Posted by: Robert Markette
February 13, 2007

A reporter at home health line forwarded a story to me last week about another computer related incident. According to the story, Johns Hopkins University has a contractor who routinely makes microfiche backups of certain data. The contractor receives computer tapes with the data and then makes its backups from the tape. The contractor who creates the microfiche uses a courier to pick up and deliver the tapes from the hospital to its offices and then to return the tapes when the backups have been created.

In the reported case, the tapes with patient information never made it to the business associate. The parties think that the courier services employee left the tapes at one of his stops on his way to the contractor. The good news is the tapes were apparently incinerated by the party that received them.

Once again, a potential security incident occurred because an individual made a mistake. In this case, it was the contracted courier of a covered entitys business associate. When you are contracting for services, your contractor may use a subcontractor. This is in compliance with the Privacy Regulation which specifically allows for business associates to use subcontractors. If you look at your business associate agreement, it allows for subcontractors. The agreement simply requires the business associate to pass the assurances on to the subcontractor.

Having business associate agreements in place establishes what your business associate and its subcontractors are supposed to do to protect your PHI, but that will not stop every potential breach. Individuals will make mistakes, either because they are unaware of the appropriate procedures to follow, or because they fail to follow procedures or simply fail to do their job properly at all, as in this case. As a covered entity, you should not let that stop you from using contractors.

One issue that this incident brings to light is the need for your business associate agreements to require prompt notification in the event of these kinds of mistakes, because you will need to move quickly. Unlike dealing with your own employees, you have no way to train your business associates employees on HIPAA. You do not have an obligation to police their compliance, but you will have to respond when a mistake occurs. Thus, the faster you learn about the problem, the better.

Another way to address this problem would be for the covered entity to deal with the courier directly and require confirmation of delivery. This would reduce the amount of time that passed before the covered entity learned that the items were lost in transit, because it would remove a layer of communication. The covered entity could also notify the contractor when its courier picked up the tapes and have the contractor call when they arrived.

Unfortunately, either method will not prevent a mistake, it will simply speed up the notification process. These kinds of mistakes will happen. Your business associates should be prepared to notify you quickly and you should simply be ready to respond.

News

Human error - the privacy rules weakest link.

News

Health Care

Topics

Recent Updates

Archives

Web Resources



	Home \| Attorneys \| Contact Us \| Site Map
	The information you obtain at this site is not, nor is it intended to be, legal advice. You should consult an attorney for individual advice regarding your own situation. Copyright © 2008 by Home Care Law Blog Gilliland & Markette LLP. All rights reserved. You may reproduce materials available at this site for your own personal use and for non-commercial distribution. All copies must include this copyright statement.