Unfortunately, HIPAA data breaches are increasingly common. Kaiser Permanente, one of the largest healthcare insurance providers in the U.S., recently reported a massive exposure of millions of patient records (Protected Health Information, or PHI). 

This unfortunate event also serves as a learning moment for companies who may not understand how to avoid such unintended consequences.

The Kaiser Permanente Data Breach

This April, the health insurance conglomerate Kaiser began notifying patients and healthcare providers that 13.4 million protected records had been compromised. 

What happened?

The company keeps its cards close to its chest… or at least as much as it can, without violating the Data Breach Notification Rule of HIPAA regulations. Tech news outlets are reporting that Kaiser has shared protected records with third-party advertisers, including some of the biggest companies in the world (Google, Microsoft, and X). 

This unauthorized disclosure of patient records included IP addresses and other personal data that could connect user activity with the Kaiser platform and, accordingly, these advertisers through a tracking code. 

The collected data showed advertisers how these patients moved around the platform, engaged with services, and used the devices. 

The breach seems unintentional, and the company has stated that it has not found any instances where these advertisers used personal information. 

This breach follows other breaches of confidentiality in 2023, where the company sent PHI to outdated mailing addresses (incurring a $450,000 fine) and dumped patient records along with biowaste (incurring a $49 million fine). 

What Does HIPAA Require When Working with Vendors?

HIPAA requires covered entities to ensure that their third-party vendors, also known as business associates, protect the privacy and security of protected health information (PHI) when it is transferred to or handled by these vendors. 

Furthermore, CEs aren’t supposed to share PHI with vendors in non-healthcare-related roles–in this case, advertisers. 

Here are some specific requirements:

1. Business Associate Agreements (BAAs): Covered entities must have a written BAA with each third-party vendor that will have access to PHI. This agreement must detail the permissible uses and disclosures of PHI by the business associate and clearly outline the business associate’s obligations to protect the information.
2. Safeguards: The BAA must require the business associate to implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of PHI. This includes encryption, secure access controls, and regular security assessments.
3. Reporting: Business associates must report to the covered entity any use or disclosure of PHI not provided by their contract, including breaches of unsecured PHI.
4. Compliance with the Security Rule: If a business associate handles electronic PHI (ePHI), they must also comply with the HIPAA Security Rule. This includes ensuring the confidentiality, integrity, and availability of ePHI.
5. Subcontractors: Business associates must also ensure that any subcontractors they engage with who will have access to PHI agree to the same restrictions and conditions that apply to the business associate concerning such information.

How Can Covered Entities Ensure Security with Vendors?

Ensuring third-party vendors maintain proper HIPAA compliance is a crucial responsibility for covered entities. Here are several steps that covered entities can take to help ensure their vendors or business associates comply with HIPAA regulations:

1. Conduct Thorough Due Diligence: Before entering into agreements with vendors, covered entities should assess the vendor’s understanding of HIPAA requirements and ability to comply. This includes reviewing the vendor’s history of HIPAA compliance and security policies, procedures, and practices.
2. Execute a Comprehensive Business Associate Agreement (BAA): As part of the due diligence process, ensure a detailed BAA is in place. This agreement should clearly define what constitutes PHI, the permissible uses and disclosures of PHI, the safeguards that must be in place to protect it, and the actions to be taken in the event of a breach.
3. Regular Audits and Assessments: Covered entities should periodically audit their business associates to ensure compliance. This could involve reviewing security risk assessments and audits conducted by the business associate or even performing their independent audits.
4. Training and Education: Ensure that the vendor provides adequate training to its employees regarding HIPAA compliance. Covered entities might also consider offering or requiring additional training modules specific to their operations and expectations.
5. Incident Response and Breach Notification Procedures: The BAA should include apparent incident and breach reporting procedures. Covered entities need to know how quickly they will be notified of a security incident involving their data and what steps the vendor will take to mitigate the damage.
6. Review and Update BAAs Regularly: Regulatory requirements can evolve, and BAAS must be reviewed regularly and updated to comply with new regulations and changes in business operations.
7. Obtain Proof of Safeguards: Request proof of the safeguards business associates have in place. This might include certifications, results of recent audits, or compliance with other regulatory frameworks that might overlap with HIPAA.
8. Manage and Monitor Access: Ensure business associates only have access to the minimum necessary PHI to perform their job functions. Continuous monitoring of access and activities can help quickly identify and address potential non-compliance.
9. Communication and Collaboration: Maintain open lines of communication with business associates. This encourages timely reporting of potential issues and fosters a collaborative approach to compliance and security.

Of course, the clearest way to maintain separation with vendors is to ensure that important PHI doesn’t end up in their systems. In situations where data collection for processes like marketing coexists with HIPAA-regulated systems, it’s critical to maintain a clear separation between the two.

Keep Your Healthcare-Related Information Safe with Continuum GRC

Continuum GRC is a cloud platform that stays ahead of the curve, including support for all certifications (along with our sister company and assessors, Lazarus Alliance). We provide risk management and compliance support for every major regulation and compliance framework on the market, including:

• FedRAMP
• StateRAMP
• NIST 800-53
• FARS NIST 800-171 & 172
• CMMC
• SOC 1 & SOC 2
• HIPAA
• PCI DSS 4.0
• IRS 1075 & 4812
• COSO SOX
• ISO 27001, ISO 27002, ISO 27005, ISO 27017, ISO 27018, ISO 27701, ISO 22301, ISO 17020, ISO 17021, ISO 17025, ISO 17065, ISO 9001, & ISO 90003
• NIAP Common Criteria
• And dozens more!

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.