When A Business Associate Is Also A Covered Entity
August 2, 2012
Valuable guidance for covered entities and business associates can be found in the U.S. Department of Health and Human Services list of breaches of unsecured protected health information affecting 500 or more individuals ("list breaches"), especially in the brief summaries of the breach cases that the federal Office of Civil Rights ("OCR") has investigated and closed.
An example is list breach 265 (“LB 265”), which reported a theft of a laptop in Alaska from Trisha Elaine Cordova, a business associate of Catholic Social Services (“CSS”), the related covered entity, on Feb. 1, 2011. The laptop reportedly contained approximately 493 adoption home studies affecting 1,700 individuals. LB 265 also happens to be the most recent list breach involving a business associate for which a summary has been provided by the OCR. (As an aside, LB 265 actually appears on line 266 of a chronological schedule of list breaches because the first line was used by HHS for column headings.)
According to the LB 265 summary: “The protected health information involved in the breach included names, addresses, phone numbers, dates of birth, driver’s license numbers, and health information; 20% of the files contained social security numbers.”