Under HIPAA, a medical provider, insurance carrier, or other covered entity can be held responsible for the cyber breach or HIPAA violation of a vendor that has access to protected health information (PHI). In one recent incident, a Florida health care provider was forced to pay $500,000 to resolve the alleged HIPAA violations of its medical billing vendor. More recently, a medical provider in California was required to notify thousands of victims of a cyber breach involving its medical records storage vendor. The California provider was also required to hire a forensic firm to investigate the breach and undertake other costly mitigation efforts. Clearly, covered entities should be mindful of their dealings with vendors that have access to PHI or ePHI (electronic protected health information).
A recent article from the National Law Review provides additional information on this topic and includes the following tips for covered entities:
- Have business associate agreements in place with all vendors that handle PHI;
- Perform due diligence on all vendors;
- Include contractual protections in underlying services agreements and business associate agreements with business associates, including indemnification provisions; and
- Review cyber liability insurance coverage, and understand the policy’s coverage of breaches by vendors.