Are You Responsible for Your Vendor’s HIPAA Breach?

The answer is “yes” if you don’t have a proper HIPAA/HITECH business associate agreement in place.

Health care providers frequently work with vendors–such as third party billing companies, answering services, shredding companies, and off-sight data storage entities–to assist the practices.  These vendors often contract with subcontractors to assist in providing services to health care providers.  The U.S. Department of Health and Human Services issued its Final Rule on January 25, 2013, which detailed that business associates and subcontractors are directly liable and are required to comply with HIPAA Privacy, Security, and Enforcement Rule.  This rule, however, does not protect the healthcare provider without a proper business associate agreement.

Healthcare providers must ensure that they receive a HIPAA committment from their business associates to keep its information protected.  Business associates must do the same with all subcontractors who handle or use protected health information (PHI).  Health care providers must be vigilant in requiring that their business associate agreement allow their practice to inspect business associate’s agreements with subcontractors to ensure the subcontractors are also required to safeguard PHI.

Fairfax County, Va. Health Department recently had to learn the hard way when it’s business associate’s subcontractor experienced a breach that affected 1,499 patients.  “According to Fairfax County’s statement, HBS notified Molina that a computer file with 1,499 Bailey’s Health Center patients’ pharmaceutical records was inadvertently left on an unsecured computer server. It was then accessed by three separate entities on four occasions between Sept. 9, 2013 and Oct. 3, 2013 . . . Among the exposed information were names and addresses of the patients, pharmacy identification numbers of the patients, medication names and dosages, descriptions of medications’ National Drug Code, payment information, prescriber’s name and address and some patient Social Security numbers.” Article.

Health care providers need to work with a HIPAA/HITECH attorney  to ensure that their PHI is protected by all vendors and subcontractors.  Further, healthcare providers should be wary when their vendors provide the healthcare provider with the vendor’s version of its own business associate agreement.  The document must be reviewed to ensure appropriate protection for the healthcare provider.

Tell us how your organization protects its information?   Share your ideas with us by clicking on the comment button below.  We’d love to hear from you.

Get “News You Can Use” delivered directly to your e-mail inbox. Click here to Subscribe.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.