Episode 49: Know The Rules! 2018 Wall of Shame Business Associate Breaches

Health & Human Services (HHS) Wall of Shame

Covered Entities (CEs) are not alone when it comes to experiencing a healthcare breach.

Business Associates (BAs) are at greater risk because of their limited knowledge, understanding, and/or implementation of the HIPAA Security and Breach Notification Rules in their organizations.

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires CEs and their BAs to provide notification following a breach of unsecured protected health information (PHI). (45 CFR §§ 164.400-414)

Breach Notification Requirements

After experiencing a breach, CEs must notify affected individuals, the Secretary, and when required, the media regarding certain details of the breach.


BAs must notify CEs if a breach occurs at or by the BA.

Notification by a Business Associate

A BA must provide notice to the CE without unreasonable delay, and no later than 60 days from the discovery of the breach. Where possible, the BA should provide the CE with the identification of each individual affected, as well as any other available information the CE requires.

You Should Know!

BAs can be (and have been) held directly liable and subject to civil and, in some cases, criminal penalties for making uses and/or disclosures of PHI that were not authorized.

From January – August 2018, 25 different BA healthcare breaches were added to the Health & Human Services (HHS) Office for Civil Rights (OCR) ‘Wall of Shame’, potentially compromising the health information of 2,102,420 individuals.

These 25 healthcare breaches consist of 11 BAs reporting Unauthorized Access/Disclosure of PHI and 14 BAs reporting Hacking/IT Incidents.

That’s 25 new Business Associates immortalized on the ‘Wall of Shame’ who now have OCR looking into their business affairs. This is NOT a place you EVER want YOUR business to be.

Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility!



Please join HIPAA alli to learn how HIPAA applies to YOUR organization, and YOU too can become a defender of PHI!!



Remember: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges for CEs and BAs as their organizations and technologies change.

Covered Entities and Business Associates need to understand that your patients are entrusting YOU with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?





For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter today.

One thought on “Episode 49: Know The Rules! 2018 Wall of Shame Business Associate Breaches”

  1. […] January – December 2018, there were 39 different BA healthcare breaches added to the OCR ‘Wall of Shame’, potentially compromising the health information of 5,487,456 […]