In August, Advocate Health Care Network agreed to pay a $5.55 million settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), for multiple HIPAA violations. In addition, HHS also recently announced a $650,000 resolution settlement against the Catholic Health Care Services of the Archdiocese of Philadelphia.<\/p>\n\n\n\n
These multi-million dollar penalties should be a warning for all covered entities or business associates. Especially, with the next phase of audits now underway. During this phase, OCR is reviewing the policies and procedures utilized by covered entities and their business associates to ensure they meet the standards and specifications of the Privacy, Security, and Breach Notification Rules. These will mostly be desk audits. However, there will be some on-site audits conducted as well.<\/p>\n\n\n\n
The audit process began in May 2016 when OCR audit sent emails to verify entity\u2019s address and contact information. The next step was a pre-audit questionnaire that was used to gather information about the size, type, and operations of the facilities. Those who participate in the desk audits are required to provide a list of their business associates and their contact information. Emails will go out to the chosen business associates, who are expected to respond promptly. The audits are expected to focus heavily on breach responses. If a business associate does not respond within the timeframe, they will be scheduled in January 2017 for the comprehensive audits.<\/p>\n\n\n\n
Some frequently asked questions regarding audits include:<\/strong><\/p>\n\n\n\n Who Will Be Audited?<\/strong><\/p>\n\n\n\n Every covered entity and business associate are eligible for an audit, including covered individual and organizational providers of health services; health plans, health care clearinghouses; and a range of business associates of these entities.<\/p>\n\n\n\n What is a Business Associate?<\/strong><\/p>\n\n\n\n Business associates are considered any third-party contractor that performs work or activities on behalf of a healthcare organization or covered entity that involve the use or disclosure of protected health information (1). A few examples may include:<\/p>\n\n\n\n What are Business Associate Agreements?<\/strong><\/p>\n\n\n\n HIPAA and HITECH require practices to sign a business associate agreement (BA) with business associates that ensures they will protect all patient’s PHI. The contract protects personal health information (PHI) by HIPAA guidelines. Business associates can be held accountable for any data breach and penalized for noncompliance (1).<\/p>\n\n\n\n Why are Business Associates Agreements important?<\/strong><\/p>\n\n\n\n Business associate contracts are not only necessary for staying in compliance; they are crucial for the adequate protection of patient PHI. The following are HIPAA requirements for business associate agreements:<\/p>\n\n\n\n\n
\n