[ Tuesday, June 28, 2016 ]
Tex. Health & Human Services Commission Breach:
Jeff [4:00 PM]
The HHSC's records vendor, Iron Mountain, lost some boxes
with records of 600 people who applied for benefits with HHSC.
In case you didn't know, the HITECH and Omnibus Rule changes to HIPAA's definition of "business associate" make clear that anyone who "creates, receives, maintains or transmits" PHI for a covered entity is a business associate. "Maintains" includes storage, so wherever a covered entity stores its PHI, whether it's a cloud-based server or Uncle Bob's Self Storage, the storage company is a business associate. Of course, self-storage places, that never intend to access the records in storage and don't even know what people keep in their storage lockers, really don't want to be BAs, and they sure don't want to sign BAAs. But have you ever seen the TV show Storage Wars? Stuff in self-storage facilities sometimes gets disclosed to the general public. Unfortunately, if you are a covered entity and you're using a self-storage facility, you must get them to sign a BAA, or find another facility.
There are facilities that will sign BAAs, and Iron Mountain is one of them. This is the first breach I've heard of involving Iron Mountain; hopefully it will be the last.
Hat tip: Virginia Mimmack
Blogger: HIPAA Blog - Edit your Template