Week 10 Post – 89% of surveyed health care orgs breached in last two years

SC Magazine reported that for the 2nd consecutive year, the Ponemon Institute’s “annual study on the state of security and privacy in health care found that cybercrime was the leading cause of data breaches among hospitals and other medical providers.”

Here’s an alarming statistic from the report: 45 percent of the health care organizations surveyed “admitted to having more than five breaches over the past two years.”

SC Magazine also said that “Ponemon found that 89 percent of surveyed health care providers experienced a data breach in the last 24 months, with 79 percent admitting to suffering a minimum of two breaches.”

The top security threats cited in the report were employee negligence, named in 69% of cases, and cyber attacks, cited in 45% of the data breaches.

The report stated that 61% of health care organizations are “paying more attention” to how their third-party partners handle their data. HIPAA now has a Business Associate requirement that applies broadly to “partners” providing legal, actuarial, accounting, consulting, data aggregation, management, administration or financial services, whenever those services involve access to the organization’s PHI (Protected Health Information).

The HIPAA Privacy Rule mandates that providers have written contracts, known as Business Associate Agreements, with these partners. Under the Privacy Rule, failing to have these agreements in place with partners who are subject to the rule is itself non-compliance.

The US Department of Health and Human Services defines a “business associate” as a “person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A ‘business associate’ also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.”

Since most small-to-medium health care organizations contract out some or all of their IT and many other services, both these organizations and their IT service providers need to be familiar with the requirements of the Privacy Rule and with the use of Business Associate Agreements.

SC Magazine. (2016). Ponemon: 89% of surveyed health care orgs breached in last two years; cybercrime top cause. Retrieved May 22, 2016, from http://www.scmagazine.com/ponemon-89-of-surveyed-health-care-orgs-breached-in-last-two-years-cybercrime-top-cause/article/496530/
HIPAA Survival Guide. (n.d.). HIPAA Requirements. Retrieved May 22, 2016, from http://www.hipaasurvivalguide.com/hipaa-requirements.php
US HHS. (n.d.). Business Associate Contracts. Retrieved May 22, 2016, from http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html