Third-Party Vendors – Don’t Let This Happen To You!

Did you know?

In 2013, the Final Omnibus Rule updated the HIPAA Security Rule and Breach Notification clauses of the HITECH Act.

As a result every Business Associate (BA) that creates, receives, maintains, or transmits electronic Protected Health Information (ePHI) is required to perform a comprehensive enterprise-wide HIPAA Security Risk Analysis (Per: §164.308(a)(1)(ii)(A)).

This means the analysis must cover more than your electronic health record (EHR) system. And don’t forget to include any Internet of Things (IoT) devices you have connected; HHS looks at those too!

Don’t let this happen to YOUR organization!

In February 2014, the Health and Human Services (HHS) Office for Civil Rights (OCR) received separate notifications from each of six nursing homes regarding a breach of unsecured ePHI by Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS). CHCS provided management and information technology services to the nursing homes as a BA.

On April 17, 2014, OCR notified CHCS of OCR’s investigation regarding CHCS’s compliance with the HIPAA Rules. OCR’s investigation indicated that the following occurred:

  1. CHCS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by CHCS (See 45 C.F.R. § 164.308(a)(1)(ii)(A));
  2. CHCS failed to implement appropriate security measures sufficient to reduce the risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) of the Security Rule (See 45 C.F.R. § 164.308(a)(1)(ii)(B)).

In addition to several other provisions identified in the HHS Resolution Agreement, CHCS agreed to pay the Resolution Amount of $650,000 and implement a Corrective Action Plan (CAP).

Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and they expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat about your compliance program – schedule a call with HIPAA alli today!