Lax Business Associate Practices Can Lead to PHI Security Breaches

October 31, 2011 – In The News
Medical Practice Compliance Alert

Business associates, such as billing consultants or attorneys, may not always take protected health information (PHI) as seriously as health professionals do. This is why many security breaches are caused by business associates in possession of the PHI of the providers’ patients, and not by the providers themselves.

The business associate also often does the grunt work with the PHI and transports it on behalf of the covered entity, so it’s often vulnerable and exposed, notes attorney Michael Kline.

Although it’s the business associate that caused the breach, it’s the covered entity that is required to report it, with the associated costs and bad publicity. “The covered entity, which is also the victim, is the name that’s remembered,” said Kline. It’s also the covered entity, not the business associate, that ends up being sued by the patients. Class action lawsuits have already been filed against Stanford Hospital and Tricare for the breaches incurred.

“This is a minefield,” warns Kline.