
    What happens if your business associate has a patient data breach?

    Here’s a cautionary tale: A medical practice comes to us in a panic. It turns out the physician had received a letter from the Office of Civil Rights (OCR) ordering an investigation related to a patient data breach – not his own. 

    In this instance, the practice’s business associate (BA), a web hosting company, had committed the breach and exposed patient information, part of which ended up in a Google search. The web hosting company was investigated and is awaiting a final determination from OCR. But the medical practice was also being investigated because it had contracted the services of its provider.


    Impact to the physician

    This particular medical practice, an oral surgeon with a staff of six, had 20 days to answer 15 questions, all pointing to electronic security measures it should have taken to protect the thousands of patient records stored in its systems (the investigation came after the initial 60 days the practice had to notify patients). The workload of responding to an OCR investigation could be enough to make a physician want to shutter his practice. Here is just a taste of the OCR’s questions:

    • Copies of any notes, documents and reports relating to any internal investigation, including any forensic analysis conducted by the covered entity, or its designated contractor or agent of the alleged incident. Please detail any corrective measures taken as a result of this alleged incident.
    • Please indicate whether you conducted a breach risk assessment for the alleged incident. If so, please provide a copy of the breach risk assessment.
      • If you determined that a breach of patients’ PHI occurred as a result of this incident, please indicate, as applicable, whether you notified the affected individuals, the media, and the HHS Secretary.
      • If you notified the affected individuals, the media, and the HHS Secretary, please provide OCR with documentation of said notifications.

    You can view the remaining 13 questions on our website.

    If the OCR determines that the medical practice is in willful neglect of HIPAA regulations, it could be looking at a fine of $50,000 per incident, up to $1.5 million.


    Art Gross
    Art Gross co-founded Entegration in 2000 and serves as president and CEO. As Entegration’s medical clients adopted EHR technology Gross ...
