Business Associate Fired for HIPAA Breach

May 1, 2014

A HIPAA breach involving the posting of information about 15,000 Boston Medical Center patients on a transcription firm's unsecured website serves as a reminder of the importance of monitoring the security practices of all business associates.

Every business associate should read this article at www.healthcareinfosecurity.com, not only to see what happened to this transcription company but also to get an insight into the possible repercussions for all business associates. I guarantee that every covered entity that uses a transcription service will, upon reading this article, start wondering about the HIPAA compliance level of their transcription companies and, from there, all of their business associates.

Covered entities are becoming aware of the potential liability of sharing their PHI with business associates. More patient records have been breached by business associates than by covered entities. To protect themselves, covered entities are adding indemnification clauses to their business associate agreements, taking out cyber insurance, and beginning to monitor their business associates. The methods for monitoring business associates vary but often include sending out surveys and requesting copies of HIPAA compliance materials such as risk assessments and policies and procedures. In some cases they may also do on-site audits.

Our privacy and security partner Rebecca Herold worked for a health insurance company that had her audit over 200 business associates. Only a handful, mostly larger companies, were completely compliant, while many of the smaller companies were almost totally ignorant of their responsibilities. This is even more important today because under the HIPAA Omnibus Rule, which became effective on September 23, 2013, the business associate is required to meet the same HIPAA standards as the covered entities.

Answering a survey would require the least amount of work on the part of the business associate, but it is important to realize that you are now committed to your answers. If at some later point it is determined that you falsely attested, the consequences could be considerable. Getting a request for documents, or what is called a "desk audit", requires more work: finding the documents, making sure that they are up-to-date, copying and sending them. A worse scenario is that you don't have documents that have been updated to meet the standards in the HIPAA Omnibus Rule, which went into effect on September 23, 2013. And of course the worst case is that you don't have written policies and procedures or a HIPAA risk assessment at all.

With inexpensive, easy-to-use tools such as our Prepare/Care programs, there is no excuse for not being compliant and being able to prove it. Take a look at www.compliancehelper.com, download a HIPAA compliance checklist, watch a video, and sign up.
