Manatt’s Robert Belfort, a partner with Manatt Health, spoke with Health Data Management about a recent data breach affecting Quest Diagnostics.
The breach could expose the data of 11.9 million patients, including personally identifiable information, credit card data and health information, according to Health Data Management.
Belfort said the incident highlights the risk that healthcare organizations face when they share health information with contractors.
“In this case, it appears the breach occurred at the subcontractor level with a company that Quest did not have a direct contract with,” he said. “Covered entities face challenges evaluating the security programs of their business associates. The HIPAA privacy rule does not expressly require such an evaluation, but covered entities take on litigation and public relations risks when they fail to do so.”
Belfort added that it is “probably unreasonable” for covered entities to closely monitor all of their business associates. “But covered entities should have a risk stratification process that allows them to target their evaluation and monitoring efforts on those business associates who maintain large amounts of sensitive data,” he said.