In August, Advocate Health Care Network agreed to pay a $5.55 million settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), for multiple HIPAA violations. In addition, HHS also recently announced a $650,000 resolution settlement against the Catholic Health Care Services of the Archdiocese of Philadelphia.
These multi-million dollar penalties should be a warning for all covered entities or business associates. Especially, with the next phase of audits now underway. During this phase, OCR is reviewing the policies and procedures utilized by covered entities and their business associates to ensure they meet the standards and specifications of the Privacy, Security, and Breach Notification Rules. These will mostly be desk audits. However, there will be some on-site audits conducted as well.
The audit process began in May 2016 when OCR audit sent emails to verify entity’s address and contact information. The next step was a pre-audit questionnaire that was used to gather information about the size, type, and operations of the facilities. Those who participate in the desk audits are required to provide a list of their business associates and their contact information. Emails will go out to the chosen business associates, who are expected to respond promptly. The audits are expected to focus heavily on breach responses. If a business associate does not respond within the timeframe, they will be scheduled in January 2017 for the comprehensive audits.
Some frequently asked questions regarding audits include:
Who Will Be Audited?
Every covered entity and business associate are eligible for an audit, including covered individual and organizational providers of health services; health plans, health care clearinghouses; and a range of business associates of these entities.
What is a Business Associate?
Business associates are considered any third-party contractor that performs work or activities on behalf of a healthcare organization or covered entity that involve the use or disclosure of protected health information (1). A few examples may include:
- Example of business associates: lawyer’s working on a case, a medical transcription or medical billing companies, document storage or disposal companies, answering services, software vendors, and consultants, patient safety and accreditation organizations, health information exchanges, etc.)
- Examples NOT typically considered business associates: an employee, maintenance or repair personnel, a financial or banking institution that only performs payment activities or a janitorial service.
What are Business Associate Agreements?
HIPAA and HITECH require practices to sign a business associate agreement (BA) with business associates that ensures they will protect all patient’s PHI. The contract protects personal health information (PHI) by HIPAA guidelines. Business associates can be held accountable for any data breach and penalized for noncompliance (1).
Why are Business Associates Agreements important?
Business associate contracts are not only necessary for staying in compliance; they are crucial for the adequate protection of patient PHI. The following are HIPAA requirements for business associate agreements:
- Establish the permitted and required uses and disclosures of protected health information by the business associate.
- Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
- Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule about electronic protected health information.
- Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.
- Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings.
- To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation.
- Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule.
- At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity.
- Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.
- Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements. (1)
How Will Auditees Be Selected?
OCR is identifying groups of covered entities and business associates that represent a broad range of health care providers, health plans, health care clearinghouses and business associates. According to HHS, the sampling criteria for selection will include the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.
What If an Entity Doesn’t Respond to OCR’s Requests for Information?
If an entity does not respond to requests for information from OCR, they will utilize publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.
If your organization or practice has a question regarding HIPAA audits or business associate agreements, contact the experts at MedSafe at 1-888-MEDSAFE or visit our website at www.medsafe.com.