As a BA of Hospitals, Law Firm Settles HIPAA Case Over Attack That Exposed Patient Data

By Nina Youngstrom

A New York City law firm that’s a business associate (BA) of its hospital clients has agreed to pay $200,000 in an agreement with the New York State Office of Attorney General (OAG) over alleged violations of HIPAA and New York state business law.[1]

The law firm, Heidell, Pittoni, Murphy & Bach LLP (HPMB), which represents hospitals and hospital networks in litigation, is also required to implement reforms. They include appointing a chief information security officer, encrypting data and patching software in the context of maintaining an information security program.

The OAG alleged the law firm’s “poor data security measures made it vulnerable to a 2021 data breach that compromised the private information of approximately 114,000 patients.” For example, the law firm left its server vulnerable to attack by failing to timely apply Microsoft software patches when they were released in the spring of 2021, according to the Assurance of Discontinuance, which has the OAG’s investigative findings and the relief agreed to by the law firm.[2]

“Third-party vendors are really where health care organizations, such as hospitals and health systems, are vulnerable,” said Walter Johnson, assistant privacy officer at Inova Health System in Fairfax, Virginia. A small or midsize BA “doing a heavy lift for a specific area for the covered entity is an easy target for threat actors. Any gap identified by threat actors allows them a back door to the covered entity.” Johnson noted that some covered entities (CEs) are requiring BAs to cover the costs associated with a breach they’re responsible for. Their business associate agreements (BAAs) would include a liability provision to that effect.

As fiduciaries, law firms, accounting firms and some benefit vendors have a higher threshold for protecting client data, said attorney Iliana Peters, former acting deputy director of the HHS Office for Civil Rights. “A fiduciary has additional obligations to their clients—many of them ethical—to protect the best interests of their clients. They are entities with their own ethics and other compliance obligations besides requirements pursuant to HIPAA and any state law that might be applicable,” said Peters, with Polsinelli in Washington, D.C. She said hospitals have a different relationship with a fiduciary than they do with other types of BAs, such as software vendors. “Some software vendors or other infrastructure vendors may only be concerned with their business. Many of them are very good data stewards but some are not.” In theory, covered entities have less to worry about when data is in the hands of fiduciaries because “there are fewer concerns about redisclosure versus other vendors who might specialize in, for example, artificial intelligence, social media or other software technologies” and possibly reuse or sell aggregated and anonymized data, Peters said.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings