Many studies have found that healthcare organizations are still not prepared for a breach; fortunately, HIPAA compliance is not optional, so they cannot simply opt out of security. At the very least, HIPAA requirements can kick-start an organization's security program and eventually lead to better protection of the facility, its medical devices, and the sensitive data it holds. One area of HIPAA compliance that demands particular attention is the sharing of health information with third parties.
HIPAA rules apply not only to entities that handle health information, but also to third parties
At first glance, many organizations assume that HIPAA applies only to healthcare providers and health plans; this is not the case. HIPAA rules also apply to any third-party business associate (a law firm, a records-storage company, a cloud provider) that performs functions or activities involving protected health information (PHI) on behalf of a healthcare organization.
- The HIPAA Privacy Rule permits a covered entity to disclose PHI to a business associate only after obtaining satisfactory assurances that the business associate will use the information solely for the purposes for which the covered entity engaged it, will safeguard the information from misuse, and will help the covered entity carry out some of its own duties under the Privacy Rule.
- Because these assurances must be in writing, they take the form of a Business Associate Agreement (BAA). A covered entity that shares PHI without a BAA in place with every business associate is not only exposed to breaches it has no contractual means to manage; the missing agreement is itself a HIPAA violation that can draw penalties on its own.
- The absence of a BAA matters for a second reason: some third parties have tried to avoid signing one by claiming the conduit exception. That exception, which HHS reaffirmed as a narrow one in the 2013 Omnibus Rule, is reserved for entities that merely transport or transmit PHI and access it only rarely and incidentally, such as internet service providers or couriers. A vendor that stores PHI at rest, even encrypted PHI it cannot read, is a business associate rather than a conduit and must sign a BAA.
It is in the best interest of every healthcare organization to cover all its bases regarding to whom it discloses PHI, to verify that those third parties can actually meet HIPAA requirements, and above all to protect the patients who entrust their PHI to the organization.
If patient safety is not enough of a motivator, costs should keep healthcare organizations on their toes. A recent Ponemon Institute study found that health data breaches are becoming both more frequent and more expensive.
- Almost 90% of the healthcare organizations surveyed by the Ponemon Institute had suffered a data breach in the past two years, and the study estimated the annual cost of those breaches to the industry at $6.2 billion.
Furthermore, failing to comply with HIPAA can result in civil and criminal penalties. Civil penalties are monetary, ranging from $100 to $50,000 per violation and capped at $1.5 million per year for violations of the same provision. Criminal penalties can include prison time of up to 10 years for the most serious offenses. And HIPAA is only the federal floor: state laws differ, and many add obligations of their own.
- California, for example, has some of the most stringent patient privacy laws in the country and was the first state to enact a security breach notification law. At the other end of the spectrum, states such as Alabama and South Dakota have no breach notification law at all. Still other states give individuals a private right of action, allowing them to sue organizations directly for privacy violations.
Healthcare executives should make sure their business associates are genuine partners in safeguarding PHI; that is the least they can do to protect the privacy and security of their patients. It is also time to take healthcare data security up a notch and go beyond the HIPAA compliance baseline. A healthcare facility is only as secure as its investment in its security program.
Let's have a chat and evaluate the state of security for your network, mobile devices, insider threats, and other potential weak points. It can't hurt to spend 15 minutes finding out whether you are one step away from being hacked.
Schedule your free infosec consultation today.