Looking for a Business Associate Agreement? Download our FREE template.

Total HIPAA Logo

OCR’s Phase 2 of HIPAA Audit Program Focuses on Business Associates

The Department of Health and Human Services’ (HHS) announcement that they will begin auditing Business Associates in October motivated a Covered Entity’s compliance officer to call Total HIPAA last week. He had done a Google search on what a Covered Entity should do to monitor their Business Associates and the Business Associate Subcontractors. The only guidance he could find was a Total HIPAA blog from December 15, 2015.

In that blog, Total HIPAA suggested the following questions be sent to Business Associates:

  1. What is your security program?
  2. How are you educating your workforce?
  3. How do you manage access to and handling of patient/client information?
  4. Do you have policies and procedures for both Privacy and Security?
  5. Have you vetted your Business Associate Subcontractors?

There are many other questions that a Covered Entity can ask a Business Associate. These five questions open the conversation and will help a Covered Entity qualify the HIPAA compliance of their Business Associates.

The phone call continued with this question: How does a Covered Entity determine if the Business Associate is requiring their Subcontractors to be compliant?  Our answer: Request the BA submit the same five questions to the Subcontractors.

Will HHS be satisfied in the case of an audit that the Covered Entity is making a good faith effort to secure their clients’/patients’ PHI? HHS has indicated that they are not sure what they will find during the process of the desk audits. The HHS Office for Civil Rights’ (OCR) will issue preliminary reports to each of the Covered Entities and Business Associates selected.1 We should have more guidance after the audits are completed. Submitting these questions will certainly show HHS that all three categories, Covered Entities, Business Associates and Business Associate Subcontractors, recognize that they all must meet the same set of compliance requirements.

It is important to be sure your Business Associate Agreements are up-to-date and include revisions required under the Omnibus Final Rule in order to stay HIPAA compliant. For the upcoming BA audits in October, OCR will notify 40-50 Business Associates and, unlike Covered Entities, Business Associates aren’t getting any warning. “The time to prepare for the audits is now” says David Holtzman, VP of Compliance at Security Consultancy. He goes on to say “Business Associates should be prepared to produce their policies and procedures for notifying their Covered Entities when there has been a breach incident, as well as samples of when and how they have done so.”1

The best advice to give is Be Prepared! Make sure your BAAs are renewed or modified to include regulations in the HIPAA Omnibus Final Rule of 2013. Ask your Business Associates the 5 questions listed above and suggest they send those same 5 questions to their Subcontractors. Take note that after the desk audits, OCR has plans to conduct on-site audits as well for both Covered Entities and Business Associates.

Now is not the time to worry, rather it is the time to take action. Privacy attorney Kirk Nahra states, “The time to worry will be when there is an actual [breach] investigation, so they should use this opportunity to get their documents and policies lined up.”1 Audits are a great chance to get organized and make sure your documents, policies, and procedures are all in compliance with HIPAA.

For more information on how to quickly and cost-effectively meet compliance requirements, check out this video: HIPAA Prime™

  1. HealthInfoSecurity – OCR Business Associate HIPAA Audits Coming Soon

Sharing is caring!

Documents

Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.


Download Now

Want to stay informed?

Join our community, stay ahead of the curve on HIPAA compliance and receive free expert guidance.

State of HIPAA Compliance in 2024

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!

Document

Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

In today's digital world, protecting sensitive data is paramount. This is especially true for organizations that handle electronic Protected Health Information (ePHI), whether you're a healthcare...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)