Last week HHS fined an IT provider $650,000 for failing to properly safeguard PHI. The provider did not cause the breach intentionally, but its failure to properly secure the data and prevent a breach allowed the series of events that led to it.
A company-issued iPhone had 412 patient records on it. I have no idea why an IT person would have patient records on their cell phone, but the phone was not encrypted and it was stolen, which is a reportable breach.
The interesting part of this story is that the fine was steep for such a small number of records. Based on the report, this is due to the Business Associate's lack of compliance. The Omnibus Final Rule of 2013 mandates that Business Associates do many of the things that Covered Entities (doctors) do, such as a Risk Assessment, Employee Training, Policies & Procedures and Contingency Plans. Despite this law having been in place for 3 years, many Business Associates, including IT providers, do not have the basics in place. Most don't even know this applies to them!