Business Associates (BAs) not complying with HIPAA is the 6th post in our series on The History of HIPAA.
In this post we’re addressing the risk BAs are taking by not complying with HIPAA.
We’re also providing links to stories of “small” BAs that have been fined by the Office for Civil Rights (OCR) for failing to comply with HIPAA.
OCR = Enforcement
As we stated in our last post, for many years after HIPAA became the law of the land, it was not enforced. HIPAA was known as a paper tiger. It had no teeth, and the medical community by and large did not implement HIPAA. But that’s all changed. Now the saying “it’s not your father’s HIPAA” truly reflects recent and dramatic changes to the almost 30-year-old law.
So what does enforcement look like?
Storytelling is the most powerful way to convey an idea. The following stories convey the truth that “it’s not your father’s HIPAA” better than any blog post could.
Business Associates cause 40% of HIPAA breaches.
The HIPAA Journal reports:
“During the first quarter of 2013, 40% of all HIPAA breaches involving the exposure of PHI that affected more than 500 individuals were the result of the actions of business associates of HIPAA-covered entities. The problem appears to be growing, as over the previous four years BAs caused 30% of all reported HIPAA security breaches. This fact has not been missed by the Department of Health and Human Services.”
BA agreements likely a bigger target in 2015.
“Ex-OCR lawyer David Holtzman notes that there are more than 6,000 HIPAA privacy and security rule complaints and compliance reviews under investigation in an article at HealthcareInfoSecurity. He predicts more high-profile enforcement actions in 2015.”
OCR attorney predicts spike in HIPAA fines.
“The OCR has said that when it resumes HIPAA audits this fall, the investigations will have a narrow focus and there will be fewer onsite visits. Meites told the American Bar Association that the OCR still has to decide which organizations it will select for an audit from a list of 1,200 candidates: 800 healthcare providers, health plans or clearinghouses, and 400 of their business associates.”
Strong enforcement message about compliance . . .
“We will continue to identify and bring to resolution high impact cases that send strong enforcement messages to the industry about compliance,” she said. “These types of cases can include the lack of a comprehensive risk analysis and risk management practices, ignoring identified threats and hazards to systems containing electronic protected health information, and insufficient policies and procedures, and training of workforce members.”
Director Jocelyn Samuels
Office of Civil Rights
March 21, 2013
Real-life stories say it best, and the message is this: if you think OCR will never pay you a visit because you’re a small business associate, you had better think again.
FREE BUSINESS ADVISORY GUIDE
If your company is a health plan, health care clearinghouse, health care provider, insurance broker, etc., and you’re relying on tape drives, external hard drives, or USB devices to back up your protected health information (PHI), then it’s critical for you to get and read: 12 Little-Known Facts Every Business Owner Must Know About Data Backup, Security And Disaster Recovery. You’ll learn what most IT consultants don’t know or won’t tell you about making sure your company’s critical data is safe from loss, corruption, cyber criminals, natural disasters and employee sabotage, in addition to:
• The only way to know for SURE your data can be recovered if lost, corrupted or deleted – yet fewer than 10% of businesses have this in place.
• 7 critical characteristics you should absolutely demand from any offsite backup service; do NOT trust your data to any company that does not meet these criteria.
• Where tape backups fail and give you a false sense of security.
• The #1 cause of data loss that most businesses don’t even think about until their data is erased.
This guide explains, in plain everyday English, what you need to know about data backup, security and disaster recovery.
And don’t worry about some sales guy calling you from our office because you downloaded information from our website. No one from our office will call you; I promise. We don’t like sales calls any more than you do! We understand if you’re not ready to do that, and if that’s the case, then just read these posts when they come out. We post on a regular schedule.
Have you started your HIPAA compliance initiative?
With small health care practices as part of our growing family, we are committed to HIPAA compliance and creating a culture of compliance.
We know first-hand that HIPAA compliance for small health care practices is daunting. As a BA we’re going through it ourselves. We’re actually doing it, not just writing about it.
Do you need some technology help in your health care practice? Would you like to work with a technology company that is dedicated to a culture of HIPAA compliance?
Give us a call at 503.359.1275. We’re always happy to chat!
For more information visit: http://dtsinfotech.com/hipaa-compliance-for-small-health-care-practices
Dedicated to your success,
General Manager & Compliance Officer
DTS InfoTech . . . computer networks that work