There have been many articles written about the risk of a HIPAA breach by business associates (BAs), such as the one reported in Fort Worth on July 11th. A contractor for Texas Health Harris Methodist Hospital Fort Worth failed to destroy hundreds of thousands of records; the breach came to light when former patients’ personal health information turned up in a Dallas park. Texas Health Harris Methodist Hospital Fort Worth said that it is notifying each of the 277,000 patients whose personal information appeared on the decade-old records.
According to Wendell Watson, spokesman for Arlington-based Texas Health Resources:
“The mammoth breach involves about 277,000 records on microfiche from 1980 to 1990. Only patients from the Fort Worth facility are affected. Included were names, addresses, birth dates, health information and, in some cases, Social Security numbers.”
Your Business Associates Must Comply With HIPAA (including your IT provider)
Make sure you’re asking your BAs for proof of HIPAA compliance, so you know they understand how to properly protect patient health information. The following are a few questions to ask all of your BAs:
1. Do you have written and well-known policies and procedures regarding the protection of patient health information?
2. When was your last HIPAA Risk Analysis performed? Can you provide proof of your last risk analysis?
3. Have all of your employees been trained on protecting patient health information? Are your employees who have authorized access to information properly trained?
4. Do you have a response plan in the event of a HIPAA breach? Can you present your plan to us?
These questions will help you determine which vendors take HIPAA seriously and which don’t. When your BA causes a HIPAA breach with your patients’ information, it will be your patients who get notified, and your reputation that will be damaged. Signing a business associate agreement (BAA) with a BA won’t ensure HIPAA compliance. It’s up to you to monitor their compliance.
Ensure Your Business Associates Are Thoroughly Trained On HIPAA Compliance Measures
Covered entities and their business associates are both required to train their employees on HIPAA Security, so there’s no excuse for a HIPAA breach to occur by either party as long as you’re consistently monitoring and managing compliance. If you haven’t done so, train your employees today and ensure your business associates are doing the same.