By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    improving patient experience
    6 Ways to Improve Patient Satisfaction Within Hospitals
    December 1, 2021
    degree for healthcare job
    What Are The Health Benefits Of Having A Degree?
    March 9, 2022
    custom software development is changing healthcare
    Digital Customer Journey Mapping and its Importance for Healthcare
    July 21, 2022
    Latest News
    Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
    May 16, 2025
    Learn how to Renew your Medical Card in West Virginia
    May 16, 2025
    Choosing the Right Supplement Manufacturer for Your Brand
    May 1, 2025
    Engineering Temporary Hospitals for Extreme Weather
    April 24, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    Can Thinking Younger Make You Live Longer?
    April 20, 2011
    Image
    Obesity’s Outlook Unchanged
    June 13, 2011
    When It’s An Emergency Elderly Not Treated As Well in Hospitals
    July 16, 2011
    Latest News
    Building Smarter Care Teams: Aligning Roles, Structure, and Clinical Expertise
    May 18, 2025
    The Critical Role of Healthcare in Personal Injury Recovery: A Comprehensive Guide for Victims
    May 14, 2025
    The Backbone of Successful Trials: Clinical Data Management
    April 28, 2025
    Advancing Your Healthcare Career through Education and Specialization
    April 16, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Organization fined $418,000 for business associate HIPAA breach
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > Policy & Law > Medical Ethics > Organization fined $418,000 for business associate HIPAA breach
eHealthMedical EthicsMedical RecordsPolicy & Law

Organization fined $418,000 for business associate HIPAA breach

Brad Spannbauer
Last updated: May 22, 2018 11:28 pm
Brad Spannbauer
Share
7 Min Read
SHARE

 

Contents
A harsh settlement and a stark reminder3 questions healthcare organizations need to ask their BAs

Virtua Medical Group – a physician network –  has been fined $418,000 by the New Jersey Attorney General’s Office for failing to safeguard electronic protected health information (ePHI) belonging to more than 1,650 patients.

The data breach occurred following misconfiguration of a database held by one of Virtua’s business associates, Best Medical Transcription. The third-party vendor had been contracted by Virtua to transcribe sensitive data held within medical notes, reports, and letters.

The transcribed notes containing sensitive data were uploaded to a password-protected website at Best Medical Transcription; however, password protection had accidently been removed in January 2016 during a software update. This slip-up caused patient data to become readily available, without any need for authentication. Worse still, content from the vendor’s server wound up being indexed by search engines and could easily be found by simply searching for any terms contained within the notes online.

More Read

Vitamin D May Prevent Macular Degeneration
Patient Satisfaction and P4P – Three Things Doctors Need to Know
Has the iPad Replaced the Stethoscope?
Sowing the Future Wearables Fields
What is Patient-Centered Care and How Does it Benefit Healthcare Providers?

Best Medical Transcription became aware of the lapse in password protection and a potential breach, but it did not notify Virtua Medical Group that data had been exposed.

A harsh settlement and a stark reminder

The Attorney General ruled that there had been multiple accounts of non-compliance with Health Insurance Portability and Accountability Act (HIPAA) requirements, subjecting Virtua to the ruling, despite the fact that the breach technically affected one of its business associates.

Virtua was chastised for failing to conduct a thorough risk analysis of its business associate (BA), Best Medical Transcription, and as a result, electronic Protected Healthcare Information (ePHI) was communicated at the cost of patient confidentiality. Furthermore, the medical group was also condemned for implementing inadequate security measures to reduce the risk potential. The investigation also revealed that Virtua didn’t have a security awareness and training program for staff in place, and there had been “unacceptable delays” in identifying and responding to the data breach.

In a statement, the Attorney General said “Electronically stored data is vulnerable to security breaches and doctors must follow strict rules to safeguard it. When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken”.

In addition to the financial penalty of $418,000, Virtua Medical Group has agreed to undertake a robust corrective action plan which includes hiring a third-party security professional to conduct a comprehensive risk analysis relating to the company’s handling, transmission, and storage of ePHI, and to perform further risk assessments every two years.

This enforcement action should serve as a stark reminder for healthcare providers (known under HIPAA as ‘covered entities’) to thoroughly vet their third-party vendors to ensure security best practices are being followed, and sensitive data remains protected at all times. Failure to comply can result in significant financial and reputational damage. HIPAA covered entities must remain mindful of their vendors and BAs, ensuring they are compliant before giving them any access to sensitive data.

This action may also indicate a trend towards increased enforcement of HIPAA by the states.  Most of the enforcement actions that come to the public’s attention are brought by the federal department of health and human services office of civil rights (HSS-OCR). However, under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA in 2013, state attorney generals now have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. And some state privacy laws are even stricter than the federal legislation.

3 questions healthcare organizations need to ask their BAs

  1. Does the vendor identify themselves as a Business Associate?
    Clarity is key when dealing with third-party organizations. If a vendor is providing services that require exchange of PHI and/or ePHI, it is vital that they recognize themselves as a BA, and be willing to sign a BAA. In the eyes of the regulator, if a third party creates, receives, maintains, or transmits ePHI, they are a BA whether they realize it or not.  HIPAA requires that covered entities enter into agreements with their business associates to ensure they will appropriately safeguard protected health information (see 45 C.F.R. §164.308(b)).  Consequently, if a healthcare provider exchanges ePHI with a BA without first having signed a BAA, they are not in compliance with HIPAA.2. How and where will sensitive data be stored, accessed, and shared?
    It is essential to understand how BAs collect, store, process and transfer ePHI, as well as how they protect that ePHI from unauthorized access.  A signed business associate agreement should be in place for both parties, contractually outlining in detail how sensitive data will be managed.

    Additionally, it is a good idea to understand how a BA goes about vetting, training, and educating its employees – after all, policies and procedures are only as good as the employees who are implementing them. Ultimately, the covered entity is responsible for protecting patient data, and if the BA fails to provide adequate security, it is the covered entity that will be held responsible.

  2. Is there an incident response plan in place?
    No organization is immune from a data breach. Therefore, it’s important that the BA has planned ahead and accounted for any potential contingencies with a detailed incident response plan. This should include mandated provisions to notify the covered entity as soon as possible of any potential security gaps or events.

Online faxing service, eFax Corporate helps ensure your online faxing complies with the strictest mandates of HIPAA. Click here to discover how eFax Corporate® helps keep your faxes HIPAA compliant.

Share This Article
Facebook Copy Link Print
Share
By Brad Spannbauer
A 20 year industry veteran, Brad Spannbauer currently oversees product strategy and planning, and provides direction and market leadership for j2 Cloud Connect's worldwide business as their Senior Director of Product Management. His focus in the Healthcare and Legal verticals led to Brad's involvement with the j2 Cloud Services™ compliance team, where he leads the team as the company's HIPAA Privacy & Compliance Officer. To find out more visit https://enterprise.efax.com/

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

Clinical Expertise
Building Smarter Care Teams: Aligning Roles, Structure, and Clinical Expertise
Health care
May 18, 2025
Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
Grounded Healing: A Natural Ally for Sustainable Healthcare Systems
Health
May 15, 2025
Learn how to Renew your Medical Card in West Virginia
Learn how to Renew your Medical Card in West Virginia
Health
May 15, 2025
Dr. Klaus Rentrop Shares Acute Myocardial Infarction heart treatment
Dr. Klaus Rentrop Shares Acute Myocardial Infarction
Cardiology
May 13, 2025

You Might also Like

If You Build It, They will Come

October 28, 2011

Why Doctors Tend to Overtreat

June 14, 2012
dental industry jobs
BusinessMedical EducationPublic Health

Most Satisfying Careers in the Dental Field

September 22, 2013

Vitamin E Supplements May be Hazardous to Bone Health

April 3, 2012
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?