Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com

Business Associate fined for a data breach UNDER 500 patient records

Posted bySuze Shaffer
Business associate fined non compliant

Most of us are familiar with fines for data breaches of over 500 patient records. This time a business associate was fined $75K for 267 records.

Covered entities are responsibility to vet their business associates. This includes making sure they understand the HIPAA rules. Such as, conducting risk assessments, determining vulnerabilities and how to mitigate them, and maintaining proper HIPAA policies and procedures. While it is unusual to see a fine like this for under 500 records, this says the Office for Civil Rights (OCR) is now setting fines for breaches under 500 patient records. If this business associate had done their due diligence and had tried to be HIPAA compliant, I truly doubt they would have been fined. Compliance can be achieved in 7 Steps with our HIPAA Keeper System!

Do not be afraid to ask who conducted and when their last risk analysis was updated. Ask if you may see a copy of their data security policies. Ask for their HIPAA training certificates or a training list of employees who will be working with your practice.

iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers has paid $75,000 to OCR and has agreed to implement a corrective action plan.

Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has agreed to take the following steps:

  • Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
  • Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information; and
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.

Sound familiar? YES, this is what covered entities are required to do! Business associates and their subcontractors (business associates of business associates) are required under HIPAA to follow the same rules and regulations as covered entities. Making sure you have a business associate agreement (BAA) in place is only the first step!

Let your business associates know Aris Medical Solutions has an online system called the HIPAA Keeper™, to help them get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

To read about other actual fines, click on our Education tab!

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

View all posts by Suze Shaffer

Share This HIPAA Blog
Employee Termination

Could terminating an employee trigger an OCR investigation?

May 1, 2023
Online technologies and HIPAA

The OCR and FTC are investigating online tracking technologies

August 1, 2023
©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC