As the role of analytics and electronic health records systems grows in healthcare, the number of vendors interacting with patient data has grown exponentially. Because of the numerous access points to patient data, the federal government appears to be clamping down on the sometimes porous flow of patient data handled by contractors, whose security failures have been linked to the exposure of nearly 33 million individuals' medical records since 2009.
Under HIPAA, these contractors are referred to as “business associates.” And now, these business associates will be included as primary audit targets in the second round of HIPAA audits by the Department of Health and Human Services’ Office for Civil Rights.
The audit of business associates is necessary to keep out firms who are insincere about becoming HIPAA compliant, and are thus reckless with patient data.
According to Adam Greene, a partner in the Washington, D.C., office of Davis Wright Tremaine, some larger healthcare organizations have employed hundreds and in some cases as many as a thousand business associates.
In one sense, by including the business associates, the civil rights office is simply catching up with privacy and security rules it issued three years ago. But the OCR announcement also means that enforcement of these more stringent rules could give healthcare organizations more leverage to get stronger agreements with their contractors.
Upgrades to the HIPAA privacy and security rules in the health IT provisions of the American Recovery and Reinvestment Act of 2009 put BAs on an equal legal footing with HIPAA covered entities – hospitals, physician practices, health plans and claims clearinghouses. That means vendors that violate the rules are subject to civil monetary penalties of up to $1.5 million a year.
The first phase of audits will involve OCR staff and special hires conducting “desk audits,” not requiring agents to go into the field. Covered entities will be asked to provide basic information about their business associates. “It won't be a complete list,” Greene said, but it will provide a starting point for identifying business associates to audit.
Just as business associates now share equal legal liability under HIPAA, they've long shared culpability for data breaches, according to federal records.
That said, how can business associates “survive” a HIPAA audit? According to Hayes Management Consulting, there are six key steps to getting through a HIPAA audit successfully.
First, prepare and practice. Before the OCR audit, conduct an internal round of HIPAA compliance audits and risk assessment. To impress OCR, show proof of conducting such assessments on a regular schedule.
Second, evaluate your privacy and security policies. Perform an in-depth assessment of your current privacy and security policies and procedures, or active HIPAA compliance program. Similarly, designate a HIPAA Compliance Officer. HIPAA privacy compliance should focus on PHI access, administrative requirements, uses and disclosures. For security compliance, concentrate on administrative, physical and technical safeguards.
Third, perform an internal review of electronic files. Encrypt all electronic files, especially patient-sensitive data. Verify and validate which electronic files are being encrypted, and which are not. Do this before any external audits are done.
Fourth, assess organization compliance risks. OCR Phase 1 HIPAA Audits revealed two-thirds of organizations could not demonstrate they were performing complete and accurate HIPAA security risk assessments. To ensure that your organization can meet compliance standards, start by inventorying all of the organization’s systems that handle ePHI, and develop some remediation action plans.
Fifth, compile a list of all vendors and business associates. OCR will ask to see all business associates that have access to your organization’s PHI. Include anyone who works behind the scenes with your hospitals, health plans or providers. For example, such associates include contractors, consultants, software vendors, and data storage companies.
Sixth and finally, evaluate, evaluate, evaluate. Inspect your HIPAA policies and procedures, most importantly employee access, new hire employee training, ePHI policies, eFILE sharing procedures, faxing, emailing, notice of privacy policies, data breach mitigation, disaster recovery, and data backup, and be sure to update policies and procedures regularly.
The original article by Joseph Conn can be found at the following address: http://www.modernhealthcare.com/article/20160323/NEWS/160329942?utm_source=modernhealthcare&utm_medium=email&utm_content=20160323-NEWS-160329942&utm_campaign=am