"[This breach] demonstrates why healthcare providers, and all kinds of organizations with sensitive information, need to ensure their business associates to whom they entrust confidential and sensitive information have effective safeguards in place," Herold says. "Counting on just a BA agreement is not enough. Organizations need to go further and require business associates to provide some kind of proof or assurance that they actually have safeguards in place. If they don't obtain some type of assurance, it is likely this type of incident will happen."
Herold says she has audited more than 200 BA information security and privacy programs, and almost all the folks in the information security and IT areas in those organizations had not seen the BA contract.
"[They] had no clue what their acquisitions and contracting department had agreed to in the contracts with regard to information security and privacy activities," she says.
HHC said on its website that it "values and protects individuals' privacy and confidentiality and deeply regrets any inconvenience and concern this may create for patients, staff, and others affected … There is no evidence to indicate that the information has been inappropriately accessed or misused."
HHS is providing information and credit monitoring services to all affected individuals who may be worried about possible identity theft.
Use of encryption limits damage, Herold says. "This incident once more demonstrates why any type of mobile PHI (moving on legs, wheels or otherwise outside of the secured server located within the appropriate facility) needs to be encrypted when in electronic form, and locked securely when in print form."
Jeff Drummond, health law partner in the Dallas office of Jackson Walker LLP, agrees, offering the following advice: "Encrypt. Or at least lock your car doors."