
Critical Insight’s 2021 Health Data Breach Report


Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.

In a recent report on HIPAA breach trends, the HHS shared that breaches involving business associates or third-party vendors between January and June 2021 accounted for 40% of all HIPAA breaches. Because of the damaging consequences of any HIPAA breach, it’s useful for providers to understand the potential risks medical practices face when working with others.

When providers send communications to recipients outside of the practice, data security cannot be ensured—even with the best software in place. If patient data coming from your practice is breached within a business associate’s purview, you are ultimately deemed responsible for the breach since it was your data and your choice to share it.

To help mitigate the potential of a business partner’s breach affecting your practice, here are some useful steps you can take.

1. Make sure you have a business associate agreement (BAA) with every one of your partners or third-party vendors. A BAA is a contract between you and your partner that clearly states who is responsible for the costs associated with a potential breach. If possible, you’ll want to make the business associate responsible should a breach occur at their location, indemnifying your practice against any responsibility involving data they hold, maintain, or process on your behalf. The BAA should also include a clause that requires the business to have HIPAA breach insurance.

It’s not uncommon to hear from a business partner that they are not required to sign a HIPAA business associate agreement. Be advised that if you do not have a signed agreement, you are not protected should there be a breach at that company. If a company you share patient information with is not willing to sign a BAA, it is recommended to stop doing business with them regardless of the reason they provide.

2. Have an attorney look at the BAA and ensure the document is written in a way that fully protects you. Most businesses will write up an agreement that puts their interests first and does not fully protect the medical practice. If you haven’t already, it’s a good idea to have your attorney review all current agreements in place to make sure they’re written accordingly.

3. Get HIPAA breach insurance for your medical practice. The costs of HIPAA breach mitigation can be huge and could push your practice to the brink financially. With the growing risk of incurring a HIPAA breach, having coverage can mean the difference between your practice staying active or closing its doors.

4. Follow the minimum necessary doctrine when sharing information with a business associate. It’s best practice for providers to share only the minimum amount of information necessary to achieve the task at hand. In other words, avoid sharing any patient information a partner does not need to do their job.

For more information on HIPAA compliance and working with business associates, please feel free to contact TLD Systems at http://www.tldsystems.com via email [email protected] or by phone at (631) 403-6687.

Michael Brody, DPM
Dr Brody has been actively involved in computers and medicine since the 1980s. Dr Brody was a Residency Director at a VA hospital on Long Island and was present as the VA moved from paper records to computerized records. During this time, he was exposed to the stringent rules and regulations that government employees need to adhere to when protecting patient information. He co-founded TLD Systems with Warren Melnick to create a platform that gives doctors who wish to work in private practice a cost-effective method of implementing HIPAA compliance in their practices in a manner that does not interfere with their ability to practice medicine. He has served on the Health Information Technology Standards Panel (HITSP), the Standards and Interoperability Framework (S&I), as a member of the Ambulatory Care Committee at the Certification Commission on Health Information Technology (CCHIT), and numerous other organizations. He is currently a member of the Physicians Committee at the Healthcare Information and Management Systems Society (HIMSS) and a co-Chair of the EHR workgroup at Health Level Seven International (HL7).
