This blog series has been following breaches of Protected Health Information (“PHI”) that have been reported on the list (the “HHS List”) posted by the U.S. Department of Health and Human Services (“HHS”) that reports breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). Four months ago a blog posting in this series did some analysis as to the extent to which such List Breaches are being reported by covered entities (“CEs”) as attributable to events involving business associates (“BAs”). 

A December 2, 2011 article in MedPage Today by Cole Petrochko reported on a survey conducted by the Ponemon Institute (the “Survey”) that was conducted based on "interviews with senior-level staff at 72 healthcare organizations regarding data loss and theft experiences at their facilities. Sites included parent holding companies of healthcare organizations, parts of a healthcare network, and individual hospitals or clinics."


This interesting Survey acknowledged that it had a number of limiting factors, including self-reporting from only 14% of the organizations, mostly larger-sized groups, that were contacted by the Ponemon Institute to participate in the interview process. It is therefore likely that data derived from the HHS List is more reliable in light of the adverse consequences and penalties that can be incurred by a CE from inaccurately reporting in writing to HHS. Nonetheless, according to the Survey, "two out of five respondents (41%) blamed data breaches on employee negligence — not following data-handling procedures, sloppy mistakes, and using unsecure electronic devices — and 49% reported lost or stolen devices. Third-party errors were responsible for 46% of breaches."  [Emphasis supplied.]


It is not clear that the incidents involving “third-party errors” in the Survey are coincident with events that would have been reportable as involving BAs had they been on the HHS List. Moreover, the Survey covered institutional healthcare providers only and not other types of CEs such as insurers, government agencies and individual physicians and physician practice groups. However, the Survey results as to third party errors mirror to some extent the proportion of reported BA involvement with respect to the largest of the List Breaches on the HHS List as of December 2, 2011. 


As of that date, only 83 of the total of 372 List Breaches (22.3%) reportedly involved BAs of the reporting CEs.


This overall amount is far lower than the 46% of breaches that was attributable to third-party errors in the Survey. However, further analysis of the HHS List as of December 2, 2011 reveals the following information that more closely parallels the Survey at higher numbers of involved individuals:


•   3 of the 6 List Breaches (50%) that affected 1,000,000 or more individuals reportedly involved BAs of the reporting CEs.


•   13 of the 29 List Breaches (44.8%) that affected between 30,000 and 999,999 individuals reportedly involved BAs of the reporting CEs.


•   14 of the 47 List Breaches (29.8%) that affected between 10,000 and 29,999 individuals reportedly involved BAs of the reporting CEs.


•   53 of the 290 List Breaches (18.3%) that affected between 500 and 9,999 individuals reportedly involved BAs of the reporting CEs.


While the foregoing review is only a snapshot of the HHS List as of a given date, the review would indicate that, as the size of a List Breach increases, it is more likely that involvement of a BA will be reported. However, the overwhelming proportion of List Breaches (77.7%) on the HHS List that affected fewer than 10,000 individuals have reported no involvement of a BA. 


More data will be required before the impact of BA involvement in smaller and larger List Breaches becomes clearer.  However, there are indications that the larger the List Breach that is reported by a CE, the greater the likelihood that it will involve an alleged BA.