Healthcare Data Privacy

Former Nurse Convicted of Theft of Patient Information and Tax Fraud

Posted by HIPAA Journal

A former nurse from Midway, FL has been convicted of wire fraud, theft of government funds, possession of unauthorized access devices and aggravated identity theft by a court in Tallahassee.

41-year old Tangela Lawson-Brown was employed as a nurse in a Tallahassee nursing home between October 2011 and December 2012. During her time at the nursing home, Lawson-Brown stole the personal information of 26 patients, although she was discovered to have a notebook containing the personal information of 150 individuals.

According to a press release issued by the United States Attorney’s Office for the Northern District of Florida, Lawson-Brown’s husband was arrested in January 2013 and items were seized from Lawson-Brown’s vehicle by the Tallahassee Police Department, including the notebook.

The police investigation revealed that in 2011, Lawson-Brown used the stolen credentials to file fraudulent tax returns in the names of 105 individuals, including 24 patients of the nursing home. Lawson-Brown filed claims totaling more than $1 million. The IRS detected many of the claims as fraudulent, although $141,790 in tax refunds was issued by the IRS.

The refunds were deposited in multiple bank accounts controlled by Lawson-Brown and the funds were used to pay personal expenses, cover car repairs, and to pay off her mortgage.

Lawson-Brown will be sentenced on January 4, 2018. She faces a maximum jail term of 20 years for each count of wire fraud, 10 years for each count of theft of government funds and possession of unauthorized access devices, and an additional 2 years will be added to her sentence for aggravated identity theft.

U.S. Attorney for the Northern District of Florida, Christopher P. Canova, said, “This case illustrates the vulnerability of elderly and disabled persons.  Relatives and other caregivers should be alert to unauthorized tax returns, bank accounts, credit cards, and financial transactions, and should immediately report identity theft crimes to law enforcement agencies.”

The post Former Nurse Convicted of Theft of Patient Information and Tax Fraud appeared first on HIPAA Journal.

Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance?

Posted by HIPAA Journal

Should covered entities monitor business associates for HIPAA compliance or is it sufficient just obtain a signed, HIPAA-compliant business associate agreement?

If a business associate provides reasonable assurances to a covered entity that HIPAA Rules are being followed, and errors are made by the BA that result in the exposure, theft, or accidental disclosure of PHI, the covered entity will not be liable for the BA’s HIPAA violations – provided the covered entity has entered into a business associate agreement with its business associate.

It is the responsibility of the business associate to ensure compliance with HIPAA Rules. The failure of a business associate to comply with HIPAA Rules can result in financial penalties for HIPAA violations for the business associate, not the covered entity.

A covered entity should ‘obtain satisfactory assurances’ that HIPAA Rules will be followed prior to disclosing PHI. While covered entities are not required by HIPAA to monitor business associates for HIPAA compliance, they should obtain proof that their business associate has performed an organization-wide risk analysis, has developed a risk management plan, and is reducing risks to an acceptable and appropriate level.

If information is provided to a covered entity which suggests noncompliance, a covered entity must act on that information. The failure of a covered entity to take appropriate action to resolve a known breach of HIPAA Rules by a business associate would be a violation of HIPAA Rules. If the business associate cannot resolve that breach, it is the responsibility of the covered entity to terminate the business associate agreement. 45 CFR § 164.504(e)

A covered entity will be in violation of HIPAA Rules if it “knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation.” If termination of the BAA is not feasible, the problem must be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Even though a covered entity is not liable for business associate HIPAA violations, any business associate breach is likely to reflect badly on the covered entity and is likely to cause harm to its patients or members. It is therefore in the interests of both parties to ensure HIPAA Rules are being followed. It may help to provide business associates with a HIPAA compliance checklist to assist them with their compliance efforts, and access to other resources to help them prevent breaches and mitigate risk.

The post Do Medical Practices Need to Monitor Business Associates for HIPAA Compliance? appeared first on HIPAA Journal.

Summary of September 2017 Healthcare Data Breaches

Posted by HIPAA Journal

There were 35 healthcare data breaches involving more than 500 records reported to the Department of Health and Human Services’ Office for Civil Rights in September 2017. Those breaches resulting in the theft/exposure of 435,202 patients’ protected health information.

September 2017 Healthcare Data Breaches

September 2017 healthcare data breaches followed a similar pattern to previous months. Healthcare providers suffered the most breaches with 25 reported incidents, followed by health plans with 8 breaches, and 2 breaches reported by business associates of covered entities.

There was a fairly even split between unauthorized access/disclosures (16 incidents) and hacking/IT incidents (15 incidents). There were three theft incidents and one lost device, all of which involved laptop computers. One incident also involved a desktop computer and another the theft of physical records. There were no reported cases of improper disposal of PHI.

 

September 2017 Healthcare Data Breaches - Breach Type

There were five attacks on network servers in September, but email attacks topped the list with 13 incidents. 6 were attributed to hacking, including two confirmed phishing attacks and one ransomware incident. The ransomware attack is also understood to have occurred as a result of an employee responding to a phishing email.

There were 7 cases of unauthorized access/disclosures via email. One of those incidents involved an employee emailing PHI to a personal email account. Another saw a healthcare employee email PHI to a relative to receive assistance with a work-related action.

September 2017 Healthcare Data Breaches - Breach Location

 

Healthcare organizations in 24 states reported data breaches in September. The worst affected states were California, Florida and Texas, with three breaches each. Arkansas, Minnesota, North Carolina, Pennsylvania, Washington and Wisconsin each had two reported incidents.

Largest Healthcare Data Breaches in September 2017

The largest healthcare data breaches in September 2017 have been detailed in the table below. Six of the top ten breaches in September were the result of hacking/IT incidents. Hacking/IT incidents resulted in the exposure of 355,084 records – 81.6% of the records exposed in all reported breaches in September. Unauthorized access/disclosures resulted in the exposure of 73,409 records – 16.87% of the total.

The largest reported data breach in September was a ransomware attack that potentially affected 128,000 patients. Data theft was not suspected, although it could not be ruled out with a high degree of certainty.

Covered Entity Entity Type Breached Records Breach Type Breach Information
Arkansas Oral & Facial Surgery Center Healthcare Provider 128,000 Hacking/IT Incident Ransomware attack
Morehead Memorial Hospital Healthcare Provider 66,000 Hacking/IT Incident Phishing attack
Network Health Health Plan 51,232 Hacking/IT Incident Phishing attack
ABB, Inc. Healthcare Provider 28,012 Hacking/IT Incident
Arkansas Department of Human Services Health Plan 26,000 Unauthorized Access/Disclosure Employee emailed PHI to a personal account
CBS Consolidated, Inc. Business Associate 21,856 Hacking/IT Incident Server hacked
MetroPlus Health Plan, Inc. Health Plan 15,212 Unauthorized Access/Disclosure Employee emailed PHI outside company
Mercy Health Love County Hospital and Clinic Healthcare Provider 13,004 Theft Paper records stolen from a storage unit
The Neurology Foundation, Inc. Healthcare Provider 12,861 Unauthorized Access/Disclosure Employee stole PHI
Hand & Upper Extremity Centers dba Hand Rehabilitation Specialists Healthcare Provider 12,806 Hacking/IT Incident Data theft and extortion attempt

The post Summary of September 2017 Healthcare Data Breaches appeared first on HIPAA Journal.

New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity

Posted by HIPAA Journal

A new partnership has been announced between CHIME’s Association for Executives in Healthcare Information Security (AEHIS) and the Foundation for Innovation, Translation and Safety Science’s Medical Device Innovation, Safety and Security Consortium (MDISS). The aim of the new collaboration is to help advance medical device cybersecurity and improve patient safety.

The two organizations will work together to help members identify, mitigate, and prevent cybersecurity threats by issuing cybersecurity best practices, educating about the threats to device security, training members, and promoting information sharing.

For the past three years, AEHIS has been helping healthcare organizations improve their information security defences. More than 700 CISOs and other healthcare IT security leaders have benefited from the education and networking opportunities provided by AEHIS. AEHIS helps its members protect patients from cyber threats, including cyberattacks on their medical devices, though its educational efforts, sharing best practices, and many other activities.

MDISS now consists of more than 2,000 hospitals and dozens of medical device manufacturers who are working together to improve medical device cybersecurity. MDISS has helped to make medical device risk assessments cheaper, faster, and more accessible, while bringing together regulatory bodies, patient advocates, insurers, security researchers, medical device manufacturers, and healthcare providers to advance best practices in medical device cybersecurity and risk management.

It is hoped that the collective voice of AEHIS and MDISS will help to improve information security practices and ensure patients – and health data – are better protected.

“The scale and reach of AEHIS’ education network is a perfect complement to MDISS’ continuous release of envelope-pushing technologies and best practices,” said Dale Nordenberg, executive director of MDISS. “AEHIS will play a key role in accelerating the adoption of next-generation medical device security assessment platforms like MDRAP.”

“Together, AEHIS and MDISS joining forces to advocate and advance better medical device security will benefit AEHIS members and MDISS stakeholders alike,” said Sean Murphy, chair of the AEHIS collaborative relationships committee and vice president and CISO at Premera Blue Cross.

Key Goals of the New Partnership

  • Educating healthcare organizations about medical device cybersecurity strategies
  • Developing and sharing medical device cybersecurity best practices
  • Promoting the adoption of the NIST’s cybersecurity framework
  • Identifying new best practices for securing medical devices and mitigating vulnerabilities
  • Increasing awareness of medical device vulnerabilities among federal policymakers
  • Determining best practices to engage members in advocacy for cyber protection of medical devices
  • Examining the issues that are preventing the sharing of cybersecurity and medical device vulnerability information and helping to support information sharing through existing or modified information sharing efforts.

The post New AEHIS/ MDISS Partnership to Focus on Advancing Medical Device Cybersecurity appeared first on HIPAA Journal.

Internet of Medical Things Resilience Partnership Act Approved

Posted by HIPAA Journal

The passage of the Internet of Medical Things Resilience Partnership Act has been approved by the U.S. House of Representatives.

The main aim of the bill is to establish a public-private stakeholder partnership, which will be tasked with developing a cybersecurity framework that can be adopted by medical device manufacturers and other stakeholders to prevent data breaches and make medical devices more resilient to cyberattacks.

The range of medical devices now being used in healthcare is considerable and the number is only likely to grow. As more devices are introduced, the risk to patients increases. These devices are currently used in hospitals, worn by patients, fitted surgically, or used at home. The devices include drug infusion pumps, ventilators, radiological technologies, pacemakers, and monitors.

If appropriate safeguards are not incorporated into the devices, they will be vulnerable to attack. Those attacks could be performed to gain access to the data stored or recorded by the devices, to use the devices to launch attacks on healthcare networks, or to alter the function of the devices to cause patients harm. What is certain is that if nothing is done, the devices will be attacked and healthcare organizations and patients are likely to be harmed.

The Internet of Medical Things Resilience Partnership Act was introduced by Representatives Dave Trott (D-MI) and Susan Brooks (R-IN) last week. Rep Brooks said, “It is essential to provide a framework for companies and consumers to follow so we can ensure that the medical devices countless Americans rely on and systems that keep track of our health data are protected.”

“In our nation’s hospitals, technology has helped provide better quality and more efficient health care, but the perpetual evolution of technology – its greatest strength – is also its greatest vulnerability,” explained Rep. Trott.

The bill suggests the working group should be led by the U.S. Food and Drug Administration (FDA), and should include representatives from the National Institute of Standards and Technology (NIST), the HHS’ Office of the National Coordinator for Health Information Technology (ONC), the Cybersecurity and Communications Reliability Division of the Federal Communications Commission (FCC), and the National Cyber Security Alliance (NCSA).

At least three representatives of each of the following groups should also join the working group: health care providers, health insurance providers, medical device manufacturers, cloud computing, wireless network providers, health information technology, web-based mobile application developers, and hardware and software developers.

The group will be tasked with developing a cybersecurity framework for medical devices based on existing cybersecurity frameworks, guidance, and best practices. The working group should also identify high priority gaps for which new or revised standards are needed, and develop an action plan to ensure those gaps are addressed.

The working group will be required to submit its report no later than 18 months from the passing of the  Internet of Medical Things Resilience Partnership Act.

The post Internet of Medical Things Resilience Partnership Act Approved appeared first on HIPAA Journal.

53% of Businesses Have Misconfigured Secure Cloud Storage Services

Posted by HIPAA Journal

The healthcare industry has embraced the cloud. Many healthcare organizations now use secure cloud storage services to host web applications or store files containing electronic protected health information (ePHI).

However, just because secure cloud storage services are used, it does not mean data breaches will not occur, and neither does it guarantee compliance with HIPAA. Misconfigured secure cloud storage services are leaking sensitive data and many organizations are unaware sensitive information is exposed.

A Business Associate Agreement Does Not Guarantee HIPAA Compliance

Prior to using any cloud storage service, HIPAA-covered entities must obtain a signed business associate agreement from their service providers.

Obtaining a signed, HIPAA-compliant business associate agreement prior to the uploading any ePHI to the cloud is an important element of HIPAA compliance, but a BAA alone will not guarantee compliance. ePHI can easily be exposed if cloud storage services are not configured correctly.

As Microsoft explains, “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

Configure your account correctly and your data will be secure. Make a mistake and data will be exposed and you could easily violate HIPAA Rules.

Misconfigured Secure Cloud Storage Services

When it comes to secure cloud storage, many organizations believe their cloud environments have been secured, but that is often not the case. How many businesses are leaving data exposed? According to a recent study by cloud threat defense firm RedLock, more than half of businesses have made mistakes that have exposed sensitive data in the cloud.

The report reveals many organizations are not following established security best practices, such as using multi-factor authentication for all privileged account users. To make matters worse, many businesses are failing to monitor their cloud environments which means data is being exposed, but not detected.

The problem appears to be getting worse. RedLock’s last analysis for Q2 revealed 40% of businesses had misconfigured at least one of their cloud storage services – Amazon Simple Storage Service (Amazon S3) for example. A new analysis, published in its latest Cloud Security Trends Report, shows that percentage jumped to 53% between June and September 2017.

Key Findings

  • 53% of organizations have at least one exposed cloud storage service
  • 38% of users exposed data through compromised administrative user accounts
  • 81% are not managing host vulnerabilities in the cloud
  • 37% of databases accept inbound connection requests from suspicious IP addresses
  • 64% of databases are not encrypted
  • 45% of Center of Internet Security (CIS) compliance checks are failed
  • 48% of Payment Card Industry Data Security Standard (PCI DSS) compliance checks fail
  • 250 organizations were found to be leaking credentials to their cloud environments on internet-facing web servers

Cloud Misconfigurations Result in Data Breaches

One need look no further than the widespread misconfigured MongoDB installations that were discovered by hackers in January 2017. Misconfigured databases were plundered, data deleted, and ransom demands issued. More than 26,000 MongoDB databases were hijacked and held for ransom.

Is it not just small organizations that are making errors that are resulting in data exposure and data breaches. The Equifax data breach, which saw the records of more than 143 million Americans exposed, was the result of the failure to address a known vulnerability in Apache Struts; a framework that supported its dispute portal web application. Equifax CEO Richard Smith recently told the House Energy and Commerce Committee that the missed patch was due to a mistake by a single employee.

British insurance giant Aviva found out one of its cloud environments had been ‘hacked’ and was being used to mine Bitcoin. Kubernetes administration consoles were used to gain access to its cloud environment with ease. Its administration consoles lacked passwords.

RedLock is not the only company to report on the problem. IBM X-Force said it has tracked more than 1.3 billion records that were exposed as a result of misconfigured servers up to September 2017.

Training will only go so far. You can train your employees never to leave the firewall turned off, yet occasionally that happens. Bad errors can also occur in the cloud that will similarly lead to data breaches. Leave the door open to hackers and they will infiltrate cloud environments, steal data, and hold organizations to ransom.

What organizations must do is to make sure all doors have been closed and locked. Unless organizations proactively monitor their cloud environments, they will be unaware there is a problem until it is too late.

The post 53% of Businesses Have Misconfigured Secure Cloud Storage Services appeared first on HIPAA Journal.

Is WhatsApp HIPAA Compliant?

Posted by HIPAA Journal

When WhatsApp announced it was introducing end-to-end encryption, it opened up the prospect of healthcare organizations using the platform as an almost free secure messaging app, but is WhatsApp HIPAA compliant?

Many healthcare employees have been asking if WhatsApp is HIPAA compliant, and some healthcare professionals are already using the text messaging app to send protected health information (PHI).

However, while WhatsApp does offer far greater protection than SMS messages and some other text messaging platforms, WhatsApp is NOT HIPAA compliant for several reasons.

Why Isn’t WhatsApp HIPAA Compliant?

First, it is important to point out that no software platform or messaging app can be truly HIPAA compliant, because HIPAA compliance is not about software. It is about users. Software can support HIPAA compliance and incorporate all the necessary safeguards to ensure the confidentiality, integrity, and availability of ePHI, but those controls can easily be undone by users.

HIPAA does not demand that encryption is used. Provided an alternate, equivalent measure is implemented in its place, encryption is not required. Since WhatsApp now includes end-to-end encryption, this aspect of HIPAA is satisfied.

Access controls are also required – See 45 CFR § 164.312(a)(1). This is one area where WhatsApp is not HIPAA compliant. If WhatsApp is installed on a smartphone, anyone with access to that smartphone will be able to view the messages in the user’s WhatsApp account, without the need to enter in any usernames and passwords. That means any ePHI included in conversations would also be accessible. Additional security controls may be installed on a smartphone to authenticate users before the device can be accessed, but even when those controls have been applied, notifications about new messages can often be seen without opening the App or unlocking the device.

HIPAA also requires audit controls – See 45 CFR § 164.312(b). This is another area where WhatsApp is not HIPAA compliant. Messages and attachments are saved, although they can easily be deleted. There is also no HIPAA compliant audit trail maintained in WhatsApp. All data in the account would also need to be backed up. Currently, if you switch phones, your account will be preserved, but your messages will not.

Then there is the issue of what happens to ePHI in a WhatsApp account on a personal device after the user leaves the company. Controls would need to be incorporated to ensure all messages containing ePHI are permanently erased. That would be a logistical nightmare for any covered entity, as it could not be performed remotely, finding messages would be next to impossible, and users would likely object to their WhatsApp being deleted.

Regardless of the features of WhatsApp and how well data is protected in transit, at the time of writing, WhatsApp will not sign a business associate agreement with a HIPAA covered entity. If HIPAA covered entities want to use WhatsApp, before any ePHI is sent, a HIPAA compliant business associate agreement must be signed with WhatsApp. Even though WhatsApp does not read text messages, that does not mean that no business associate agreement would be required.

So, Is WhatsApp HIPAA compliant? In its current form no. When it comes to WhatsApp and HIPAA compliance, even if covered entities were to use additional controls to prevent accidental disclosures, until WhatsApp is willing to sign a BAA, the service cannot be used to send ePHI without violating HIPAA Rules.

The post Is WhatsApp HIPAA Compliant? appeared first on HIPAA Journal.

Does HIPAA Require Identity Theft Protection Services to Be Offered to Data Breach Victims?

Posted by HIPAA Journal

The HIPAA Breach Notification Rule requires covered entities to issue notifications to individuals after their ePHI has been exposed or stolen, but what about credit monitoring and identity theft protection services? Must they be offered?

HIPAA does not stipulate whether credit monitoring and identity theft protection services should be provided to individuals impacted by a data breach. The decision whether or not to provide those services is left to the discretion of the covered entity.

However, following a breach of unsecured protected health information, HIPAA-covered entities are required to provide breach victims with details of the steps that should be taken to mitigate risk and protect themselves from harm.

Those steps include obtaining a credit report from credit reporting agencies – Equifax, Experian, and TransUnion. The credit reporting bureaus must provide consumers with a free credit report once every 12 months if requested.

Breach victims should be instructed to monitor their accounts for any sign of fraudulent activity and should be told what to do if suspicious activity is identified. They should also be told to monitor their Explanation of Benefits statements for benefits that they have not received. Information should also be provided on placing a fraud alert and freeze on their credit files.

While HIPAA does not require covered entities to offer credit monitoring and identity theft protection services, state laws may differ. From October 1, 2015, a breach of Connecticut residents’ names and Social Security numbers requires the breached entity to provide a minimum of 12 months of “appropriate identity theft prevention services, and if applicable, identity theft mitigation services.”

In California, while it is not mandatory to provide credit monitoring and identity theft protection services to breach victims, if those services are provided they must be free of charge and for a minimum of 12 months. State laws are frequently updated, so covered entities should keep up to date with new legislation introduced in the states in which their patients and members reside.

Even though it may not be mandatory for healthcare organizations to provide identity theft protection services to breach victims, many choose to do so. Providing those services can help to reducing the fallout from a data breach.

Credit monitoring services should be provided to data breach victims for 12 or 24 months, if credit/debit card numbers, Social Security numbers, and/or bank account information is believed to have been stolen.

Credit monitoring services inform breach victims when credit monitoring companies receive notifications of applications for credit, loans, or when personal information is changed – changes of address or phone number for example.

Identity theft protection services cover a much broader range of activities, some of which may not show up on credit reports. These include the use of personal documentation such as Social Security numbers, Driver’s license numbers, medical ID numbers, and passport numbers.

The decision about which services to offer should be based on the level of risk breach victims are likely to face. The level of risk will be determined by the nature of the attack, the likelihood of data being used for identity theft and fraud, the risk of data being sold on, and types of data that have been exposed.

The post Does HIPAA Require Identity Theft Protection Services to Be Offered to Data Breach Victims? appeared first on HIPAA Journal.

What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity

Posted by HIPAA Journal

The terms covered entity and business associate are used extensively in HIPAA legislation, but what are the differences between a HIPAA business associate and HIPAA covered entity?

What Are HIPAA Covered Entities?

HIPAA covered entities are healthcare providers, health plans, and healthcare clearinghouses that electronically transmit health information for transactions covered by HHS standards.

Healthcare providers include hospitals and clinics, doctors, dentists, chiropractors, psychologists, pharmacies and nursing homes. Health plans include health insurance companies, company health plans, government programs that pay for healthcare, and HMO’s. Healthcare clearinghouses include transcription service companies that format data to make it compliant and organizations that process non-standard health information.

Even if an entity is a healthcare provider, health plan or healthcare clearinghouse, they are not considered a HIPAA covered entity if they do not transmit any information electronically for transactions that HHS has adopted standards. In such cases, the entity would not be required to comply with HIPAA Rules.

Legally, the HIPAA Privacy Rule only applies to covered entities, although since covered entities usually require the services of vendors, which may need access to PHI in order to perform certain tasks, the HIPAA Privacy Rule permits covered entities to share PHI with those companies.

Before PHI can be shared, vendors must agree to use the PHI only for the tasks that they have been contracted to perform. They must also agree not to disclose the PHI to other entities, and must implement safeguards to ensure the confidentiality, integrity, and availability of PHI. Covered entities must obtain ‘satisfactory assurances,’ in writing, in the form of a contract, that HIPAA Rules will be followed.

What is a HIPAA Business Associate?

A HIPAA business associate is any entity, be that an individual or a company, that is provided with access to protected health information to perform services for a HIPAA covered entity.

Software providers, whose solutions interact with systems that contain ePHI, are considered business associates, as are cloud service providers, cloud platforms, document storage companies (physical and electronic storage), collection agencies, medical billing companies, asset and document recycling companies, answering services, attorneys, actuaries, consultants, medical device manufacturers, transcription companies, CPA firms, third party administrators, medical couriers, and marketing firms. Business associates of covered entities must also comply with HIPAA Rules and can be fined directly by regulators for noncompliance.

Business associates of HIPAA covered entities must sign a contract with the covered entity, termed a business associate agreement or BAA, that outlines the responsibilities of the business associate and explains that the business associate is required to comply with HIPAA Rules.

It is the responsibility of a business associate to ensure that if any subcontractors are used, they too agree to comply with HIPAA Rules and sign a BAA. Information on when a business associate agreement is not required are detailed here.

While a business associate must agree to comply with HIPAA Rules and is responsible for ensuring the confidentiality, integrity, and availability of PHI in its possession, it is the responsibility of a covered entity to ensure that all business associates are complying with HIPAA Rules. If a business associate fails to comply with HIPAA Rules, it is the responsibility of the covered entity to take action to ensure noncompliance is corrected or the contract with the business associate is terminated.

The HHS has developed a tool that explains the differences between a HIPAA business associate and a HIPAA covered entity. You can use the tool to determine if you are a covered entity or a business associate and whether HIPAA Rules must be followed.

The post What are the Differences Between a HIPAA Business Associate and HIPAA Covered Entity appeared first on HIPAA Journal.