BUSINESS ASSOCIATES: KNOW YOUR RISK?

GREATER SECURITY RISK
More vendors are touching ePHI, so the security risk is greater. 90% of covered entities have had at least one data breach in the past two years.[1]

INCREASING FREQUENCY
Since September 2009, the frequency of these breaches has risen to 46%.[8]

41% of healthcare data breaches are due to BAs.[4] This is less than half of the total number of healthcare data breaches, yet they impact the most patient records:[5]

PERCENTAGE OF TOTAL RECORDS EXPOSED BY ENTITY TYPE (chart)[6]
• Covered entities (hospitals, academic medical centers, physicians, clearinghouses): 38%
• BAs: 62%

The HIPAA Final Omnibus Rule expanded the definition and security responsibility for Business Associates (BAs). Additional vendors are now classified as BAs:
• Data storage companies
• Health Information Organizations (HIOs)
• Subcontractors of a BA, and meeting the BA definition
• Person or entity that creates, receives, maintains or transmits PHI
• Patient Safety Organizations (PSOs)
• Entities that offer personal health records

VENDORS: 5,000–20,000
BA VENDORS: MIN 700–1,500+*
*previously 250 vendors before the expanded definition

DATA BREACH SOURCES
Since 2009, about 30.1 million individuals have been affected by health data breaches.[2]

HHS must post a list of breaches of unsecured protected health information affecting 500 or more individuals.[3] This “Wall of Shame” is a prominent source; you don’t want your hospital name here. To date, 1,026 breaches have been reported involving 500 or more individuals, AND more than 116,000 breaches have been reported involving 500 or fewer individuals.[3]

TOP 3 DATA BREACHES CAUSED BY BUSINESS ASSOCIATES IN 2013:
1. TEXAS: Vendor failed to destroy microfiche containing patient records. More than 277,000 records were involved.[9]
2. INDIANA: A program glitch caused by a vendor compromised medical and financial information for up to 187,533 clients, and Social Security numbers for almost 4,000 of them.[10]
3. TENNESSEE: Patient medical history was compromised when a BA stored data on a non-secure site, affecting 32,000 patients across 48 states.[11]

WHAT’S THE TOTAL COST TO A PROVIDER OF A BREACH?
Average cost per breach over the past two years was approximately $2 million (average cost per record = $316.10).[7]

ASSOCIATED PENALTIES:
Minimum fines
• $100: Individual did not know
• $1,000: Reasonable cause
• $10,000: Willful neglect, if corrected in a timely manner
• $50,000: Willful neglect, not corrected
Maximum fines
• $50,000: Non-repeating infraction
• $1,500,000: Annual repeat

Common ways non-compliance with HIPAA data security and privacy rules is revealed:
• OIG work plan
• CMS audit
• MU Stage 1 attestation
• OCR audit
• OCR breach investigation

SAFEGUARD YOURSELF—ACT NOW
Healthcare providers should do the following for BA compliance:
• Screen 100% of current vendors and document the process
• Categorize BAs based on risk levels
• Develop assessment and vendor management protocols for each category
• Obtain a Business Associate Agreement for each BA
• Set policies and guidelines for consistency
• Oversee and manage BAs for compliance with contracts
• Implement a formal process for managing security/privacy incidents with BAs

For more information on BA management and oversight, visit https://www.vendormate.com/BA-ActNow.

References
[1] Fourth Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute, March 2014
[2] http://www.ihealthbeat.org/articles/2014/8/20/about-301m-patients-affected-by-health-data-breaches-since-2009
[3] http://www.ihealthbeat.org/articles/2014/6/16/one-in-10-us-residents-affected-by-large-health-data-breaches
[4] 2011 Cost of a Data Breach Study: United States, Ponemon Institute, March 2012
[5] Third Annual Benchmark Study on Patient Privacy & Data Security, Ponemon Institute, December 2012
[6] http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
[7] 2014 Cost of a Data Breach: Global Analysis, Ponemon Institute, May 2014
[8] http://hr.blr.com/HR-news/Benefits-Leave/HIPAA-Health-Information-Privacy/Health-privacy-HIPAA-breach-reports-on-sharp-rise#
[9] http://www.hipaasecurenow.com/index.php/another-business-associate-breach-affects-277000-patients
[10] http://www.layeredtech.com/blog/top-10hipaa-data-breaches-of-2013
[11] http://www.healthcarebusinesstech.com/vendor-mistake-causes-data-breach

Business Associate Risk Infographic
