Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.
In a recent report on HIPAA breach trends, the HHS shared that breaches involving business associates or third-party vendors between January and June 2021 accounted for 40% of all HIPAA breaches. Because of the damaging consequences of any HIPAA breach, it’s useful for providers to understand the potential risks medical practices face when working with others.
Once a provider sends patient data to a recipient outside the practice, the practice can no longer guarantee its security, even with the best software in place on its own systems. If patient data coming from your practice is breached while in a business associate's custody, your practice is still accountable for it: it was your data and your decision to share it, and the obligation to notify affected patients and HHS falls on you as the covered entity, even though business associates are also directly liable under HIPAA for their own violations.
To help mitigate the potential of a business partner’s breach affecting your practice, here are some useful steps you can take.
1. Make sure you have a business associate agreement (BAA) with every one of your partners or third-party vendors that creates, receives, maintains, or transmits protected health information (PHI) on your behalf. A BAA is the contract HIPAA requires between you and such a partner; it sets out how the business associate may use and disclose PHI, what safeguards it must maintain, and how and when it must report a breach to you, and it can also state clearly who bears the costs of a breach. If possible, you'll want to make the business associate responsible should a breach occur on their side, indemnifying your practice against any liability involving data they hold, maintain, or process on your behalf. The BAA should also include a clause requiring the business associate to carry breach (cyber liability) insurance.
It's not uncommon to hear from a business partner that they are not required to sign a HIPAA business associate agreement. Be advised that if you share PHI with a vendor without a signed agreement, you have no contractual protection should there be a breach at that company, and the disclosure itself is a HIPAA violation on your part. If a company you share patient information with is not willing to sign a BAA, it is recommended to stop doing business with them, regardless of the reason they provide.
2. Have an attorney review the BAA and ensure the document is written in a way that fully protects you. Most businesses will draft an agreement that puts their own interests first and does not fully protect the medical practice. If you haven't already, it's a good idea to have your attorney review all agreements currently in place to confirm they are written in your favor.
3. Get breach (cyber liability) insurance for your medical practice. The costs of responding to a HIPAA breach, including forensic investigation, patient notification, legal fees, and potential penalties, can be huge and could push your practice to the brink financially. With the growing risk of incurring a breach, having coverage can mean the difference between your practice staying open and closing its doors.
4. Follow the minimum necessary standard when sharing information with a business associate. It's best practice for providers to share only the minimum amount of PHI necessary to accomplish the task at hand. In other words, avoid sharing any patient information a partner does not need to do their job; the less data a vendor holds, the less is exposed if that vendor is breached.
For more information on HIPAA compliance and working with business associates, please feel free to contact TLD Systems at http://www.tldsystems.com via email [email protected] or by phone at (631) 403-6687.