This episode demonstrates the need for well-designed Business Associate Agreements.
The state of California works with IBM for disaster recovery services. A set of data cartridges was shipped to the IBM facility in Boulder, Colorado, to test IBM's ability to run the software remotely. This is an important aspect of any HIPAA plan: disaster recovery, and testing of the disaster recovery plan.
California contracted with Iron Mountain for secure transportation of these data cartridges, and with IBM for the disaster recovery solution. So the state of California needs to have Business Associate Agreements with both Iron Mountain and IBM. Iron Mountain used FedEx to actually ship the data cartridges.
Important takeaway points from this:
1 - California does not have a relationship with FedEx for this purpose, so it is not required to have a BAA with FedEx.
2 - Iron Mountain should be required, per the terms of its BAA with the state of California, to ensure that the business partners it works with take the same care with patient data that Iron Mountain itself is required to take.
3 - The data cartridges never made it to their intended destination.
According to the news reports, these cartridges were lost in transit while in the possession of FedEx. When push comes to shove, responsibility for this loss of patient data rests squarely on the shoulders of the State of California. The wording of its Business Associate Agreement with Iron Mountain will be very important in determining who is responsible for any financial implications of the data loss.
When this type of event occurs, it is a wake-up call for each of us to look at our internal processes and at the processes, policies and procedures of any company we entrust with patient data.