For many healthcare organizations, Business Associate Agreements ("BAAs") have historically been little more than a low-priority formality. Now, covered entities must ensure that their BAAs adequately address downstream compliance obligations, in particular those triggered by an unauthorized access, use, or disclosure of PHI. To mitigate this risk, providers will need to be more vigilant in identifying risk posed by existing or potential vendors.
Data breaches have been on the rise since breach reporting became a requirement. Approximately 30 percent of the breaches posted since September 2009 implicate a vendor, and those breaches account for nearly 60 percent of the records lost or stolen. Covered entities are at risk of incurring substantial regulatory penalties and other financial costs, possibly in the millions of dollars, even for a single breach.
"Another nugget of interest which we can glean from these data is the breakdown between breaches attributed to covered entities (CAs) themselves and to their business associates (BAs). As shown in fig. 5, only 96 of the 435 breaches included in the HHS database were attributed to BAs, but they accounted for the lion's share of the records lost or stolen."

Statistics and quote courtesy of the Lumension Blog, "By the Numbers: US Healthcare Data Breaches" (July 12th, 2012).