Healthcare Security Incident

What If Your Business Associates Had a Security Incident?

Covered Entities (CEs) believe it’s impossible to determine whether the policies and procedures of their Business Associates (BAs) are adequate to respond effectively to a security incident.

To complicate matters, more believe their Business Associates would NOT notify them in the event of a security incident.

It is crucial that BAs notify CEs in the event of inappropriate use or disclosure of Protected Health Information (PHI) not provided for in the contract. This includes any breaches of unsecured PHI, as well as any security incidents. The Business Associate Agreement (BAA) should specify how and for what purpose the PHI will be used by each BA or subcontractor.

HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304).

HIPAA also defines a breach as an impermissible access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. (See the definition of breach at 45 CFR 164.402).

Did You Know?

Business Associates (BAs) are at greater risk because of their limited knowledge, understanding, and/or implementation of the HIPAA Security and Breach Notification Rules in their organization.

BAs can be, and have been, held directly liable and subject to civil and, in some cases, criminal penalties for making uses and/or disclosures of protected health information (PHI) that were not authorized.

A Bad Year for Business Associates

During 2018, there were a total of 74 different Business Associate healthcare breaches added to the Office for Civil Rights (OCR) ‘Wall of Shame’, potentially compromising the health information of 5,726,824 individuals.

Here are the breach types by the numbers:

  • Unauthorized Access/Disclosure = 34
  • Hacking/IT Incident = 33
  • Loss = 5
  • Theft = 2

That’s 71 new Business Associate breaches added to the ‘Wall of Shame’, and those organizations could now have OCR in their business affairs – this is NOT a position you EVER want for YOUR business. But wait, didn’t I just tell you there were 74 different BA healthcare breaches?

Clearly, you were paying attention; that is because 3 different organizations had already made the list in 2018!! Find out who made the list by requesting your copy of the ‘2018 Business Associate Healthcare Data Breach Report’.

Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility!

Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?


For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” newsletter today.