In August, Advocate Health Care Network agreed to pay $5.55 million to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) to settle multiple HIPAA violations. HHS also recently announced a $650,000 resolution agreement with the Catholic Health Care Services of the Archdiocese of Philadelphia.
These multi-million dollar penalties should serve as a warning to every covered entity and business associate, especially now that the next phase of audits is underway. During this phase, OCR is reviewing the policies and procedures of covered entities and their business associates to confirm that they meet the standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Most of these will be desk audits, although some on-site audits will be conducted as well.
The audit process began in May 2016, when OCR sent emails to verify each entity's address and contact information. The next step was a pre-audit questionnaire used to gather information about the size, type, and operations of each organization. Entities selected for the desk audits are required to provide a list of their business associates along with their contact information. Emails will then go out to the selected business associates, who are expected to respond promptly. The audits are expected to focus heavily on breach response. A business associate that does not respond within the timeframe will be scheduled for the comprehensive audits in January 2017.
Some frequently asked questions regarding audits include:
Who Will Be Audited?
Every covered entity and business associate is eligible for an audit. This includes individual and organizational health care providers, health plans, and health care clearinghouses, as well as the wide range of business associates that serve these entities.
What is a Business Associate?
A business associate is any third-party contractor that performs work or activities on behalf of a covered entity that involve the use or disclosure of protected health information (PHI) (1). A few examples may include:
What are Business Associate Agreements?
HIPAA and HITECH require covered entities to sign a business associate agreement (BAA) with each business associate, in which the business associate commits to safeguarding patients' PHI in accordance with HIPAA requirements. Business associates can be held directly accountable for a data breach and penalized for noncompliance (1).
Why are Business Associates Agreements important?
Business associate agreements are not only necessary for staying in compliance; they are crucial for the adequate protection of patient PHI. HIPAA requires a business associate agreement to include the following:
How Will Auditees Be Selected?
OCR is identifying pools of covered entities and business associates that together represent a broad range of health care providers, health plans, health care clearinghouses, and business associates. According to HHS, the sampling criteria for selection include the size of the entity, its affiliation with other health care organizations, the type of entity and its relationship to individuals, whether the organization is public or private, geographic factors, and any current enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.
What If an Entity Doesn’t Respond to OCR’s Requests for Information?
If an entity does not respond to OCR's requests for information, OCR will use publicly available information about the entity to build its audit pool. An entity that does not respond may therefore still be selected for an audit or be subject to a compliance review.
If your organization or practice has a question regarding HIPAA audits or business associate agreements, contact the experts at MedSafe at 1-888-MEDSAFE or visit our website at www.medsafe.com.