How Your Friends Can Hurt You


If a friend gives you Ebola, does it matter that you like him? Does it matter that you like your vendors if their ignorance or flouting of HIPAA puts you at high risk of expensive and embarrassing data breaches?

You can like your business partners and vendors, but you should make them prove that they are worthy of your trust. If you trust them but don’t verify their compliance with HIPAA, you are taking huge risks that could hurt your patients and cost you millions of dollars. This is one reason that the Office for Civil Rights will be extending its upcoming HIPAA audits to include Business Associates.

When we conduct HIPAA Security Risk Analyses and HIPAA compliance audits, we almost always find that key vendors don’t understand HIPAA, have done little or nothing to comply, or think that HIPAA is not something that anyone should worry about. In recent weeks we have dealt with issues with small transcription services, a law firm representing a medical practice, Electronic Health Record vendors and a huge healthcare device manufacturer. These trusted vendors have created very high risks for their customers, and ultimately high risks to patients that their identities will be stolen. In our experience with Business Associates not complying with HIPAA, size doesn’t matter.

Our medical clients like their vendors and say things like:

“We have done business with them for years.”

“They are great people to work with.”

“They provide us with great service.”

“We don’t want you to break up our relationship.”

We aren’t trying to break up any relationships, but we are trying to protect our clients and their patients from very real threats.

  • Business Associates were responsible for most of the 41 million breached records that have been reported on the HIPAA “Wall of Shame”.
  • Almost a third of the reported data breach incidents (of over 500 records) reportedly were not caused by healthcare organizations, but by their Business Associates, accounting for over 23 million records.
  • Outside of healthcare, business partners were responsible for the huge breaches at Target and Home Depot.

In 2003 HIPAA redefined healthcare and made Covered Entities - medical practices, hospitals, and health plans - the trusted guardians of patient medical records. HIPAA gave the Covered Entities the authority to share access to medical records with Business Associates: outside businesses that provide them with services requiring access to Protected Health Information (PHI).

Each medical practice, hospital, and health plan is responsible for its own organization’s compliance, the compliance of its Business Associates, and even the compliance of any subcontractors the Business Associates use. Originally, governance of Business Associates was limited to signing Business Associate Agreements. However, in 2013 the HIPAA Omnibus Final Rule required Business Associates to fully comply with HIPAA by following the Privacy, Security, Data Breach, and Omnibus rules, and to directly face penalties for non-compliance and data breaches. This may make you think that if a Business Associate is liable then you are not, which simply isn’t true.

HIPAA requires you to ensure that your Business Associates comply with HIPAA and sign Business Associate Agreements. If they don't, you are required to terminate the contract or report them to the Office for Civil Rights.

Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). (45 CFR 164.502(e) and 164.504(e))

Making sure your Business Associates deserve your trust is not an insult to them; it is just good business and good patient care. And it’s the law.