HIPAA For MSPs by David Sims BA Breaches

BA OCR resolution announced

CHCS in Philadelphia is a BA to 6 skilled nursing clinics in the Philadelphia area. Entities like this handle the business side of healthcare so the clinics themselves don’t have to worry about it. An unencrypted iPhone that wasn’t password protected had PHI on it. They had not completed a risk analysis or a risk management plan! Basically, it seems like they were completely ignoring HIPAA.

A business associate is getting this resolution: $650,000 and a two-year settlement. The resolution states that September 23, 2013 is the BA compliance date, which means that from this date on they hadn’t done the correct things. OCR can fine a BA directly. In determining the resolution, OCR considered that CHCS provides unique and much-needed services to the Philly region for many different types of people in need, such as the elderly and those with HIV/AIDS. This is why the resolution was not as harsh as it could have been.

You can’t develop a risk management plan if you don’t first do a risk analysis. If you make rules and the higher-ups don’t follow them, then you know the employees won’t either. The rules must come from the top and apply all the way to the bottom. The risk plan needs to be readily available to anyone in your organization. Running a successful business is based on a culture of compliance.

Dental third-party brand new breach announced

There is a new breach that happened when a BA was hacked. Patterson Dental Supply Inc. helps manage dental practice information for various providers. One of the clinics it services is Massachusetts General Hospital, and 4,300 patients had their PHI compromised. The BA alerted the authorities and the hospital in February that it had been hacked. But the investigators told the company not to make the announcement, because they wanted to investigate while the hacker possibly did not yet know that anyone had discovered the intrusion. Because of that, the information about the situation is only now reaching the news.

How easily you can be hacked depends on the way your systems are set up. Make sure you have your BAs sign BAAs (Business Associate Agreements).

But remember, we are not attorneys! So, always talk to your attorneys for actual legal advice.

Your info for sale on the Dark Net

The dark web makes up a large part of the internet. It is basically a virtual black market: you can get anything that you need. On the dark web, large files of PHI have been getting released for sale. People have not been able to trace all of this information back to reported breaches, which means that either there are unreported breaches or people simply aren’t watching. Both of which are BAD!

Another issue may be that the breach is happening at a BA or a third party, so the covered entity may not know. Clinics around the country are all at risk of ruining their reputations, even if it is the BA’s fault. A patient is going to have an issue with the clinic, not the BA, if their medical information is compromised. Medical identity theft is a rapidly growing issue in the United States.