By using this site, you agree to the Privacy Policy and Terms of Use.
Accept
Health Works CollectiveHealth Works CollectiveHealth Works Collective
  • Health
    • Mental Health
    Health
    Healthcare organizations are operating on slimmer profit margins than ever. One report in August showed that they are even lower than the beginning of the…
    Show More
    Top News
    health benefits of taking a vacation to reduce stress
    Relaxing European Destinations to Reduce Stress Risks to Health
    October 11, 2021
    pain management tips
    Managing Pain Differently: Alternative Pain Management Techniques
    January 12, 2022
    5 Ways to Promote Wellness in Your Home
    April 12, 2022
    Latest News
    The Wide-Ranging Benefits of Magnesium Supplements
    June 11, 2025
    The Best Home Remedies for Migraines
    June 5, 2025
    The Hidden Impact Of Stress On Your Body’s Alignment And Balance
    May 22, 2025
    Chewing Matters More Than You Think: Why Proper Chewing Supports Better Health
    May 22, 2025
  • Policy and Law
    • Global Healthcare
    • Medical Ethics
    Policy and Law
    Get the latest updates about Insurance policies and Laws in the Healthcare industry for different geographical locations.
    Show More
    Top News
    Healthcare Spend at Historic Low
    August 8, 2011
    Can “Portfolio Theory” Be Applied to NIH Funding Decisions?
    May 18, 2012
    Changing Behavior to Conquer Obesity
    September 23, 2012
    Latest News
    Streamlining Healthcare Operations: How Our Consultants Drive Efficiency and Overall Improvement
    June 11, 2025
    Building Smarter Care Teams: Aligning Roles, Structure, and Clinical Expertise
    May 18, 2025
    The Critical Role of Healthcare in Personal Injury Recovery: A Comprehensive Guide for Victims
    May 14, 2025
    The Backbone of Successful Trials: Clinical Data Management
    April 28, 2025
  • Medical Innovations
  • News
  • Wellness
  • Tech
Search
© 2023 HealthWorks Collective. All Rights Reserved.
Reading: Organization fined $418,000 for business associate HIPAA breach
Share
Notification Show More
Font ResizerAa
Health Works CollectiveHealth Works Collective
Font ResizerAa
Search
Follow US
  • About
  • Contact
  • Privacy
© 2023 HealthWorks Collective. All Rights Reserved.
Health Works Collective > Policy & Law > Medical Ethics > Organization fined $418,000 for business associate HIPAA breach
eHealthMedical EthicsMedical RecordsPolicy & Law

Organization fined $418,000 for business associate HIPAA breach

Brad Spannbauer
Last updated: May 22, 2018 11:28 pm
Brad Spannbauer
Share
7 Min Read
SHARE

 

Contents
A harsh settlement and a stark reminder3 questions healthcare organizations need to ask their BAs

Virtua Medical Group – a physician network –  has been fined $418,000 by the New Jersey Attorney General’s Office for failing to safeguard electronic protected health information (ePHI) belonging to more than 1,650 patients.

The data breach occurred following misconfiguration of a database held by one of Virtua’s business associates, Best Medical Transcription. The third-party vendor had been contracted by Virtua to transcribe sensitive data held within medical notes, reports, and letters.

The transcribed notes containing sensitive data were uploaded to a password-protected website at Best Medical Transcription; however, password protection had accidently been removed in January 2016 during a software update. This slip-up caused patient data to become readily available, without any need for authentication. Worse still, content from the vendor’s server wound up being indexed by search engines and could easily be found by simply searching for any terms contained within the notes online.

More Read

Health Barometer – Youth Lead the Way
China – Future Obesity Treatment Market
Join Me for My EHR Usability Webinar on November 30 at 1:00p
A Quick Resource Kit for ‘Hospitals and Social Media’
Ways to Make Your Images Work for You

Best Medical Transcription became aware of the lapse in password protection and a potential breach, but it did not notify Virtua Medical Group that data had been exposed.

A harsh settlement and a stark reminder

The Attorney General ruled that there had been multiple accounts of non-compliance with Health Insurance Portability and Accountability Act (HIPAA) requirements, subjecting Virtua to the ruling, despite the fact that the breach technically affected one of its business associates.

Virtua was chastised for failing to conduct a thorough risk analysis of its business associate (BA), Best Medical Transcription, and as a result, electronic Protected Healthcare Information (ePHI) was communicated at the cost of patient confidentiality. Furthermore, the medical group was also condemned for implementing inadequate security measures to reduce the risk potential. The investigation also revealed that Virtua didn’t have a security awareness and training program for staff in place, and there had been “unacceptable delays” in identifying and responding to the data breach.

In a statement, the Attorney General said “Electronically stored data is vulnerable to security breaches and doctors must follow strict rules to safeguard it. When they don’t, patients are personally exposed and the trust they have in their doctors can be irrevocably broken”.

In addition to the financial penalty of $418,000, Virtua Medical Group has agreed to undertake a robust corrective action plan which includes hiring a third-party security professional to conduct a comprehensive risk analysis relating to the company’s handling, transmission, and storage of ePHI, and to perform further risk assessments every two years.

This enforcement action should serve as a stark reminder for healthcare providers (known under HIPAA as ‘covered entities’) to thoroughly vet their third-party vendors to ensure security best practices are being followed, and sensitive data remains protected at all times. Failure to comply can result in significant financial and reputational damage. HIPAA covered entities must remain mindful of their vendors and BAs, ensuring they are compliant before giving them any access to sensitive data.

This action may also indicate a trend towards increased enforcement of HIPAA by the states.  Most of the enforcement actions that come to the public’s attention are brought by the federal department of health and human services office of civil rights (HSS-OCR). However, under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act’s amendment to HIPAA in 2013, state attorney generals now have authority to bring civil actions in federal district court to enforce HIPAA when the interests of state citizens have been affected. And some state privacy laws are even stricter than the federal legislation.

3 questions healthcare organizations need to ask their BAs

  1. Does the vendor identify themselves as a Business Associate?
    Clarity is key when dealing with third-party organizations. If a vendor is providing services that require exchange of PHI and/or ePHI, it is vital that they recognize themselves as a BA, and be willing to sign a BAA. In the eyes of the regulator, if a third party creates, receives, maintains, or transmits ePHI, they are a BA whether they realize it or not.  HIPAA requires that covered entities enter into agreements with their business associates to ensure they will appropriately safeguard protected health information (see 45 C.F.R. §164.308(b)).  Consequently, if a healthcare provider exchanges ePHI with a BA without first having signed a BAA, they are not in compliance with HIPAA.2. How and where will sensitive data be stored, accessed, and shared?
    It is essential to understand how BAs collect, store, process and transfer ePHI, as well as how they protect that ePHI from unauthorized access.  A signed business associate agreement should be in place for both parties, contractually outlining in detail how sensitive data will be managed.

    Additionally, it is a good idea to understand how a BA goes about vetting, training, and educating its employees – after all, policies and procedures are only as good as the employees who are implementing them. Ultimately, the covered entity is responsible for protecting patient data, and if the BA fails to provide adequate security, it is the covered entity that will be held responsible.

  2. Is there an incident response plan in place?
    No organization is immune from a data breach. Therefore, it’s important that the BA has planned ahead and accounted for any potential contingencies with a detailed incident response plan. This should include mandated provisions to notify the covered entity as soon as possible of any potential security gaps or events.

Online faxing service, eFax Corporate helps ensure your online faxing complies with the strictest mandates of HIPAA. Click here to discover how eFax Corporate® helps keep your faxes HIPAA compliant.

Share This Article
Facebook Copy Link Print
Share
By Brad Spannbauer
A 20 year industry veteran, Brad Spannbauer currently oversees product strategy and planning, and provides direction and market leadership for j2 Cloud Connect's worldwide business as their Senior Director of Product Management. His focus in the Healthcare and Legal verticals led to Brad's involvement with the j2 Cloud Services™ compliance team, where he leads the team as the company's HIPAA Privacy & Compliance Officer. To find out more visit https://enterprise.efax.com/

Stay Connected

1.5kFollowersLike
4.5kFollowersFollow
2.8kFollowersPin
136kSubscribersSubscribe

Latest News

Streamlining Healthcare Operations: How Our Consultants Drive Efficiency and Overall Improvement
Global Healthcare Policy & Law
June 11, 2025
magnesium supplements
The Wide-Ranging Benefits of Magnesium Supplements
Health
June 11, 2025
Preparing for the Next Pandemic: How Technology is Changing the Game
Technology
June 6, 2025
migraine home remedies and-devices
The Best Home Remedies for Migraines
Health Mental Health
June 5, 2025

You Might also Like

PPACA: “It’s in there!”

March 25, 2011

Poll Position – How You Ask the Question Matters

September 24, 2011

Dispelling the Myths of a Healthcare IT Investment ‘Bubble’

July 16, 2011
eHealth

Why “Visitors” is a Misleading Metric for Your Hospital Website

November 19, 2015
Subscribe
Subscribe to our newsletter to get our newest articles instantly!
Follow US
© 2008-2025 HealthWorks Collective. All Rights Reserved.
  • About
  • Contact
  • Privacy
Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?