We have previously written about the risk of business associates (BAs) to patient information here and here. Now we have another large data breach caused by a hospital’s business associate. An article over at the Star Telegram goes into the details.
A contractor for Texas Health Harris Methodist Hospital Fort Worth failed to destroy hundreds of thousands of records which turned up in a Dallas park.
Texas Health Harris Methodist Hospital Fort Worth says it is notifying hundreds of thousands of former patients whose personal information on decades-old records turned up in a Dallas park instead of being destroyed by a contractor.
The breach affected 277,000 patients
Wendell Watson, spokesman for Arlington-based Texas Health Resources, the hospital’s corporate parent, said the mammoth breach involves about 277,000 records on microfiche from 1980 to 1990. Only patients from the Fort Worth facility are affected.
Included were names, addresses, birth dates, health information and, in some cases, Social Security numbers.
Make sure your BAs are complying with HIPAA
If you are not asking for proof of compliance from your BAs, you will have no idea whether they understand how to properly protect patient information. Here are a few simple questions to ask of all your BAs:
- When was the last time you performed a HIPAA risk assessment? Can you show us your last risk assessment?
- Do you have written policies and procedures on protecting patient information?
- Have all your employees been trained on protecting patient information? Are the employees that will be accessing our information properly trained?
- In the event of a breach do you have a response plan? Can we see what your plan looks like?
By asking these questions you will quickly find out which vendors have taken HIPAA seriously and which have not. Signing a business associate agreement (BAA) with a BA does not ensure compliance with HIPAA regulations.
Remember, if your BA has a breach involving your patient information, it will be your patients that get notified. It will be your reputation that is damaged.
All Covered Entities and Business Associates need to train their employees on HIPAA security. We now offer free online HIPAA security training for Covered Entities and Business Associates. Find out more about our free training and send the information to ALL your Business Associates.
Now there is no reason for Business Associates not to have trained their employees on protecting your patient information.