After a Breach Is Too Late: Ensure BA, Subcontractor Compliance Now

Health Care Compliance Association (HCCA)

Report on Patient Privacy 21, no. 3 (March 2021)

Sometime during the fall, a worker for a subcontractor of Humana Inc. decided to share actual member information from medical records via a Google document with people he was training to be medical coders, part of his attempt to run a “personal coding business endeavor.”[1]

Early last month, Humana had to notify 65,000 individuals, multiple state officials, the press and the HHS Office for Civil Rights (OCR) of the worker’s data breach. In its notification, Humana said unauthorized access continued from October to December before it was discovered by the now-former worker’s employer, which Humana said is named Visionary. Technically, Visionary is (or was—current status isn’t clear) a subcontractor for a company called Cotiviti, which Humana uses to develop risk adjustment scores needed for payment of certain members. Cotiviti is a business associate (BA) of Humana, the covered entity (CE).

Around the same time, Accellion Inc. was informing its clients that hackers had accessed its file transfer system[2]—among them a big law firm whose exposed documents included prescriptions written for hundreds of patients, including their names. As of RPP’s deadline, it did not appear the patients had been notified (see related story, p. 1).[3]

HIPAA compliance officials know that patient data must be safeguarded everywhere it resides and when it travels from CEs to BAs and then on to subcontractors. And as these recent incidents show, the ties that bind these organizations are crucial to ensuring proper notifications are made in the event of a breach.

But how can CEs be certain that BAs and subcontractors will perform well after an unauthorized disclosure, and in general, be compliant during their usual handling of protected health information (PHI)?

For Erin Smith Aebel, a shareholder in the Tampa, Florida, office of Trenam Law, the answer begins with due diligence in selecting BAs and subcontractors that are “worthy,” insisting on a strong business associate agreement (BAA), and implementing other oversight efforts.
