Business Associate fined for a data breach UNDER 500 patient records

Most of us are familiar with fines for data breaches of over 500 patient records. This time a business associate was fined $75K for 267 records.

Covered entities are responsibility to vet their business associates. This includes making sure they understand the HIPAA rules. Such as, conducting risk assessments, determining vulnerabilities and how to mitigate them, and maintaining proper HIPAA policies and procedures. While it is unusual to see a fine like this for under 500 records, this says the Office for Civil Rights (OCR) is now setting fines for breaches under 500 patient records. If this business associate had done their due diligence and had tried to be HIPAA compliant, I truly doubt they would have been fined. Compliance can be achieved in 7 Steps with our HIPAA Keeper System!

Do not be afraid to ask who conducted and when their last risk analysis was updated. Ask if you may see a copy of their data security policies. Ask for their HIPAA training certificates or a training list of employees who will be working with your practice.

iHealth Solutions, LLC (doing business as Advantum Health), a Kentucky-based business associate that provides coding, billing, and onsite information technology services to health care providers has paid $75,000 to OCR and has agreed to implement a corrective action plan.

Under the terms of the settlement agreement, iHealth Solutions will be monitored by OCR for two years to ensure compliance with the HIPAA Security Rule. iHealth Solutions has agreed to take the following steps:

  • Conduct an accurate and thorough analysis of its organization to determine the possible risks and vulnerabilities to the electronic protected health information it holds;
  • Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information;
  • Implement a process to evaluate environmental and operational changes that affect the security of electronic protected health information; and
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures.

Sound familiar? YES, this is what covered entities are required to do! Business associates and their subcontractors (business associates of business associates) are required under HIPAA to follow the same rules and regulations as covered entities. Making sure you have a business associate agreement (BAA) in place is only the first step!

Let your business associates know Aris Medical Solutions has an online system called the HIPAA Keeper™, to help them get compliant and stay compliant with HIPAA!

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

To read about other actual fines, click on our Education tab!

HIPAA investigations to include breaches fewer that 500 patient records

By Aris Medical Solutions

The Office for Civil Rights announced in August they would be working with their Regional Offices to more widely investigate the causes of breaches that affects less than 500 patient records. The Regional Offices will use their own discretion to prioritize which breaches to investigate.

Some of the factors they will be considering include:

  1. The number of records affected
  2. Intrusions of the IT systems
  3. The sensitivity of the data
  4. Whether the data was unencrypted or disposed of improperly
  5. Number of breaches from the same entity including business associates
  6. The lack of reported breaches when comparing similar situations with specific covered entities and business associates

Here are some helpful tips to avoid data breaches:

  • Confirm fax numbers and email address BEFORE sending.
  • Do not permit ANYONE access to your systems without confirming their identity and verifying they are still employed with that particular company.
  • Do not click on links in emails, instead, open your browser and go to the website.
  • Make sure all accesses to ePHI utilizes strong passwords, preferably passphrases.
  • Change your passwords/phrases at least every 90 days. This includes your EHR, PM software, workstation operating system, and email access.
  • If a two-step authentication is available, make sure it is engaged.
  • Use encryption whenever possible, depending on the operating system you use, it may be FREE!
  • Request a network security audit to be performed that includes remediation.
  • Do not retain records longer than necessary, why have that exposure if it is not required!
  • Make sure everyone involved with Patient Data is HIPAA Compliant.

As we mentioned last month, enforcement of HIPAA is here and you must ensure that if you are audited or investigated you have all of the appropriate documentation in place. Remember… if it is not documented, it doesn’t exist!

If you are one of the many organizations that simply do not have the time to do this, you are not alone. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package. Call Aris at 877.659.2467 or click here to schedule a demo.

HIPAA Enforcement is HERE!


By Aris Medical Solutions

I am sure you have seen the recent HIPAA fines from the Office for Civil Rights (OCR). HIPAA enforcement is like never before and the fines are fierce. We knew this day would come and it has.

We are encouraging all medical practices and business associates to make sure you have all of your HIPAA compliance policies, procedures, and documentation implemented. When you are audited is not the time to discover you forgot something. The OCR is not being very kind.

When you are reviewing your HIPAA policies and procedures and deciding whether or not to implement the “Addressable” standards, be careful. Addressable is NOT optional; you must have reasonable and appropriate safeguards in place. Since there is not enough case law on record, this is a gray area. Just be careful you do not fall into the big black hole! Also, do not skip over any “Required” standards. These are required no matter what size your organization is.

We are seeing fines like $750K for neglecting to have a Business Associate Agreement (BAA) in place before data was released and a $650K fine for a lost IPhone that was not encrypted. Make sure you not only have BAAs in place but the business associate is in fact HIPAA compliant. This the responsibility of each practice. HIPAA enforcement is here and it is not going away anytime soon.

If you are one of the many organizations that simply do not have the time to do this, you are not alone. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package. Call Aris at 877.659.2467 or click here to schedule a demo.

“Protecting Organizations through Partnership, Education, and Support”

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC