Behavioral Health Data Breach Affects 67,000
A behavioral health practice based out of Springfield, Missouri has notified 67,493 patients of a behavioral data breach involving their medical data. The breach occurred in August of 2018–however, what makes this behavioral HIPAA breach unique is that a vendor, not the provider itself, was ultimately responsible for the breach.
This raises serious concerns about the growing trend of data breaches affecting health care organizations and their patients originating from a behavioral data breach caused by a vendor. Under HIPAA regulation, a mental health HIPAA breach that is caused by a vendor can ultimately impact providers if there isn’t an effective compliance program in place.
Behavioral HIPAA Breach
According to the behavioral health data breach notice, Burrell Behavioral Health reported that its business associate had an internet-accessible portal that contained health care data that it was maintaining on behalf of the practice. The data breach occurred when a server was made available to the public which contained the names, addresses, phone numbers, birth dates, and services rendered, insurance information, driver’s license numbers, and Social Security numbers of Burrell’s patients.
An investigation into the behavioral health data breach was conducted, which revealed that the data was not made available through search engines. However, the fact that the information was made publically available still constitutes a data breach.
HIPAA regulation defines business associates as any vendors who are paid to handle to handle protected health information (PHI). PHI is any demographic information that can be used to identify a patient. Common examples of PHI include a patient’s name, address, phone number, email address, Social Security number, insurance ID number, and medical records, to name a few.
HIPAA regulation demands that providers execute a business associate agreement (BAA) with any business associates before any PHI can be shared. That means that telehealth providers who work with video chat platforms, cloud storage providers, patient portals, and billing services, must ensure that BAAs have been executed before any PHI may be accessed by those vendors.
BAAs are one of the most effective ways of protecting your behavioral health practice from liability in the event of a mental health HIPAA breach that has been caused by a vendor. In this case, Burrell Behavioral Health says that they have an effective security program in place, but fail to mention if a BAA was executed with their vendor.
This is just one of many data breaches affecting healthcare organizations around the country day after day. With the increasingly digital nature of health care information, HIPAA compliance and data security must become a priority for maintaining the privacy and security of patient data.
If you need assistance with HIPAA compliance, consider working with our TBHI affiliate, the HIPAA Compliancy Group. (When you purchase services from them, TBHI will be paid a small commission.) They can help you support your HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance. The Guard is built to address the HIPAA regulations, including guided walkthroughs of HIPAA Risk Assessments. With The Guard, you can focus on running your practice while keeping your patients’ data protected and secure. Compliancy Group’s team of expert Compliance Coaches® can also field questions and guide you through the implementation process, taking the stress out of managing compliance. Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!
Ransomware hackers attack smaller healthcare practices daily, creating serious data breaches and HIPAA violations. Are you and your clients/patients vulnerable, too?
Managing social media use and HIPAA compliance can lead to some of the most common misunderstandings faced by healthcare providers. Improperly trained employees can expose your organization to HIPAA violations and costly fines!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.