Business Associates Are in Healthcare Data Breach Spotlight This Year
The number one source of healthcare data breaches is still lost or stolen unencrypted devices – but you wouldn’t know it from the headlines this year. The two biggest breaches so far in 2013 resulted from improper disposal of records and improper disclosure. And both involved business associates.
Business associates have been involved in about 22% of the more than 600 breaches that have been reported on the Department of Health and Human Services website from September 2009 through August 2013, and breaches during that time period have affected a total of about 22.5 million individuals, according to a health data breach trends analysis by HealthcareInfoSecurity.
With the new HIPAA Omnibus Rule now in effect, the spotlight is shifting from covered entities (healthcare organizations) to business associates. The business associates involved in the two breaches mentioned above, a document shredding vendor in the case of Texas Health Harris Fort Worth hospital and a technology company in the case of the Indiana Family and Social Services Administration, are both liable under HIPAA.
Covered entities should take these headlines as a warning and update their business associate agreements to make it clear that vendors share responsibility for any breach that results from their negligence.
Business associates should examine their security programs and take the following precautions to protect patient information and comply with the new law:
- Encrypt data whenever possible
- Consider cyber insurance to protect your business in the event of a breach
- Employ privacy monitoring tools to prevent breaches caused by internal users
Finally, business associates should consider having an independent risk assessment to identify potential security threats. To learn more about how you can comply with the HIPAA Omnibus Rule, contact me.