Is OCR Moving the Goal Posts on Vendor Management?

Yesterday, I posted an item about a settlement between New Jersey and Virtua Medical Group after a 2016 data leak by their transcription vendor exposed approximately 1,600 patients’ information on the internet. New Jersey took the position that this was a HIPAA violation and that the entity was responsible for what its vendor had done or not done.

But the NJ settlement is just one clue that things may be changing in terms of holding entities responsible for vendors. Adam H. Greene and Rebecca L. Williams of Davis Wright Tremaine write:

Recent statements at the 27th National HIPAA Summit suggest that the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) may be changing its position and expecting a greater level of vendor due diligence under HIPAA. Although surprising to many, the HIPAA regulations do not specifically require vendor due diligence or monitoring. Rather, HIPAA requires a business associate agreement (BAA) and that the covered entity take action upon learning of a business associate’s pattern of activity or practice in breach of the BAA. The same is true with respect to the relation between business associates and their subcontractors.

Read more on DWT.com.

About the author: Dissent