Vendor HIPAA Breach Affects 319K Patients & Their Providers | AdvancedMD

Features Navigation

Live Chat (800) 825-0224 Live Demo

← Back

Vendor HIPAA Breach Affects 319K Patients & Their Providers

Public Policy

Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.

Another vendor HIPAA breach was recently reported affecting over 319,000 patients and their providers. The breach occurred within QRS Healthcare Solutions’ patient portal. Attorneys are already actively advertising a class-action lawsuit against QRS with the following questions on the table:

  • Did QRS fail to adopt security safeguards that would have prevented a data breach?
  • Did QRS notify customers as soon as it learned of the data breach?
  • Did QRS provide a complete list of all individuals affected by the data breach?
  • Did QRS provide security in line with industry standards?

What does this mean for your practice and what can you learn from it?

The incidents of security breaches at health information vendors and healthcare facilities are rapidly increasing. And the cost of patient notification after a potential HIPAA breach can be huge. According to the HIPAA Breach Notification Rule, it is the responsibility of the medical provider to send out notification when a breach occurs. Vendors are not required to notify patients as per the rule, but a good business associate agreement (BAA) can stipulate that the vendor take responsibility for notification on your behalf.

In the case of QRS, the vendor sent notification letters to all affected individuals on behalf of its clients. The vendor has also offered complimentary access to identity theft protection services to those affected by the breach. Though these actions go beyond the regulations, they can and should be written into each of your BAAs.

Given this latest breach and the growing risk of a breach affecting you, now is a good time to review BAAs you currently have in place and make sure actions and costs associated with a breach are the vendor’s responsibility should a breach occur. Without this protection, your practice is at risk of incurring significant financial costs even when a breach of patient privacy does not happen at your location.

So what can you do to protect yourself and your practice?

  1. Look at all vendors you do business and share patient data with and make sure you have a BAA in place. If a vendor says they are not required to give you a BAA, tell them you require one in order to do business with them. The vendor may push back, but it is imperative that you have a BAA set up to minimize risk.
  2. Review BAAs with your healthcare attorney to ensure responsibility of actions and costs are appropriately worded to cover all breach remediation costs, including patient notification and provision of credit monitoring services.
  3. Get cybersecurity insurance. Without cybersecurity insurance, a breach could financially ruin your practice.
  4. Make sure your HIPAA security risk analysis and risk mitigation plan are up to date. If not, please contact TLD Systems to take care of this vital step in protecting your practice.

The number of HIPAA breaches continues to increase, putting your patient data at greater risk every day. Don’t wait until it is too late to protect your practice.

For more information, please reach out to Dr. Michael L. Brody, DPM, at [email protected] or call (631) 403 6687.

Michael Brody, DPM
Dr Brody has been actively involved in Computers and Medicine since the 1980’s. Dr Brody as a Residency Director at a VA hospital on Long Island and was present as the VA moved from paper records to computerized records. During this time, he was exposed to the stringent rules and regulations that government employees need to adhere to when protecting patient information. He co-founded TLD Systems with Warren Melnick to create a platform that doctors who wish to work in private practice have a cost-effective method of implementing HIPAA compliance in their practices in a manner that does not interfere with their ability to practice medicine. He has served on the Health Information Technology Standards Panel (HITSP), the Standards and Interoperability Framework (S&I), as a member of the Ambulatory Care Committee at the Certification Commission on Health Information Technology (CCHIT), and numerous other organizations. He is currently a member of the Physicians Committee at the Healthcare Information and Management Systems Society (HIMSS) and a co-Chair of the EHR workgroup at Health Level Seven International (HL7)

Topic: Public Policy

Other Resources Related to This Topic


2022 MIPS IA

Got a handle on your MIPS Improvement Activities (IA) categories for 2022? To help, we’ve...


MACRA Quality Guide 2022

Just because you are new to MACRA and MIPS doesn't mean you need to feel...


MIPS Attestation 2022

New users to QPP.CMS.GOV – Register now for a HARP Account If you have never...

“The money I have invested in AdvancedMD is miniscule compared to the return. I have never been more efficient – ever – in my professional life as I am now.”

Jed Shay, MD
The Pain Care Center

Read the story  ›

“[Our] patients are very well-educated and well-informed, and they want to see results quickly. The practice has to run extremely efficiently and be accessible to them. The nice thing about [AdvancedMD] is it has allowed me to be more efficient both in and out of the office. Now I don’t have to come back into the office, which is great for my family and everything else. It saves me a lot of time – probably an hour a day on the three days I work in the second office.”

Keith Berkowitz, MD
Center for Balanced Health

Read the story  ›

“The best thing I ever did in private practice was getting AdvancedMD—it has liberated me.”

Estaban Lavato, MD
La Loma Medical Center

“Having integrated practice management and EHR is absolutely wonderful, you don’t have to flip back and forth between systems—all of your information is at hand when needed.”

Raju Raval, MD

Read the story  ›