UnityPoint Health, a health system located in Iowa, recently informed 1,800 patients of a breach of their health information. UnityPoint learned of the breach after an audit discovered that a third-party contractor’s employee had improperly gained access to the UnityPoint electronic health record (EHR) system and viewed the records of the 1,800 patients.
The UnityPoint breach shows the risks of allowing third-party contractors, known as “business associates,” to access health information in an EHR system. While such access may be required for certain activities, including billing, claims management, or utilization review, providers must be certain that the business associate agreements with such contractors include strong protections for the provider.
For example, business associate agreements should include requirements for the business associate to indemnify the provider for expenses resulting from HIPAA breaches, pay all notification costs associated with such breaches, and maintain insurance policies that provide coverage for a large breach.
Although strong language in a business associate agreement provides legal protection for a provider, it will do nothing to counteract the public relations fallout that results from notifying patients of a breach. Therefore, providers should make every effort to contract with legitimate entities that understand HIPAA compliance.
If you would like more information about HIPAA compliance, please contact Casey Moriarty.