"Business associates really don't have the best practices piece of the puzzle down," said Rick Kam, president and co-founder at ID Experts, which sponsored the survey. "Some of these organizations may not understand the processes or may lack resources."
They're also not doing the required risk assessments, he added. While 50 percent of healthcare organizations perform a risk assessment after each electronic data breach, only 42 percent of business associates do so.
"There are small signs of hope," said Ponemon. "Healthcare organizations, in general, are more cognizant of data breaches, and are putting more resources in it."
For example, when his company first started doing the study five years ago, it was common to hear people say, "What's medical identity theft?"
Today, he said, there's a high level of awareness of the problem.