Business Associates Responsible for 22 Percent of HIPAA Violations

The introduction of the Omnibus Rule extended HIPAA’s reach to include business associates of HIPAA-covered entities and requires them to adhere to the same set of standards as the healthcare organizations with which they do business.

Business Associates are classed as any organization or individual that is required to handle, view or come into contact with Protected Health Information. This means the providers of hosting or data storage services will now be covered under HIPAA and will be required to sign a business agreement that stipulates they will abide by HIPAA regulations. They will also be subject to financial penalties if the Department of Health and Human Services discovers any non-compliance issues.

The new rule was introduced to ensure patient health data is protected, and in the case of business associates the change in legislation is long overdue. BAs are responsible for the exposure of a considerable amount of patient data and since HIPAA was passed, BAs have been implicated in 22% of all security breaches according to an analysis of HHS breach reports conducted by Profitable Practice.

The research also indicated that when business associates have been responsible for a security breach, the volume of data exposed is considerable. While 22 percent of HIPAA breaches were caused by BA’s, 48% of the 26.8 million individuals affected by security breaches had their data exposed as a result of a BA security issue.

The new rule makes BAs accountable for their actions – or lack of them – and it should reduce the number of data breaches occurring as a result of BAs. BAs are also responsible for any subcontractors they use and must take responsibility for their actions and ensure they too are aware of HIPAA regulations and a BA is signed.

Any business associate that does not believe they have the policies and procedures in place to deal with the new HIPAA regulations should take prompt action. It is not too late to become HIPAA compliant, although the deadline for implementing policies and procedures is fast approaching. Any HIPAA violation or non-compliance issue discovered after the Sept 23 deadline could result in a financial penalty being issued by the OCR of up to $1.5 million per year, while individual violations now carry a maximum penalty of $50,000 per incident.

If you are in any doubt about the new regulations and what action needs to be taken you should seek legal advice from an attorney who specializes in healthcare compliance. A full risk analysis must be conducted to determine whether any security risks exist and details of the steps taken to protect data should be fully documented.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.