HHS recently released a statement announcing a $75,000 settlement with an organization after investigating the reported unauthorized exfiltration of PHI from an unsecured server. The organization is a business associate (BA) that offers “coding, billing and onsite information technology services to health care providers.”
Many health care organizations work with BAs for exactly the services listed above. While a BA's breach is, in some ways, out of your control, there are things you and your organization can do to limit the risk of third-party breaches. Here are some NIST-based steps you can take to mitigate that risk:
Allowing BAs access to your organization’s sensitive data is always a risk. However, the above steps will help keep BAs accountable and mitigate some of the risk involved.