
Of course, as a health care provider, you’re responsible for your patients’ protected health information (PHI). But what if one of your vendors that has access to your patients’ PHI sustains a data breach? Who’s at risk—you, the practice owner, or your vendor?
The answer (as Clinton-esque as it sounds) is, “it depends.”
Specifically, it depends on whether you have a good business associate agreement (BAA) in place with the vendor that sustained the breach.
Consider this. A recent data breach of 829,454 patient records occurred at Luxottica—the world’s largest eyewear company and owner of brands such as Ray-Ban and Oakley.
Luxottica partners with LensCrafters, Target Optical, EyeMed, Pearle Vision, and other eye care providers. Much like software services provided to dental practices by some dental service organizations, cloud-based data backup companies, or appointment reminder services, Luxottica provides their partners web-based appointment scheduling software for their patients.
According to Luxottica’s breach notification, their appointment-scheduling application was hacked by unknown individuals on Aug. 5, 2020, and the attackers potentially gained access to personal and protected health information of patients of Luxottica’s partners.
Here’s why it’s incredibly important for your practice to have a properly executed BAA with each of your vendors that has access to your patients’ PHI.
If a practice owner does not have a properly written and executed BAA with the vendor who sustained the data breach, the practice owner is on the hook for the breach.
If the practice owner does have a properly written and executed BAA with the vendor who sustained the breach, the liability for the breach is on the shoulders of the vendor.
Smart Training’s compliance advisors encounter practice owners every week who have their heads in the sand when it comes to the unacknowledged and unprepared-for risk to their livelihood that data breaches pose. Dealing with BAAs isn’t rocket science, but BAAs do need to be properly prepared and executed. A boilerplate form with blanks usually won’t suffice for a BAA.
Not sure if your practice is properly protected? Smart Training’s certified HIPAA professional has created hundreds of custom BAAs for its clients. Compliance and risk management isn’t a sideline for Smart Training; it’s all it does. It has conducted over 1,500 inspections of dental practices across the country. Put the advantage of its experience to work for your practice.