Sister CISA CISSP

Feb 26 2010   7:25PM GMT

Health Care Breaches and Third Party Associates

Arian Eigen Heald

The Department of Health and Human Services has posted a list of the covered entities, (i.e., those that come under HIPAA regulations) that have reported health information data breaches impacting more than 500 people.

DHHS is now required by the HITECH Act to post the list, which includes the covered entity’s name, the nature of the breach and the number of individuals affected.

It’s worth noting that the 36 incidents posted date only from Sept. 22, 2009–when entities were first required to start reporting the breaches–to Jan. 18, 2010.

Out of the 36 incidents, 29 were due to theft.
Out of the 29 thefts, 16 were of “portable electronic devices” (mostly laptops and a few USB drives). That’s 50% of the thefts.

HIPAA requires that the covered entities (by which they mean hospitals, private practices, higher education health care, health insurance companies, etc., etc.) have a documented agreement with the third party associates they use to process health-care information. In other words: the billing companies, drug companies, medical marketers, medical transcribers and any other associate that handles Personally Identifiable Health Information (PIHI).

Of the 36 incidents, seven occurred at associates. That’s about 20% of reported events.

Given today’s regulatory climate, as well as the business gains that outsourcing promises, it’s worthwhile to consider the risk of outsourcing the handling of specific health and financial information.

If you review the list, you can see that the covered organization is listed first, whether or not the loss occurred at a business associate. That’s a list that no business (health care or otherwise) wants to be on. Does your organization have those kinds of relationships? (Think payroll, health billing, HR databases.)

What kind of agreement is in place to protect that data? (And your company?) Has anyone verified that they are handling the data securely? Organizations tend to think that they have offloaded the reputation and financial risk by outsourcing that information. They should take a look at that list and think again.
