In the Ponemon 2011 Cost of Data Breach Study, 41% of breaches were due to third-party mistakes. Take a step back and think about the impact of that number. The use of third-party organizations is becoming more and more common.
According to the HHS.gov website, examples of third parties that qualify as business associates include:
- A third party administrator that assists a health plan with claims processing.
- A CPA firm whose accounting services to a health care provider involve access to protected health information.
- An attorney whose legal services to a health plan involve access to protected health information.
- A consultant that performs utilization reviews for a hospital.
- A health care clearinghouse that translates a claim from a non-standard format into a standard transaction on behalf of a health care provider and forwards the processed transaction to a payer.
- An independent medical transcriptionist that provides transcription services to a physician.
- A pharmacy benefits manager that manages a health plan’s pharmacist network.
Another common business associate is an IT company that manages the network and performs data backups.
Many hospitals and medical practices have between 3 and 20+ business associates. The risk of having so many business associates is that the chance of a data breach grows with every additional third party that has access to patient data.
You may be saying to yourself that you have business associate agreements, so you don’t have to worry about this. Having an agreement in place that states the business associate will comply with the HIPAA / HITECH regulations is fine, but how do you know that they are properly protecting the data? If the business associate is complying with HIPAA regulations as required under HITECH, they would have policies and procedures in place, have performed a risk assessment, have trained all their employees on protecting patient information, have a security response plan in place, etc.
And if the business associates met all of the requirements of HIPAA / HITECH, you probably would have a lot less to worry about. But when was the last time you asked to see their policies? Do you have any proof that the business associate has trained all their employees? Are they carrying your data around on unencrypted USB drives? You won’t know the answers to these questions unless you ask and require proof of compliance.
Ensuring that your business associates are properly protecting patient data will go a long way in reducing the chances of a data breach.