Berea College incurs breach costs because they forgot to ask a business associate to sign a BA agreement
Berea College in Kentucky is notifying current and former patients of the Berea College Health Service of a self-discovered HIPAA violation that has not been associated with any harm to patients. In a notice posted on their website today, they explain:
Berea College Health Service (BCHS), a department of Berea College and medical care provider for the Berea College campus community, recently recognized during a review that it did not have a written agreement to protect patients’ medical privacy with a contractor who handled insurance billing for BCHS from January 2012 through October 2013. The provisions of the Health Insurance Portability and Accountability Act (HIPAA) required BCHS to have such an agreement in place when the contractor began providing services in January 2012.
Although this contractor had access to medical records, including names, addresses, dates of birth, insurance numbers, social security numbers, and diagnosis and treatment information, BCHS has no reason to believe that any patient information has been misused or disclosed inappropriately. We did not have a written agreement in place because BCHS failed to request it. The contractor has advised us that patient health information was used and disclosed only for BCHS billing and for no other purpose, and we have been assured that the contractor has returned to BCHS or destroyed any patient information that she might have accessed. Nevertheless, we are obligated to notify you of this issue.
Read the full notice here (pdf).