Business Associate Breach Costs Stanford Hospital $4 Million Dollars

March 24, 2014

Covered entities need to be more diligent in ensuring that their business associates are HIPAA compliant. Just getting them to sign a BA agreement is not enough. Business associates need to provide proof on an ongoing basis that they are HIPAA compliant. In this case, California state law provided a channel for a patient to file a class action lawsuit, which was settled for over $4 million. Based on this type of action, business associates should prepare themselves for a new wave of tighter scrutiny from their covered entities.

Stanford claims that it transferred encrypted data to the business associate, yet obviously the business associate was able to access the data and create a spreadsheet, which in turn was posted to a public website where it sat for over a year in plain view. The judge was probably also influenced by the fact that this was the fifth breach Stanford has had in the last four years, exposing the PHI of over 92,000 patients.

With the millions in HIPAA fines, FTC fines, class action lawsuits, and state fines, it is now clear that the days of easy or non-enforcement of privacy and security laws in healthcare are over. If you want to do business in healthcare, you need to be prepared to show that you are compliant on an ongoing basis. Remember that HHS says that HIPAA compliance is a process, not an event. You need to have a process in place and be documenting your compliance activities in order to protect your company.

Our Prepare/Care services offer this in a cost-effective and efficient manner over the Internet, with a Helper available to support you and a Compliance Meter(tm) to provide the needed proof. Take a look at the appropriate video demonstration or download our Compliance Checklist at www.compliancehelper.com
