The Department of Health and Human Services’ (HHS) announcement that they will begin auditing Business Associates in October motivated a Covered Entity’s compliance officer to call Total HIPAA last week. He had done a Google search on what a Covered Entity should do to monitor their Business Associates and the Business Associate Subcontractors. The only guidance he could find was a Total HIPAA blog from December 15, 2015.
In that blog, Total HIPAA suggested the following questions be sent to Business Associates:
- What is your security program?
- How are you educating your workforce?
- How do you manage access to and handling of patient/client information?
- Do you have policies and procedures for both Privacy and Security?
- Have you vetted your Business Associate Subcontractors?
There are many other questions that a Covered Entity can ask a Business Associate. These five questions open the conversation and will help a Covered Entity qualify the HIPAA compliance of their Business Associates.
The phone call continued with this question: How does a Covered Entity determine whether the Business Associate is requiring its Subcontractors to be compliant? Our answer: Request that the BA submit the same five questions to its Subcontractors.
Will HHS be satisfied, in the case of an audit, that the Covered Entity is making a good faith effort to secure its clients’/patients’ PHI? HHS has indicated that it is not sure what it will find during the desk audits. The HHS Office for Civil Rights (OCR) will issue preliminary reports to each of the Covered Entities and Business Associates selected.[1] We should have more guidance after the audits are completed. Submitting these questions will certainly show HHS that all three categories, Covered Entities, Business Associates and Business Associate Subcontractors, recognize that they all must meet the same set of compliance requirements.
It is important to be sure your Business Associate Agreements are up to date and include the revisions required under the Omnibus Final Rule in order to stay HIPAA compliant. For the upcoming BA audits in October, OCR will notify 40-50 Business Associates and, unlike Covered Entities, Business Associates aren’t getting any warning. “The time to prepare for the audits is now,” says David Holtzman, VP of Compliance at Security Consultancy. He goes on to say, “Business Associates should be prepared to produce their policies and procedures for notifying their Covered Entities when there has been a breach incident, as well as samples of when and how they have done so.”[1]
The best advice we can give is simple: be prepared! Make sure your BAAs are renewed or modified to include the regulations in the HIPAA Omnibus Final Rule of 2013. Ask your Business Associates the five questions listed above and suggest they send those same five questions to their Subcontractors. Take note that after the desk audits, OCR plans to conduct on-site audits as well, for both Covered Entities and Business Associates.
Now is not the time to worry; rather, it is the time to take action. Privacy attorney Kirk Nahra states, “The time to worry will be when there is an actual [breach] investigation, so they should use this opportunity to get their documents and policies lined up.”[1] Audits are a great chance to get organized and make sure your documents, policies, and procedures are all in compliance with HIPAA.
For more information on how to quickly and cost-effectively meet compliance requirements, check out this video: HIPAA Prime™