HIPAA Violations by Associates or Sub-Contractors

Friday, September 24, 2010

Jack Anderson


Naturally the focus is on electronic records since it is easier to lose a large number of electronic records but that does not mean that those dealing with paper records are safe. 

Several large pharmacies have been fined millions for improper disposal of prescription information.

So you say you have good policies and procedures in place?  How about your business associates and their sub-contractors? 

In this case the hospitals turned the records over to a pathology group (Carney) who in turn handed it off to a medical billing company (Goldthwait) and the former owner  of the medical billing company Joseph Gagnon stated that they had been dumping the unsecured records at the dump for at least 2 or 3 years.

Maybe you have a business associate agreement in place that you think will protect you. 

"Goldthwait employees come to hospital pathology labs and print out the information they need to bill insurers — or the pathologists mail the information to the company.

Dole, the Carney pathologist, said he required Gagnon to sign an amendment to their contract in 2003 stating that he would dispose of the paper in a way that complied with newly passed federal legislation designed to protect patients’ health information — though the amendment did not specify exactly how Gagnon would do that."

A seven year old agreement with no specific requirements is not much of a firewall.  If I was the auditor I would find everyone in this daisy chain guilty of willful neglect.

You simply must get "suitable assurance" that your business associates are compliant.

Here is a link to the complete article: www.boston.com/news/local/massachusetts/articles/2010/08/13/mass_hospitals_investigate_exposure_of_records/?page=1

Cross-posted from Compliance Helper

Possibly Related Articles:
Healthcare Provider
Post Rating I Like this!
Allan Pratt, MBA Wow, difficult to imagine that "a seven year old agreement with no specific requirements" was all that the companies in this post depended on to avoid security breaches.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.