April 7, 2016. HIPAA Integrity recommends that you read the March 28, 2016, Modern Healthcare article by Joseph Conn entitled: “HHS amps up vendor HIPAA audits,” which focuses on the role of business associates handling covered entity protected health information (PHI). The article notes that since the Office for Civil Rights (OCR) started posting breaches of medical records in September 2009, there have been 1,472 breaches posted, affecting just under 33 million individuals. Of those breaches, 21 percent have involved business associates, which since September 2013 share with covered entities liability for noncompliance with the HIPAA Security Rule and failure to ensure confidentiality for PHI as specified in the covered entity’s business associate agreement with a business associate contractor. Business associate subcontractors to a business associate contractor or to another business associate subcontractor downstream are obligated to implement the HIPAA Security Rule and any privacy requirements specified in the business associate agreement between the covered entity and business associate contractor. In the April 1, 2016, HIPAA Integrity blog post, we identified the March 16, 2016, resolution agreement announcement entitled: “$1.55 million settlement underscores the importance of executing HIPAA business associate agreements.” OCR conducted an investigation of the subject covered entity after the covered entity reported a breach and found that there was not a business associate agreement in place. “‘Two major cornerstones of the HIPAA Rules were overlooked by this entity,’ said [OCR Director] Jocelyn Samuels. ‘Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.’”
This and other resolution agreements and corrective action plans are the result of self-reporting a breach, where a follow-on investigation discovers evidence of non-compliance. With OCR’s March 21, 2016, announcement that compliance audits are underway, covered entities and business associates must begin now to ensure that their safeguard compliance activities are in place, in force, and documented, especially a recent risk analysis and business associate agreements, as applicable.
HIPAA Integrity’s Safeguard Compliance Tool Package (Version 3.0), which was released earlier this week, is designed for covered entities and business associates to document and successfully demonstrate safeguard compliance for either a forthcoming desk or onsite audit. It comprises an easy-to-follow tabular risk analysis template; 92 written generic safeguard policies and procedures that a covered entity or business associate must have in place and that can readily be tailored to its risk analysis findings; 22 authorization and maintenance forms accompanying safeguard procedures; and the safeguard training curriculum in five lessons with test questions for administration by Privacy and Security Officials to their workforce members. Each component of the package is linked via proprietary code and written in plain language. HIPAA Integrity also includes guidance, online accessible authoritative references—for example, OCR’s Business Associate Contract Webpage—and OCR audit protocols. At an affordable $499 for a year’s membership, including any federal regulatory updates, HIPAA Integrity’s Safeguard Compliance Tool Package (Version 3.0) is a much more cost-effective option than being selected for an OCR desk audit and found non-compliant, as the covered entity example above and its cost of settlement clearly demonstrate.