Two years ago, South Shore Hospital of South Weymouth, Massachusetts, suffered a data breach when boxes of unencrypted backup tapes went missing while being shipped to their data management business associate, Archive Data Solutions, to be erased. According to HealthcareITNews.com, over 800,000 affected individuals had their personal health information compromised, including names, SSNs, financial account numbers and medical diagnoses.
The Attorney General filed suit and eventually reached a settlement – the hospital was fined a $250,000 civil penalty and required to contribute $225,000 to a state fund for protected health information protection awareness.
According to the case, the hospital never informed their business associate that ePHI (electronic protected health information) was on the tapes, and the hospital also did not perform due diligence to ensure their business associate had the appropriate safeguards in place to protect ePHI.
South Shore Hospital was also charged with the failure to sign a business associate agreement with Archive Data. Additionally, the hospital did not have any HIPAA training program in place for its workers.
This incident and the resulting fines could have been easily avoided with a bit of forethought and a more thorough vetting process for their business associates. As I’ve written about before in Five Questions to Ask Your HIPAA Hosting Provider, a healthcare organization or any related organization that deals with PHI and is seeking third-party vendors needs to check the following off their list before signing a contract:
Even if your vendor is not technically a business associate, if their service in any way may affect the availability, integrity or confidentiality of your patient health information, a business associate agreement should be a solid requirement.
Read more about HIPAA violations, including specific cases, violation types, penalties, and the most common errors made by healthcare organizations that have suffered a data breach, to help avoid a breach of your own.
Looking for more information on HIPAA IT requirements, recommendations, and the foundation of a secure HIPAA compliant data center?
Download our HIPAA Compliant Data Centers white paper now for a complete guide to HIPAA hosting with IT vendors.
Otava provides the secure, compliant hybrid cloud solutions demanded by service providers, channel partners and enterprise clients in compliance-sensitive industries. By actively aggregating best-of-breed cloud companies and investing in people, tools, and processes, Otava’s global footprint continues to expand. The company provides its customers in highly regulated disciplines with a clear path to transformation through its effective solutions and broad portfolio of hybrid cloud, data protection, disaster recovery, security and colocation services, all championed by an exceptional support team. Learn more at www.otava.com.