Vendor Breach: Who’s Responsible


Posted by Amy Wood on Nov 29 2018, 07:53 PM


How would you feel if you were plunged into a potential data breach through no fault of your own? Imagine it. You have completed all the training for yourself and your staff, you have completed your risk assessment and mitigated any issues that arose, you have Business Associate Agreements in place, and you know what is required of you to keep your patients' data safe. You. Are. Set. Except you're not.

One of your vendors potentially breaches your client data! Who is at fault? Who has to pay the potential fines? Who has to pay for the notices and mitigate any problems that may arise? It could still be you! How? You signed a Business Associate Agreement (BAA); doesn't that mean the vendor is on the hook? Not if you didn't review the BAA. Not all BAAs are alike. Some are so generic that they say nothing of substance, while others accept no responsibility and place all of it on you, regardless of how the breach occurred.

This is what happened to Key Dental Group when their vendor refused to return the practice's EMR database at the termination of its contract. As reported: "It violates both the EULA and several portions of HIPAA. As Key Dental can no longer view or monitor the database to ensure the security of patient data, officials have begun to notify patients."

This is why we at ACS are so emphatic about completing our clients' Business Associate Reviews. We read every BAA and demand a clear outline of who bears the financial responsibility when the vendor breaches data.

Sadly, many new vendors may not know how to adhere to HIPAA, or may not be capable of it; they believe that simply signing a stock BAA is all they are required to do, and they are not as concerned about actually complying with the terms of their contract.

Don't be caught in the crosshairs between your patient data and your vendors. After all the work you have done to safeguard your ePHI, don't allow your vendors to leave you holding the proverbial bag when they are the ones who violated HIPAA.

If you haven't reviewed all of your BAAs word for word, you could be next. Call ACS today at 707-888-1191 and ask for our Business Associate Review.
