Business Associates, Mobile Devices Source of Many PHI Breaches
March 1, 2013 | Aging Services Risk, Quality, & Safety Guidance
Almost 57% of all large breaches of protected health information (PHI) from 2010 through 2012 involved a business associate of a healthcare organization, says a February 2013 report on PHI breaches prepared by Redspin Inc. (Carpinteria, California), a security audit firm. The report recommends that healthcare organizations require their business associates to conduct regular security assessments of their information technology (IT) networks and practices.

The Health Information Technology for Economic and Clinical Health (HITECH) Act established new requirements for business associates to comply with privacy and security requirements of the Health Insurance Portability and Accountability Act (HIPAA) and to notify covered entities of impermissible use or disclosure of PHI affecting 500 or more individuals. Even so, healthcare providers must work closely with their business partners to build a secure chain of custody of PHI, Redspin says in a February 13, 2013, press release about the report.

Over the three-year period from 2010 through 2012, there were 538 large PHI breaches affecting 21.4 million patient records, the report found. Notably, the number of patient records affected by breaches declined in 2012 from the previous two years, suggesting that the increased security safeguards required by the HITECH Act are having an impact, the report says.