According to a study conducted by PricewaterhouseCoopers, around 55 percent of data breaches reported since September 2009 involve business associates. You may wonder about the significance of this study for your daily operations, but the answer is simple: money.
By Dr. Jose I. Delgado
During the last couple of years, I have been approached by multiple healthcare professionals and organizations asking about the legalities of using companies that do not reside in the USA (offshore businesses) to handle electronic protected health information (EPHI). While there are recommendations we would like anyone to consider prior to hiring any of these companies, the reality is that HIPAA does not discriminate between US businesses and offshore companies.
MACRA, MIPS and the October 2 deadline have kept us busy conducting HIPAA Security Risk Assessments. This year, in response to the history of settlements and the number of breaches related to Business Associates' practices, we decided to change our tools appropriately to adjust for these trends. Our findings so far have been quite alarming and clearly display a recipe for failure.
Over 8 million dollars were paid in just two settlements due to the lack of a business associate agreement. There are already quite a few cases that demonstrate the importance of formalizing your relationship with your subcontractors and making sure that those who meet the requirements of a Business Associate are treated as such. For example: