Disclaimer: This blog article was written by an AdvancedMD partner. The views and opinions expressed in this article are those of the author(s) and do not necessarily reflect the official policy or position of AdvancedMD.
Another vendor HIPAA breach was recently reported affecting over 319,000 patients and their providers. The breach occurred within QRS Healthcare Solutions’ patient portal. Attorneys are already actively advertising a class-action lawsuit against QRS with the following questions on the table:
- Did QRS fail to adopt security safeguards that would have prevented a data breach?
- Did QRS notify customers as soon as it learned of the data breach?
- Did QRS provide a complete list of all individuals affected by the data breach?
- Did QRS provide security in line with industry standards?
What does this mean for your practice and what can you learn from it?
Security breaches at health information vendors and healthcare facilities are increasing rapidly, and the cost of patient notification after a potential HIPAA breach can be huge. Under the HIPAA Breach Notification Rule, it is the responsibility of the medical provider to send out notification when a breach occurs. Vendors are not required to notify patients under the rule, but a good business associate agreement (BAA) can stipulate that the vendor take responsibility for notification on your behalf.
In the case of QRS, the vendor sent notification letters to all affected individuals on behalf of its clients. The vendor has also offered complimentary access to identity theft protection services to those affected by the breach. Though these actions go beyond the regulations, they can and should be written into each of your BAAs.
Given this latest breach and the growing risk of a breach affecting you, now is a good time to review BAAs you currently have in place and make sure actions and costs associated with a breach are the vendor’s responsibility should a breach occur. Without this protection, your practice is at risk of incurring significant financial costs even when a breach of patient privacy does not happen at your location.
So what can you do to protect yourself and your practice?
- Look at all vendors you do business with and share patient data with, and make sure you have a BAA in place with each one. If a vendor says they are not required to give you a BAA, tell them you require one in order to do business with them. The vendor may push back, but it is imperative that you have a BAA in place to minimize risk.
- Review BAAs with your healthcare attorney to ensure that responsibility for actions and costs is worded appropriately to cover all breach remediation costs, including patient notification and provision of credit monitoring services.
- Get cybersecurity insurance. Without cybersecurity insurance, a breach could financially ruin your practice.
- Make sure your HIPAA security risk analysis and risk mitigation plan are up to date. If not, please contact TLD Systems to take care of this vital step in protecting your practice.
The number of HIPAA breaches continues to increase, putting your patient data at greater risk every day. Don’t wait until it is too late to protect your practice.
For more information, please reach out to Dr. Michael L. Brody, DPM, at [email protected] or call (631) 403 6687.