Business associates to providers unprepared for data breaches
Many medical business associates—third parties that include billing companies, credit bureaus, insurance brokers, data processing firms, pharmacy chains, accounting firms and offshore transcription vendors—are unprepared to meet new data breach regulations in the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The Healthcare Information and Management Systems Society (HIMSS) Analytics group arrived at this conclusion after commissioning a national survey of hospitals and business associates to examine their vulnerability to healthcare data breaches. The survey found that one-third of business associates reported that they were unaware they had to conform to HIPAA privacy and security requirements.

"Business associates could represent a risk to healthcare organizations, especially hospitals," said Lisa Gallagher, HIMSS senior director, privacy and security. "The lack of awareness of new federal regulations by business associates coupled with the large number of third parties hired by hospitals to control costs through outsourcing, points to a potential area of concern. Hospitals, in partnership with their business associates, need to actively prepare to comply with the new rules when these breaches happen."

The survey found that 85 percent of health providers will take steps to ensure that data held by business associates will not be breached and that close to half of the hospitals surveyed (47 percent) would terminate contracts with business associates if they were responsible for data breaches.

The survey also found that 50 percent of large hospitals reported at least one data breach this year, and that 68 percent believe that the HITECH Act’s expanded breach notification rules will result in the discovery and reporting of even more data breaches.

Fifty-seven percent of hospitals indicated they now have a greater degree of awareness of data security and breach concerns, and 90 percent said they have changed—or plan to change—policies to prevent data breaches from occurring.