On March 21, 2016, the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) announced that it was ready to begin Phase 2 of its HIPAA compliance audit program, which, as mandated by the HITECH Act, will audit business associates in addition to covered entities. Phase 2 follows the first phase of OCR’s audits and will continue to focus on assessing the compliance efforts of covered entities and business associates, identifying undiscovered risks and vulnerabilities, and pinpointing best practices adopted in the industry. The Phase 2 audits will initially consist of desk audits, which are projected to be complete by the end of 2016, followed by on-site audits.
How the Process Works
The first point of contact in this process will be an email from OCR requesting contact information for a given covered entity or business associate. OCR will ask for timely responses so that it can then send a pre-audit questionnaire requesting basic information about each organization. Specific information about the audit protocols will come later. OCR will likely use the basic information gathered in these initial contacts to group organizations, so that organizations similar in size, operations, affiliations, and other characteristics receive similar audit questions reflecting their operational traits. OCR also plans to compile publicly available information about covered entities and business associates that do not respond to its requests for information, so failing to respond will clearly not insulate an organization from OCR’s scrutiny.
According to OCR, ALL covered entities and business associates are eligible to be audited during the Phase 2 audits. The initial round of desk audits will focus on covered entities, followed by a round of desk audits that will focus on business associates. The on-site audits that follow will focus more on compliance with the specific privacy and security requirements under HIPAA, regardless of the organization’s classification as a covered entity or business associate.
The OCR Road Map for Phase 2 Audits
In the early part of the Phase 2 audits, OCR will ask covered entities to identify their business associates and to provide contact information for each one. OCR has not announced how it plans to compile the list of contact points for the initial emails. As it works through its list of covered entities and business associates, OCR may use the contact information it receives to reach other entities; for a smaller organization, the person OCR contacts may therefore be whichever employee deals with another organization that has already provided data to OCR. It is critical, then, that all staff of every organization know that an email from OCR may arrive and should not be ignored. OCR has posted a sample contact information request letter on the HHS website at http://tinyurl.com/hnh6uze.
What this Means for Providers and Business Associates
Including business associates as primary audit targets in the Phase 2 audits is likely a response to the massive number of vendors that provide services to covered entities involving protected health information (PHI). Since 2009, nearly 33 million medical records containing PHI that were stored or otherwise handled by business associates have been exposed.
OCR’s approach to the Phase 2 audits should put business associates on notice that their responsibility for compliance with the HIPAA privacy and security rules, and their responsibility for data breaches, will be aggressively enforced going forward. In addition, when covered entities and business associates negotiate their business associate agreements and any other HIPAA-related agreements, the parties should ensure that all rights and duties under those agreements are aligned with the strengthened privacy and security rules, including audit rights (similar to those of OCR) among and between the entities. A subcontractor of a business associate is itself treated as a business associate under HIPAA, so the same contracting principles should apply, and liability flows to every downstream party that a business associate subcontracts with for its work under an agreement with a covered entity.
Recent OCR enforcement actions, including a $1.55 million settlement that stemmed from a covered entity’s failure to enter into a business associate agreement and to conduct an organization-wide risk analysis covering PHI (see http://tinyurl.com/zlnhclt), show how costly it can be to neglect your organization’s privacy and security practices, including the emails from OCR sitting in your inbox.