[ Monday, April 30, 2018 ]
Jeff [3:11 PM]
As you may know (I posted on it at the beginning of the month), a large NJ physician practice paid a $400,000 fine as a result of a transcription company's use of an unsecured FTP server (NOT discovered by Justin Shafer, though). Edward McKinney, CISO of Floyd Medical Center in Rome, Georgia, alerted me about Virtua, and wondered: is this the beginning of Covered Entities being held liable for the sins of their Business Associates?
Maybe. First, keep in mind this is a state AG action, not an OIG action, so the effect on HIPAA enforcement is a little more tenuous. But also, it's pretty easy to read the AG's statements as directly damning Virtua for not minding its own privacy and security matters (insufficient risk analysis, insufficient security training), not for its inability to sniff out the vendor's shortcomings.
We could be entering an era where the sins of the vendors are visited upon the covered entities, especially if the covered entity failed to properly vet the vendor (like a negligent credentialing claim). But I'm not ready to make that leap -- I think there's sufficient direct blame here that you don't need to pin it on indirect blame. A covered entity with great risk analysis and training might still be guilty of hiring a bad vendor because it didn't kick the tires hard enough, and there's a conceptual HIPAA violation in that scenario. But I really think, unless the vetting was unconscionably bad, you'll not see that as a violation. Rather, you're still much more likely to see a failure to do sufficient first-party risk analysis (as well as missing policies and procedures).