website where physicians could retrieve them.
The company had been used by the hospital for many years without incident or any earlier HIPAA violation. Previously, all data on the site had been password protected, preventing unauthorized access. In this instance, the data was uploaded to the website without any password protection, so anyone who reached the site could have read the PHI contained in the transcribed reports.
According to the statement issued by Boston Medical Center, "BMC has thorough contracting standards in position to defend patient secrecy and any business that works with BMC should be in full conformity with those standards." Because the company breached those standards, the terms of the medical center's Business Associate Agreement left BMC no choice but to end its relationship with MDF.
HIPAA Compliance Is a Challenge for Many Transcription Businesses
One problem transcription services face is doing the work with rising operational costs and limited resources. A common way to cut costs is to subcontract the work. There is a large pool of people outside the U.S. who offer cut-price transcription through online freelancer portals such as Upwork.
Protected Health Information is shared with these workers, who perform the jobs as requested and then email the results or post the transcribed data on websites. Unfortunately, these channels are often unsecured and lack the safeguards HIPAA requires. It is not clear whether MDF itself or one of its subcontractors was responsible for the exposure, or whether subcontracting played any part in it.
Business Associates Are Liable for Their Actions Under HIPAA
Since the introduction of the Omnibus Rule, Business Associates of healthcare providers can be held directly liable for HIPAA violations that expose Protected Health Information. The Office for Civil Rights can impose financial penalties of up to $1.5 million per violation category, per calendar year. Boston Medical Center could also face a penalty if it is found not to have exercised adequate oversight of its Business Associates.
HIPAA covered entities must ensure that all of their Business Associates are made aware of their responsibilities under HIPAA and have agreed, in a signed Business Associate Agreement, to comply with the Privacy and Security Rules. If BMC is found not to have informed MDF of its obligations, or if a current, executed Business Associate Agreement was not in place, BMC could likewise be penalized.
Even with a Business Associate Agreement in place, there is no guarantee that HIPAA Rules will be followed, so it is up to the healthcare provider to carry out its own checks to confirm that its Business Associates remain HIPAA compliant.
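The failure mode described above (transcribed notes uploaded to a vendor site with no password protection) is one that a covered entity can test for directly rather than trusting the BAA. The following is an added example written for this article, not code from BMC, MDF or any party named here: it stands up two throwaway local web servers, one that hands out a constructed sample note to anyone and one that demands HTTP Basic credentials, and runs the same anonymous-access check against both. The note content, the URL path, and the credentials are all assumptions for the demo.

```python
import base64
import hmac
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import ProxyHandler, Request, build_opener

# Constructed sample standing in for a transcribed note; not real patient data.
SAMPLE_NOTE = b"Visit note (constructed sample): patient J. Doe, Rx lisinopril 10 mg\n"
USER, PASSWORD = "clinician", "correct horse battery staple"  # assumed demo credentials

# Opener that ignores any http_proxy environment so the loopback checks stay local.
_opener = build_opener(ProxyHandler({}))


class OpenPortal(BaseHTTPRequestHandler):
    """The misconfiguration in the article: every GET returns the note, no credentials asked."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(SAMPLE_NOTE)

    def log_message(self, *args):  # keep the demo quiet
        pass


class ProtectedPortal(OpenPortal):
    """Same content, but an anonymous request gets a 401 and an auth challenge."""

    _expected = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()

    def do_GET(self):
        presented = self.headers.get("Authorization", "")
        # Constant-time comparison so the check itself leaks nothing about the credential.
        if not hmac.compare_digest(presented, self._expected):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="transcription"')
            self.end_headers()
            return
        super().do_GET()


def serve(handler):
    """Start a throwaway server on a free loopback port; returns (server, note URL)."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/notes/visit-001.txt"


def unauthenticated_status(url, timeout=5):
    """Classify what an anonymous GET of url receives.

    'exposed'   : 2xx with a body, i.e. anyone who finds the URL can read it
    'protected' : 401 or 403, the server refused without credentials
    'error'     : no usable HTTP answer (refused connection, DNS failure, timeout)
    Caveat: a site that redirects anonymous users to a login page also returns 2xx,
    so follow up such hits by inspecting the body rather than trusting the status code.
    """
    try:
        with _opener.open(Request(url), timeout=timeout):
            return "exposed"
    except HTTPError as err:
        return "protected" if err.code in (401, 403) else "error"
    except URLError:
        return "error"


def fetch_with_credentials(url, user, password, timeout=5):
    """Confirm the protected endpoint still serves the intended user."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = Request(url, headers={"Authorization": "Basic " + token})
    with _opener.open(req, timeout=timeout) as resp:
        return resp.read()


def demo():
    """Run the anonymous-access check against both portals; returns each verdict."""
    results = {}
    for name, handler in (("open", OpenPortal), ("protected", ProtectedPortal)):
        srv, url = serve(handler)
        try:
            results[name] = unauthenticated_status(url)
            if name == "protected":
                assert fetch_with_credentials(url, USER, PASSWORD) == SAMPLE_NOTE
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    print(demo())  # {'open': 'exposed', 'protected': 'protected'}
```

Pointed at a real vendor portal, `unauthenticated_status` is the check to run from a host that holds no session or cookie, before go-live and on a schedule afterwards; a 2xx is a finding to escalate the same day. Basic authentication is used here only because it is the smallest mechanism that makes the contrast visible; on a real site it belongs behind TLS and is a floor, not a recommendation.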