HIPAA Business Associate Agreement

829K Record Data Breach: HIPAA Business Associate Agreement

by Lee Slaton        12/30/2020

Importance of HIPAA Business Associate Agreements

HIPAA Business Associate Agreements are required to reach compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This recent record-breaking breach proves the importance of Business Associate Agreements.

Who is at fault for a HIPAA breach?

Of course, as a health care provider, you’re responsible for your patients’ protected health information (PHI). But what if one of your vendors that has access to your patients’ PHI sustains a data breach? Who’s at risk—you, the practice owner, or your vendor?

The answer (as Clinton-esque as it sounds) is, “it depends.”

Specifically, it depends on whether you have a good HIPAA Business Associate Agreement in place with the vendor that sustained the breach.

Recent HIPAA Business Associate Data Breach

Consider this. A recent data breach of 829,454 patient records occurred at Luxottica—the world’s largest eyewear company and owner of brands such as Ray-Ban and Oakley.

Luxottica partners with LensCrafters, Target Optical, EyeMed, Pearle Vision, and other eye care providers. Much like software services provided to dental practices by some dental service organizations, cloud-based data backup companies, or appointment reminder services, Luxottica provides their partners web-based appointment scheduling software for their patients.

According to Luxottica’s breach notification, their appointment-scheduling application was hacked by unknown individuals on Aug. 5, 2020. The attackers potentially gained access to personal and protected health information of patients of Luxottica’s partners.

Here’s why it’s imperative for your practice to have a properly executed Business Associate Agreement with each of your vendors that has access to your patients’ PHI:

If a practice owner does not have a properly written and executed Business Associate Agreement with the vendor who sustained the data breach, the practice owner is on the hook for the HIPAA data breach.

If the practice owner does have a properly written and executed HIPAA Business Associate Agreement with the vendor who sustained the breach, the liability for the breach is on the shoulders of the vendor.

Can my practice use a HIPAA Business Associate Agreement template?

Your HIPAA Business Associate Agreement should reflect the relationship between your office and the particular business associate. This means you shouldn’t rely on standardized templates.

Smart Training’s Certified HIPAA Professional can help

Jim Moore, Smart Training’s Certified HIPAA Professional, can create Business Associate Agreements customized for your practice and each of your business associates. Jim Moore also creates your other HIPAA documents for you.

Smart Training’s Dental Platinum+, Dental Essentials, and Complete Medical Compliance packages provide you with all the HIPAA documents you need. We take the burden of HIPAA compliance off your shoulders, so you can get back to treating your patients!

If you have none of the packages above, request a free demo with a Compliance Adviser.

Smart Training
820 W Spring Creek Pkwy, Ste 400-R, Plano, TX 75023