Business Associate Due Diligence: Lessons Learned from AMCA

by Sarah Harvey / July 5th, 2019

In most healthcare settings, third parties are relied upon to provide secure offerings to assist covered entities in providing quality, secure healthcare services. Covered entities ultimately bear the responsibility of validating their third parties' security standards; however, covered entities oftentimes still fall short in ensuring that business associates guard protected health information (PHI) against advancing cybersecurity threats. In one of the most recent cases, Quest Diagnostics, one of the United States’ top blood testing organizations, reported that nearly 12 million of its patients fell victim to a data breach caused by one of its business associates, American Medical Collection Agency (AMCA). What exactly caused this data breach? What lessons can covered entities and their business associates learn from it? Let’s take a look.

What Really Happened with the American Medical Collection Agency Data Breach?

On May 31st, Quest Diagnostics received notice from AMCA that an unauthorized user accessed AMCA’s system containing the personal information of patients from Quest Diagnostics via AMCA’s web payment page between August 1, 2018 and March 30, 2019. According to Quest Diagnostics’ SEC filing against AMCA, the information on AMCA’s compromised system included some financial information, medical information, and other personal information, such as Social Security Numbers, but did not include laboratory test results. LabCorp also used AMCA for collections and likewise suffered a breach affecting almost 8 million patients. Now, Quest Diagnostics, LabCorp, and AMCA are facing lawsuits and investigations from state regulators in at least Michigan, Illinois, New Jersey, and Connecticut.

What Lessons Can We Learn from AMCA’s Data Breach?

While it might seem redundant to continuously focus on the need for efficient third-party risk management, AMCA’s data breach proves that this is still something all healthcare organizations need to take more seriously. When partnering with a third party or business associate, healthcare organizations must perform their due diligence and properly vet the organizations they want to partner with. How can they do this? We’ll give you four key lessons learned from the AMCA data breach.

  1. Breach Notification Matters: All the key players made several potential missteps related to breach notification timing and process. First, there are allegations that AMCA knew about the breach in March 2019 and failed to respond to concerns from cybersecurity analysts until the end of May, while Quest waited two weeks from the date it received notice from AMCA about the breach to make its “public” statement. Second, there is nothing on AMCA’s website, while Quest and LabCorp’s impact became public through SEC filings rather than any notification posted to their corporate websites. These choices are being used as evidence of negligence in class action lawsuits and may violate HIPAA breach notification requirements. Instead, covered entities and business associates must clearly and promptly notify impacted patients within 60 days of breach discovery, and notify the Department of Health and Human Services (within 60 days of the breach discovery) and media when the breach impacts more than 500 patients.
  2. Implement a Formal Risk Assessment Policy: In order to comply with HIPAA Privacy and Security Rules, covered entities and business associates must conduct a risk assessment. By doing so, organizations can ensure that they have identified, assessed, and prioritized organizational risk and have proactively worked to mitigate any potential vulnerabilities in their system. Online payment processes, like the web portal used by AMCA, should be considered particularly sensitive to security threats and therefore given great consideration.
  3. Understand Shared Risk: When working with a business associate, covered entities must understand that when they share their patients’ PHI with a vendor, it’s not solely up to the vendor to protect that information. In this case, Quest used Optum 360, another billing service provider, to partner with AMCA, so there are multiple layers of shared risk.
  4. Undergo Quality, Thorough Information Security Audits: In many instances, organizations view information security audits as an item to check off a to-do list, or worse, they don’t see it as a valuable investment. If your healthcare organization is committed to delivering quality, secure healthcare services, how exactly can you guarantee that you’ll do this? Undergoing thorough information security audits, like those performed by KirkpatrickPrice, can help your organization ensure that you’re able to deliver quality, secure healthcare services by evaluating the effectiveness of your internal controls and your business associates’ internal controls.

When your patients entrust you with their personal information, especially their PHI, it’s your responsibility to make sure that it remains secure. This includes performing your due diligence when partnering with business associates and validating that your vendors will do everything they can to keep PHI secure. Are you sure your business associates are performing their due diligence? How are you staying on top of your vendors’ compliance efforts? Contact us today to learn more about KirkpatrickPrice’s services and how they can help you ensure that you’re able to deliver the quality, secure healthcare services that your patients deserve.
