As a Covered Entity or a Business Associate, you know you need Business Associate Agreements with entities that perform a service or function for you that requires access to Protected Health Information (“PHI”) (these are Business Associates or subcontractors). A required element of Business Associate Agreements is that you will not transfer PHI to entities you know are not properly securing the PHI. Therefore, what should be done when you discover that a Business Associate or subcontractor is not adequately securing PHI?

The first step is to see if the issue can be resolved, or ‘cured.’ Send the Business Associate written communication putting them on notice that they have a specific time (e.g., 30 days) to correct the issue and secure the PHI; otherwise, the contract will terminate and the exchange will end. The best-case scenario is that they cure the issue within the specified time. If the issue is not corrected in time, then the contract can terminate and the exchange of PHI should end. The only exception would be if termination is not feasible, for instance because there are no other viable options for the service, in which case you must notify the HHS Office for Civil Rights of the potential breach.

As the exchange of PHI becomes more prevalent and complex, the chain of trust on which the PHI is exchanged becomes increasingly important.  If one link within that chain is weak, it must be strengthened or removed.