Business Associate HIPAA Compliance to Be Tested By OCR

The next round of OCR HIPAA compliance audits is penciled in to start in the first quarter of 2016. While the audits have been much delayed, it is unlikely that they will be pushed back further. OCR has been heavily criticized for its lack of enforcement of HIPAA, in particular the failure of the audit program to materialize. The next round of audits will see Business associate HIPAA compliance efforts examined, as this will be the first round of audits to be conducted since the introduction of the HIPAA Omnibus Rule.

The HIPAA Omnibus Rule, published on January 25, 2013, introduced a number of provisions of the HITECH Act into HIPAA, one of the major additions being the inclusion of a new set of responsibilities for business associates.

The term Business Associate was updated to include any person or entity that comes into contact with Protected Health Information (PHI), which includes companies that work with or maintain PHI on behalf of a covered entity. Any organization that prints and sends mailings to patients or plan members, billing companies, cloud service providers, and data companies are all included in the HIPAA definition of BA. HIPAA also covers any subcontractors used by Business Associates. BAs and their subcontractors are required to comply with the Privacy and Security Rule, and must ensure PHI is safeguarded at all times.

While Business Associates can be fined directly if they expose PHI or commit HIPAA violations, the covered entity can also be penalized for failing to ensure business associate HIPAA compliance. The next round of compliance audits will include a considerable number of audits for business associates of HIPAA-covered entities. If a covered entity is selected for audit, it will also be assessed on the efforts made to ensure that all of its vendors are in compliance with HIPAA. Business Associate HIPAA compliance will be tested and is expected to be a major component of the next round of audits.

Auditors will expect more than a policy that covers vendors. They will want answers to a number of questions about the efforts made to ensure that safeguards are in place, and that the covered entity in question knows what its business associates are doing with PHI. Auditors will not only want to see evidence of HIPAA on paper. They will need to see evidence of HIPAA in action.

Evidence of Business Associate HIPAA Compliance Must be Provided to Auditors

In order to better prepare for the OCR audits, make sure you have a list of all business associates and vendors. This list must be properly maintained and up to date.

You must be able to produce signed copies of Business Associate Agreements for all of your vendors. Those BAAs must detail the permitted uses and disclosures of PHI, the actions required of BAs must be included, such as the need to conduct risk assessments. It must also be made clear that it is the responsibility of the BA to assess compliance efforts made by any subcontractor they use.

BAs must have been made aware of their responsibilities to report data breaches, and must have a breach response plan that can be actioned as soon as a data breach is discovered. The agreement must also state the actions that will be taken if a vendor is discovered not to be in compliance with HIPAA.

You should have collected evidence that your Business Associates are actually complying with HIPAA Rules. It is not sufficient to just have a signed copy of a BAA. A covered entity is required to conduct reasonable compliance checks, and must be aware of subcontractors being used. Business Associate HIPAA compliance may be tested directly, so even if the covered entity is not selected for audit, HIPAA failures discovered during an audit of a vendor may trigger an investigation of the covered entity.

The penalties for non-compliance can be severe. The pilot round of audits did not result in any financial penalties being issued. Now three years on from those audits, OCR is unlikely to be as lenient. If serious compliance failures are discovered, financial penalties can be expected.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of