Are You Responsible for Your Vendor’s HIPAA Breach?

The answer is “yes” if you don’t have a proper HIPAA/HITECH business associate agreement in place.

Health care providers frequently work with vendors, such as third-party billing companies, answering services, shredding companies, and off-site data storage entities, to assist their practices. These vendors often contract with subcontractors to assist in providing services to health care providers. The U.S. Department of Health and Human Services issued its Final Rule on January 25, 2013, which made clear that business associates and subcontractors are directly liable and are required to comply with the HIPAA Privacy, Security, and Enforcement Rules. This rule, however, does not protect the healthcare provider without a proper business associate agreement.

Healthcare providers must ensure that they receive a HIPAA commitment from their business associates to keep the provider's information protected. Business associates must do the same with all subcontractors who handle or use protected health information (PHI). Health care providers must be vigilant in requiring that their business associate agreement allows their practice to inspect the business associate's agreements with subcontractors, to ensure the subcontractors are also required to safeguard PHI.

The Fairfax County, Va. Health Department recently learned this the hard way when its business associate's subcontractor experienced a breach that affected 1,499 patients. "According to Fairfax County's statement, HBS notified Molina that a computer file with 1,499 Bailey's Health Center patients' pharmaceutical records was inadvertently left on an unsecured computer server. It was then accessed by three separate entities on four occasions between Sept. 9, 2013 and Oct. 3, 2013 . . . Among the exposed information were names and addresses of the patients, pharmacy identification numbers of the patients, medication names and dosages, descriptions of medications' National Drug Code, payment information, prescriber's name and address and some patient Social Security numbers." Article.

Health care providers need to work with a HIPAA/HITECH attorney to ensure that their PHI is protected by all vendors and subcontractors. Further, healthcare providers should be wary when a vendor supplies its own version of a business associate agreement. That document must be reviewed to ensure it provides appropriate protection for the healthcare provider.

Tell us how your organization protects its information. Share your ideas with us by clicking on the comment button below. We'd love to hear from you.
