Business Associates' Liability in Breaches of PHI

Would it surprise you to know that more than half of all breaches (57%) have involved business associates? This is according to a study of recent healthcare breaches. Business associates are third-party vendors that need access to PHI to provide their services to covered entities.

The report examines a total of 538 incidents affecting more than 21.4 million individuals since the interim breach notification rule under the HITECH Act went into effect in August 2009. While the breach data shows improvement year-over-year, we caution against complacency. Clearly, the increase in the number of health providers who conducted HIPAA Security Risk Assessments in 2012 had a positive impact, but continuous and durable security requires continuing investment and effort. It is an ongoing process of vigilance.

In light of the January 25 HIPAA omnibus final rule that holds BAs and subcontractors liable for HIPAA compliance, health providers should not just assume all BAs will comply; they need to be proactive, working closely with their business partners to build a secure "chain of PHI custody."

The lack of encryption on laptops and other portable electronic devices is the root cause of over one-third of PHI breaches (38%). Encryption of portable devices should be more widely implemented and enforced, given the surge in the use of personally owned mobile devices at work. OCR has been encouraged to promulgate a new rule to address this issue.

Personal health records are high-value targets for cybercriminals as they can be exploited for identity theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. Although there has been a relatively low incident rate of hacking among all PHI breaches to date, last year's attack on the Utah Department of Health "may be the canary in the coal mine." Some 780,000 Medicaid and Children's Health Plan records were targeted.

Refer your business associates and their subcontractors to Healthcare Compliance Pros for complete HIPAA compliance training. Then you will know that your business associates and their subcontractors are fully aware of their responsibilities.

If your business associates and their subcontractors are not trained and compliant, it will put your practice at risk for HIPAA violations and penalties!