Lessons from Netflix

Who was hacked?

It wasn’t Netflix that was hacked, but a vendor, Larson Studios, which was performing audio finishing on the series Orange is the New Black. Like the rest of the business world, not just entertainment, the industry completes its work in collaboration with other companies that each specialize in one task or another. After the hack of Sony Pictures in 2014, the big studios became savvier about cybersecurity, but the smaller entities, the thousands of vendors who support the industry, have not, leaving the studios vulnerable to hacking, extortion, and ransomware. At the time of this writing no extortion had been paid. Kudos to the victim: the hacker didn’t win this round.

What does this have to do with healthcare?

The situation is analogous to healthcare, with Netflix in the position of a covered entity and Larson Studios in the role of a business associate. Covered entities outsource tasks like coding and billing, collections, medical transcription, file storage and data backup, among others. When the data a vendor manages contains protected health information (PHI), that vendor’s vulnerabilities put the covered entity at risk. But unlike vendors in the entertainment industry, business associates are separately responsible and subject to audits, investigations and fines by the Office for Civil Rights (OCR). And when PHI is breached, both the covered entity and the business associate are responsible.

Yes, it’s real.

In June 2016, a fine of $650,000 was imposed on the Catholic Health Care Services of the Archdiocese of Philadelphia (CHSC), a business associate which provided management and IT services to six skilled nursing facilities. CHSC lost a cellphone containing the protected health information of 412 nursing home residents. The loss would have been avoidable had they been aware of HIPAA requirements and put protections in place.

What to do?

Covered entities need business associate agreements with their business associates. The agreement should specifically describe what the business associate has been engaged to do, and should require the business associate to comply with HIPAA.

Every entity in healthcare which handles PHI needs to understand its responsibility in protecting patient privacy. Inventory your business relationships and have the right agreements in place. Educate yourself about your responsibilities and establish policies backed by a culture of compliance.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start Kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.


Maggie Hales

Maggie Hales is a lawyer specializing in health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2020 ET&C Group LLC.
