The most recent breach was reported by QRS Healthcare Solutions who has the EHR product Paradigm. What does this mean and what can you learn to protect your practice?
There are already attorneys advertising a class action lawsuit against QRS for the following reasons:
- Did QRS fail to adopt security safeguards that would have prevented a data breach?
- Did QRS notify customers as soon as it learned of the data breach?
- Did QRS provide a complete list of all individuals affected by the data breach?
- Did QRS provide security in line with industry standards?
See https://www.thelyonfirm.com/class-action/data-breach/qrs/
According to reports, this breach was due to security issues at a patient portal.
When a breach happens, the HIPAA Breach Notification Rule requires that the MEDICAL PROVIDER notify patients about the breach. QRS is the vendor, and vendors are not required to notify patients under the rule, but a good Business Associate Agreement can require the vendor to provide the notification. The cost of notification in case of a breach can be huge. Now is a good time to look at the Business Associate Agreements you have in place and make sure that if one of your vendors experiences a breach, the costs associated with the breach are the responsibility of the vendor. In this case, QRS sent notification letters to all affected individuals on behalf of its clients. QRS is also offering complimentary access to identity theft protection services. Once again, this goes beyond the regulations but is something that can be written into the Business Associate Agreement.
The incidence of breaches at both Health Information Vendors and Health Care facilities is increasing exponentially. Even with the steps that QRS has taken, the health care providers who utilize QRS for EHR services are likely to experience significant financial costs. It is important to remember that when a breach occurs, the HIPAA regulations place all of the responsibility upon the health care provider. That places you and your practice directly in the crosshairs even though the breach did not occur at your location. It is still your data and your responsibility.
What can you do to protect yourself from events such as this which are completely beyond your control?
- Look at all vendors that you do business with and make sure you have a Business Associate Agreement (BAA) with any vendor that you share patient data with. Even if they say they are not required to give you a BAA, tell them you require one in order to do business with them. The BAA protects you and places responsibility upon the vendor, so vendors will often do everything possible to avoid signing these agreements. At TLD Systems we have seen some companies go as far as to send letters to health care providers from their attorneys explaining why they do not need to give out the BAA. The vendor is trying to protect itself and make sure all the financial and administrative burden of a breach it may create is on you. Do not let this happen.
- Review your BAAs with your health care attorney and make sure that the BAA places as much responsibility for a breach as possible upon the vendor, shielding you from many of the costs related to breach remediation, including patient notification, providing credit monitoring services and other costs.
- Get Cybersecurity Insurance. The costs associated with a breach can be huge and without Cybersecurity Insurance a breach could financially ruin your practice.
- Make sure your HIPAA Security Risk Analysis and risk mitigation plan are up to date. If they are not, please contact TLD Systems now to take care of this vital step in protecting your practice: https://www.tldsystems.com
The number of HIPAA Breaches continues to increase and your risk of having YOUR data involved in a breach becomes greater each and every day. Don’t wait until it is too late to protect your practice.
For more information, please reach out to me; my email address is mbrody@tldsystems.com
Michael L. Brody, DPM