
A Real World Breach – Why HIPAA Compliance Matters

Developing and implementing a HIPAA compliance plan can often seem like preparing for a tornado on a sunny day. You’ve never had a real-world breach before and you don’t foresee an OCR audit anytime in the near future. However, as one of our clients recently discovered, it pays to be prepared because tornadoes hit unexpectedly.

What Happened

One of our client’s employees recently reported a breach to the company’s Privacy Officer. The breach report stated that the company’s insurance agency (their Business Associate) accidentally sent the employee’s and his current wife’s Explanation of Benefits (EOB) to the employee’s ex-wife. Understandably, this employee wants to file a complaint. He is well within his rights to do so. The employee can file his complaint with any or all of the following:

  1. The Insurance Company – To file with them, he must request a complaint form from the employer’s Privacy Officer
  2. Health & Human Services – Forms are available from HHS
  3. State Attorney General – Forms are available online
  4. Insurance Commission – Forms are available online

The breach was the insurance agent’s fault; however, our client hired the insurance company. So they called us with the big question:

What is their liability?

Because of the Common Law of Agency Provision, an employee reporting a matter to HHS could open the employer up to an investigation, meaning OCR could come in and do a full audit of both the insurance agent (the Business Associate) and the employer (the Covered Entity).

What is the Common Law of Agency Provision?

HIPAA’s Common Law of Agency Provision in the 2013 Omnibus ruling states that a Covered Entity is responsible for the HIPAA compliance of their Business Associates (BAs). Now, this doesn’t mean you have to follow your BAs around. After all, we contract with them to make our lives easier. What it means is that you need to do your due diligence and audit your BAs BEFORE you work with them. At a minimum, the review should include a summary of the BA’s compliance plan and employee training records.

What to do after a Real-World Breach?

If you have a breach, everyone needs to review:

  1. What happened?
  2. How did you handle the breach?
  3. Is this a systemic problem or just a one-time issue?
  4. Where was the breakdown, and how can it be mitigated going forward?

If you discover a systemic issue, the Covered Entity is responsible for terminating the relationship with the Business Associate. At that point, the Covered Entity must recover any PHI the BA maintains, or require the information to be destroyed according to the terms of the Business Associate Agreement.

What is next?

Fortunately for our client, prior to this real-world breach they had prepared a compliance plan using our Turn-Key Compliance Solution, trained their staff using our online training, and are now completing the implementation of that plan. As part of that process, they put a BA Agreement in place with the insurance agent that caused the breach. The employer is prepared for an investigation led by OCR or a State Attorney General.

Need help creating your HIPAA Compliance Plan? Contact us today!
