OCR: HIPAA Audits in Phase II Will Focus on Business Associates

The Health and Human Services Office for Civil Rights has begun its second phase of HIPAA audits for Covered Entities and their Business Associates. In Phase 2 of the HIPAA Audit Program, the OCR will review the Policies and Procedures adopted and employed by Covered Entities and their Business Associates in order to meet selected standards and implementation specifications of the Privacy, Security and Breach Notification rules. 

According to HHS, “HIPAA established important national standards for the privacy and security of protected health information and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk.”

The HITECH Act requires HHS to conduct periodic audits of Covered Entities and Business Associates. Before launching this phase, OCR also conducted an extensive evaluation of the effectiveness of the pilot audit program. In the opinion of Modern Healthcare, Business Associates are at the heart of this audit cycle, because the magazine holds them responsible for a large share of the tens of millions of healthcare records breached during the better part of the current decade.

“The feds appear to be preparing to clamp down on the sometimes porous flow of patient data handled by contractors, whose security failures have been linked to the exposure of nearly 33 million individuals' medical records since 2009,” the magazine states. “These contractors, termed ‘business associates’ under HIPAA, will be included as primary audit targets in the second round of HIPAA audits by HHS' Office for Civil Rights.”

According to HHS, the audit program assesses the HIPAA compliance efforts of a range of entities covered by HIPAA regulations, and presents the feds “an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches.”

The 2016 Phase 2 HIPAA Audit Program, currently underway, will review the policies and procedures adopted and employed by Covered Entities and their Business Associates, with the goal of covering every Covered Entity and Business Associate eligible for an audit.

According to TechTarget, HIPAA audits are required to protect patient health information. The audit mandate is serious and the consequences can be steep, so preparing for an audit is crucial: an entity found in violation of HIPAA can face hefty fines. “The audits of compliance with the HIPAA Privacy, Security and Breach Notification rules are intended to enforce observance of the federal healthcare privacy law,” the site notes.

For this phase of the audit program, HHS said it is identifying pools of Covered Entities and Business Associates. Before audits can begin, it is verifying the primary contacts and email addresses of HIPAA-covered entities.

According to an HHS statement on the subject, once entity contact information is obtained, a questionnaire designed to gather data about the size, type and operations of potential auditees will be sent to Covered Entities and Business Associates. As a part of the pre-audit screening questionnaire, HHS is asking that entities identify their Business Associates.

The audit protocols are designed to work with a broad range of Covered Entities and Business Associates, but their application may vary depending on the size and complexity of the entity being audited.

There’s little veiled in the HHS announcement, however, and organizations that employ Business Associates should take notice. It's important to review your Business Associate agreements, especially if you are unsure of the status of a particular partner. Just because a partner is not listed as a Business Associate does not mean it is not one, nor that it can’t ultimately be audited or fined: under the HIPAA rules, Business Associate status turns on the function a vendor performs (creating, receiving, maintaining or transmitting protected health information on behalf of a Covered Entity), not on whether an agreement has been signed. This new audit cycle will likely do much to clarify the roles of such organizations and what they may do with protected health information.

Scott Rupp


Scott E. Rupp is a writer and an award-winning journalist focused on healthcare technology. He has worked as a public relations executive for a major electronic health record/practice management vendor, and he currently manages his own agency, millerrupp. In addition to writing for a variety of publications, Scott also offers his insights on healthcare technology and its leaders on his site, Electronic Health Reporter.