22 Percent of HIPAA Violations Caused by Business Associates

by Ryan Coyne | Sep 18, 2013

The passing of the Omnibus Rule extended HIPAA’s reach to include business associates of HIPAA-covered bodies and requires them to comply with the same set of standards as the healthcare organizations with which they work.

Business Associates are defined as any organization or individual that is required to work with, view or come into contact with Protected Health Information. This means the providers of hosting or data storage services will now be included under HIPAA and will be required to sign a business agreement that states they will adhere to HIPAA regulations. They will also be subject to financial sanctions if the Department of Health and Human Services locates any non-compliance issues.

The new rule was brought in to ensure patient health data is kept safe and in the case of business associates the alteration in legislation is long overdue. BAs are responsible for the exposure of a considerable amount of patient data and since HIPAA was brought in, BAs have been responsible for 22% of all security breaches according to an analysis of HHS breach reports conducted by Profitable Practice.

The research also found that when business associates have been liable for a security breach, the volume of data exposed is considerable. While 22 percent of HIPAA breaches were caused by BA’s, 48% of the 26.8 million individuals affected by security violations had their data exposed as a result of a BA security weakness.

The new rule makes BAs responsible for their actions – or lack of them – and it should minimize the number of data breaches happening as a result of BAs. BAs are also responsible for any subcontractors they use and must take responsibility for their activities and ensure they too are aware of HIPAA regulations and a BA is completed.

Any business associate that does not believe they have the policies and procedures in place to deal with the new HIPAA regulations should act quickly. It is not too late to become HIPAA compliant, although the deadline for putting in place policies and strategies is fast approaching. Any HIPAA violation or non-compliance issue found after the Sept 23 deadline could result in a financial sanction being issued by the OCR of up to $1.5 million per year, while individual violations now carry a maximum penalty of $50,000 per incident.

If you have any questions about the new regulations and what action needs to be taken you should seek legal guidance from an attorney who specializes in healthcare compliance. A full risk analysis must be completed to decide whether any security risks exist and details of the steps taken to protect data should be fully recorded.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Used in 1000+ Healthcare Organizations and 100+ Universities

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter