Here’s a scenario I hope you never have to face: your small physical therapy practice hires a third-party billing company to manage your billing operations. Then, that billing company experiences a massive data breach affecting more than 1,000 of your patients. Because the billing company didn’t have an information security or compliance program in place, it was not aware of the breach for more than six months. Unfortunately, the billing company also did not have insurance, so it’s closing its doors, leaving you with insurmountable costs associated with cleaning up the breach—including notifying your patients and offering credit protection services. 

You also have to report the breach to the Office for Civil Rights (OCR), and now OCR is investigating your practice. Worse: You are losing patients left and right, because they don’t care that the billing company caused the data breach—they think you are responsible. After all, you gave their protected health information (PHI) to a business that was not equipped to protect it.

So, what could you have done differently to protect your patients’ PHI—and your practice—when hiring that business associate? Include that company in your HIPAA risk assessment. Here’s how to help ensure you're meeting HIPAA business associate requirements (but first, a little background info):


According to HIPAA, third-party vendors that handle PHI on your behalf are business associates.

A business associate is defined in the HIPAA rules as a person or company that—on behalf of the covered entity (a.k.a. your practice)—creates, receives, maintains, or transmits PHI. Examples include electronic medical record vendors (e.g., WebPT), billing companies, and accountants. HIPAA requires a written business associate agreement (BAA) with each such vendor before you share PHI with it, but a signed BAA alone does not manage the risk. When entering into a relationship with a business associate, the covered entity must also conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI—whether that ePHI is held by the covered entity or by the business associate.

On May 24, 2019, the Department of Health and Human Services Office for Civil Rights issued a fact sheet outlining the ten circumstances in which HIPAA business associates are directly liable for violations of the law. For a complete list of HIPAA provisions that apply directly to business associates, check out the fact sheet here.

Data breaches have lasting consequences—mostly for providers.

Large data breaches continue to dominate the press, but small organizations often fare worse. In 2019, the Ponemon Institute—which conducts independent research on data protection and emerging information technologies—released a study showing that the cost of a data breach has far-reaching effects that last for several years after the breach occurred. The study also revealed that small businesses face disproportionately larger costs (relative to their size) than bigger organizations, which can hamper their ability to recover from such breaches. A 2018 Ponemon study on third-party risks identified vendors as a significant source of risk to company data. To address that risk, the study recommends tracking and auditing all third-party vendors to make sure they have the compliance and information security safeguards required to protect your data.

So, a business associate’s direct liability under HIPAA is cold comfort for any healthcare provider who experiences a data breach due to that business associate’s acts or omissions. You, as the covered entity, have much more to lose if you trust the wrong business associate with your most valuable data: your patients’ confidential health information.

But, there are things providers can do to reduce risk.

How is a small, medium, or even large organization supposed to mitigate the risk associated with a breach? Here are four tactics to assess and audit your business associates:

Tactic #1: Analyze risks to your ePHI.

The HIPAA Security Rule requires you to perform an accurate and thorough assessment of potential risks and vulnerabilities to your ePHI—and that requirement extends to your third-party vendors. Those vendors are also required to conduct this same type of risk assessment; so, ask them for theirs. Perhaps they can’t give you their detailed analysis because it contains highly confidential information, but they can at least provide you with a summary. If they stare at you with big, blank eyes, however, then you can be confident they are not conducting a risk assessment. 

Tactic #2: Start thinking of your HIPAA business associates as trusted partners.

Before you hand over access to your PHI, learn more about your business associate. What kind of company is it? Who is the organization’s compliance and security officer? What is the company’s physical address? Does it have HIPAA and information security policies in place? In the event of a security incident or data breach, would you be notified—and if so, within what time frame? (The HIPAA Breach Notification Rule requires a business associate to notify the covered entity without unreasonable delay, and no later than 60 days after discovering a breach; your BAA can, and should, require faster notice.) Think of this as a first interview. Remember, if you do engage this vendor as your business associate, then it will have your practice’s most valuable information. So, you really need to trust this organization.

Tactic #3: Audit your most critical business associates periodically. 

Do you have a business associate that is critical to the success of your operation? Does it have thousands of your patient records—or even hundreds? If so, audit these business associates periodically. Your audit can vary based on your resources and bandwidth. You can send a simple checklist of requested items annually (e.g., the company’s HIPAA policies or training materials). You can even ask to stop by and observe the company’s operations. The most important aspect of periodic auditing is to keep that critical business associate in the forefront of your mind, so that you maintain good communication and transparency.

Tactic #4: Consider asking your business associates to obtain cyber liability insurance. 

One scary fact about data breaches is that the cost of a breach has risen to about $150 per record. This cost can add up quickly, and most businesses would not be able to sustain this type of financial punch. So, consider asking your critical business associates to purchase a good cyber liability insurance policy. If they have one, ask them to send you proof in the form of a certificate of insurance. You should also purchase a cyber liability policy of your own. 


 Have you conducted your HIPAA risk analysis? If not, consider purchasing HIPAA Check™, produced by Sunhawk Consulting. HIPAA Check uses a proprietary algorithm that pulls from OCR settlements, so you can focus your efforts on the high-risk items first. HIPAA Check also provides suggestions for how to assess each assessment item, including what to ask of your business associates. As a bonus, WebPT Members who purchase HIPAA Check in the Marketplace will find that all business associate relevant audit items are answered on behalf of WebPT—and we will provide you with important information about our HIPAA compliance and information
