News From Our Perspective

Navigate the Healthcare System with Ease

Mar 2016

Another Round of HIPAA Audits Targets Business Associates

With April fast approaching, it is not unusual to hear the word “audit” bandied about by the office water cooler. In the healthcare world, more businesses should be preparing for a new round of audits from the federal government looking for HIPAA non-compliance.

In fact, a new round of federal privacy and security audits will target the business associates of healthcare providers, insurers and other HIPAA-covered entities, according to a March 21 Modern Healthcare article. The audit will also target the providers and insurers as well, according to the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS). OCR is responsible for administering and enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

As reported by Modern Healthcare, OCR has already started sending out emails to obtain and verify contact information for covered healthcare entities and business associates of various types for possible selection from the pool of potential audit subjects.

 Why all the audits?

The health IT sections of the American Recovery and Reinvestment Act of 2009 added a number of tougher privacy and security provisions to HIPAA. The federal law also required that HHS initiate a series of audits to verify compliance with the rules.

An additional provision in the 2009 stimulus law placed the businesses that do the data handling, processing and analysis in healthcare on the same legal footing as the hospitals, physicians, insurance companies and claims clearinghouses they are employed to assist. These business associates were largely given a free pass in the first round of audits that were completed in December 2012. According to a 2013 OCR report, roughly 66 percent of the entities audited (47 of 59 healthcare providers, 20 out of 35 health plans) lacked complete and accurate risk assessments.

For example, earlier this month, OCR announced a pair of settlement agreements totaling nearly $5.5 million with the Feinstein Institute for Medical Research in New York and North Memorial Health Care in Minnesota to settle possible HIPAA violations. The North Memorial Health Care case also involved a business associate, the Chicago-based revenue cycle management firm Accretive Health, according to OCR, which said the provider and its contractor did not have a HIPAA-required agreement in place.

So what should a healthcare provider and business associate do to prepare for a HIPAA audit?

If you “win” the audit lottery and receive a letter from Uncle Sam, the letter recipient should pull out the company’s current HIPAA security risk assessment and follow up on open areas.

Provider business associates should be fully prepared to hand over more than just HIPAA policies and procedures if they receive notice of an OCR audit. These healthcare businesses should start thinking about how the company will demonstrate implementation of their written policies and procedures.

  • Sanctions policy. These business entities need to make sure the company not only has an appropriate sanctions policy for a breach, but that the company can also demonstrate consistent implementation of the punishment.
  • Breach notification. To demonstrate compliance with the breach notification requirements, covered business associates should review their breach policies and procedures, workforce training and sanctions, documentation of incidents that have occurred, and documentation of notifications or a breach risk assessment as required by the Breach Notification Rule.
  • Risk analysis. Covered entities should ensure their most recent risk analysis assesses potential risks and vulnerabilities to all information systems, devices and media containing electronic protected health information. Covered entities and business associates should review OCR’s Security Risk Analysis guidance and NIST Special Publication 800-30 as they update their risk analysis and mitigation plan. Smaller entities also may want to consider using the HHS’ Security Risk Assessment Tool.
  • Vendor management. Covered entities also should be thinking about their vendor management process. OCR will ask covered entities for a list of business associates, but covered entities should take this opportunity before they are selected for an OCR HIPAA audit, to go through all vendors and ensure they have identified those that are in fact HIPAA business associates. Covered entities should ensure they have updated business associate agreements to reflect the Omnibus Rule changes.

For many healthcare business associates, an audit letter may be their first interaction with OCR. Business associates should demonstrate compliance with the Security Rule, Breach Notification Rule and Privacy Rule, including documentation of reported breaches to covered entities and business associate agreements with subcontractors.

Covered entities can consider using OCR’s audit protocol to prepare for an OCR audit (found here). Remember, it is never too late to prepare for an audit. Covered entities and business associates that have not already begun preparing for OCR HIPAA audits should do so immediately. Quickly review the company’s HIPAA compliance, update any risk analyses and risk management plans, policies and procedures, business associate agreements, and notices of privacy practices as needed.

Our Partners Have a Combined Legal Experience of Over 100 Years

Meet our experts