UnityPoint Health in West Des Moines, Iowa, is notifying 1,800 patients that their protected health records have been compromised after it was discovered that an employee of the health system's third party contractor gained unauthorized access to patient records. 

The breach was discovered following a routine audit on Aug. 8, officials say. 

Upon opening a review, UnityPoint discovered the employee of the third-party contractor had used a password of individuals authorized to access to EHR system. The individual accessed the records from February through August 2013, according to a company news release. 

[See also: Ready or not: HIPAA gets tougher today.]

Data accessed include patients names, addresses, dates of birth, health insurance data, medical diagnoses and other health data. Additionally, for nearly 200 patients, Social Security numbers and driver's license numbers may have been viewed. 

UnityPoint is offering credit monitoring to those affected. 

One of the changes to the new HIPAA rules, which had a compliance date of Sept. 23, included making business associates and subcontractors accountable for violating specific privacy and security rules. 

This should have come as no surprise to BAs, said Office for Civil Rights Director Rodriguez.

"We have been clear for a very, very long time now with the business associates about the fact that they will become directly accountable under the regulations, that they should begin taking all the necessary steps to amend, if necessary, their policies and procedures and practices to come fully into compliance with these obligations," he said in an interview with Healthcare IT News.  

[See also: Unencryption at core of HIPAA breach.]

OCR has received some 80,000 complaints regarding HIPAA violations since 2003. Sixteen of those have resulted in hefty monetary penalties.