{"id":2378,"date":"2013-04-05T00:00:00","date_gmt":"2013-04-05T00:00:00","guid":{"rendered":"http:\/\/otava.test\/hhs-wall-of-shame-40-percent-of-2013-hipaa-breaches-involve-business-associates\/"},"modified":"2013-04-05T00:00:00","modified_gmt":"2013-04-05T00:00:00","slug":"hhs-wall-of-shame-40-percent-of-2013-hipaa-breaches-involve-business-associates","status":"publish","type":"post","link":"https:\/\/www.otava.com\/blog\/hhs-wall-of-shame-40-percent-of-2013-hipaa-breaches-involve-business-associates\/","title":{"rendered":"HHS Wall of Shame: Forty Percent of 2013 HIPAA Breaches Involved Business Associates"},"content":{"rendered":"

Of the HIPAA data breaches reported in 2013 so far, nearly 40 percent have involved a business associate. A look at the overall percentage of business associate involvement with data breaches dating back to 2009 reveals that almost 30 percent played a role in the reported cases.<\/p>\n

Clearly, the U.S. Dept. of Health and Human Services (HHS) has attempted to address the chronic issue by widening the HIPAA penalty net to include business associates and subcontractors this year, with the drop of the final omnibus rules that went into effect March 26 (with 180 days to be in compliance).<\/p>\n

While business associates may have a new vested interest as they can be investigated and penalized directly by the Office for Civil Rights (OCR), covered entities also need to pay closer attention to their vendor contracts and security practices as they can be held liable for business associate and subcontractors as well.<\/p>\n

Business associates of covered entities can no longer be overlooked – for every healthcare organization that touches protected health information (PHI), each vendor must undergo scrutiny of their physical<\/a>, administrative<\/a> and technical security<\/a>. When it comes to HIPAA hosting<\/a> providers, the three tiers of security involve:<\/p>\n