This blog series has been following breaches of Protected Health Information (“PHI”) reported on the U.S. Department of Health and Human Services’ (“HHS”) ever-lengthening list (the “HHS List”) of breaches of unsecured PHI affecting 500 or more individuals (the “List Breaches”). As reported in a previous blog post in this series, as of August 14, 2013 (and today), there were postings of 646 List Breaches.

Several prior posts in this series addressed the extent to which such List Breaches are being reported by covered entities (“CEs”) as having been attributable to events involving business associates (“BAs”).

As of August 20, 2013, 146 of the total of 646 List Breaches (22.6%) reportedly involved BAs of the reporting CEs. This is remarkably consistent with the percentage of 22.3% (83 of the total of 372 List Breaches) as of December 2, 2011, reportedly involving BAs of the reporting CEs.

Further analysis of the HHS List as of August 20, 2013, reveals the following:

• 3 of the 6 List Breaches (50%) that affected 1,000,000 or more individuals reportedly involved BAs of the reporting CEs.

• 16 of the 43 List Breaches (37.2%) that affected between 30,000 and 999,999 individuals reportedly involved BAs of the reporting CEs.

• 21 of the 80 List Breaches (26.3%) that affected between 10,000 and 29,999 individuals reportedly involved BAs of the reporting CEs.

• 106 of the 517 List Breaches (20.5%) that affected between 500 and 9,999 individuals reportedly involved BAs of the reporting CEs.

While the foregoing review is only a snapshot of the HHS List as of a given date, it indicates that, as the size of a List Breach increases, it becomes more likely that involvement of a BA will be reported. However, among the List Breaches affecting fewer than 10,000 individuals, which make up the bulk of the HHS List, the overwhelming proportion (79.5%) reported no involvement of a BA.

More data will be required before the impact of BA involvement in smaller and larger List Breaches becomes clearer. However, there are indications that the larger the List Breach that is reported by a CE, the greater the likelihood that it will involve an alleged BA. It is therefore incumbent upon any CE at a minimum to

(i) choose its BAs with care,

(ii) enter into effective business associate agreements with terms appropriate for the specific risks that may be present, and

(iii) continue to monitor the total performance of BAs, including both delivery of services and HIPAA compliance.