Key: Make sure your business partners are on the up-and-up. How far does your facility go in policing your business partners' HIPAA information security practices? Check out this lesson from one Connecticut provider, and see if you need to take additional steps. The situation: The data included patients' names, addresses, dates of birth, marital status, Social Security numbers, Medicaid and Medicare numbers, medical record numbers, and certain diagnosis and treatment information. Having such unencrypted data on the employee's laptop was a violation of the contractor's policy, the VNA and hospital note in the July 30, 2012 release. The HIPAA breach isn't technically the VNA's fault. The providers "go to great lengths to ensure that data transmitted or transported by their employees are fully encrypted to prevent unintended disclosure," VNA notes in the release. But the VNA and hospital still are left holding the bag when it comes to dealing with the fallout from the breach. "We profoundly regret this incident happened. Integrity and safety are two core values of both Hartford Hospital and VNA HealthCare," they say. "We take very seriously our stewardship of this information, which is central to our roles as healers and caregivers." In addition to apologizing, they are offering two years of free credit report monitoring for patients whose data was affected by the breach. Remember HIPAA at Contract Time "It might surprise you how often this happens," notes HIPAA expert Robert Markette, Jr., with Benesch Friedlander Coplan & Aronoff in Indianapolis. "Your business associates may not be as compliant as you think." But how far do you want to go in policing your business associates? They already are subject to direct HIPAA penalties under the HITECH Act, Markette points out. "How do you verify no data has been placed on a contractor device?" Markette asks. You can require that contractor employees don't take data home, but monitoring compliance would be a logistical challenge. Additionally, procedures like random audits or programs that log data access and copying can be cumbersome. Remember: Try this: Editor's note: