Healthcare organizations, like most other industries, increasingly rely on third-party vendors to help manage their data. With data breaches and cyber attacks on the rise, it is more important than ever to ensure that the businesses you work with are properly securing that data. This is especially true for protected health information (PHI), which is regulated under the Health Insurance Portability and Accountability Act (HIPAA).
Are business associates covered entities under HIPAA?
Business associates are not covered entities under HIPAA. Covered entities are health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction. A business associate is a person or organization that creates, receives, maintains, or transmits PHI on a covered entity's behalf. Since the HITECH Act and the 2013 Omnibus Rule, business associates are directly liable under HIPAA: they must comply with the HIPAA Security Rule, which sets the administrative, physical, and technical safeguards for electronic PHI, as well as the applicable provisions of the Privacy Rule and the Breach Notification Rule.
When companies work with vendors, they are entrusting them with access to sensitive data. This data may include customer information, financial records, and proprietary information. It is critical that companies ensure that their vendors have the necessary security measures in place to protect this data.
Several well-known breaches illustrate third-party risk, though not always in the way the story is usually told. In 2017, Equifax was breached through an unpatched vulnerability in Apache Struts, an open-source framework used in one of its own web applications; the flaw was in third-party code, but the failure to patch it was Equifax's. In 2018, Marriott International disclosed that the Starwood guest reservation system it had acquired had been compromised since 2014, before the acquisition, a risk inherited through a merger rather than through a vendor contract. In 2019, Capital One suffered a breach when a misconfigured web application firewall in its Amazon Web Services environment let an attacker obtain credentials and read data from its storage buckets; the cloud provider's platform was not at fault, the customer's configuration was. The common lesson is that data you hand to someone else, and systems you take on from someone else, are only as secure as the weakest party's practices, and that responsibility for PHI does not transfer with the data.
So the main point here is to assess your vendor risk. Have vendors complete a risk assessment regularly and make sure they are remediating any vulnerabilities found. The second way to hold vendors to a standard is the business associate agreement (BAA), which HIPAA requires a covered entity to have in place with every business associate before sharing PHI. The BAA should spell out the specific services being provided, the permitted uses and disclosures of PHI, the safeguards the vendor will implement to protect it, the vendor's obligation to report security incidents and breaches to you, the requirement that its own subcontractors agree to the same terms, and what happens to the PHI when the engagement ends. With the agreement in place, you can hold vendors accountable for breaches that result from their actions or inactions. Don't renew an agreement unless the vendor is current on its risk assessment. Remember that vendors do not want to lose your business and will generally be willing to complete a risk assessment if that is what it takes.
It is crucial for healthcare organizations to carefully vet and monitor their vendors to ensure that they are properly securing PHI. While business associates are not covered entities under HIPAA, they are still directly subject to HIPAA regulations and can be held accountable for data breaches that occur on their watch. By maintaining business associate agreements with your vendors and checking their risk assessments, you can help ensure that they meet the necessary security standards and take appropriate steps to protect your data.