As advancements in health information technology allow increased access to Protected Health Information, covered entities
(CEs) and business associates (BAs) face an uphill struggle to protect patient data and privacy.
Adding to the complexity are industry trends around the renewed focus on vendor relationships and compliance, along with
the Office for Civil Rights’ (OCR) heightened scrutiny of BAs. In fact, OCR’s enforcement measures have targeted poor
Business Associate Agreement management, emphasizing incidents in which the business associate (BA) was at fault.
The effects of a BA breach on a CE's patients can range from identity theft to exposure of sensitive information regarding a
condition, treatment or test that could lead to harm, embarrassment or discrimination. If fines are imposed, sanctions and
actions will be taken against the CE as well.