Recent Article on HIPAA Safeguard Compliance Audits Highlights Need for Tighter Business Associate Agreements


April 7, 2016. HIPAA Integrity recommends that you read the March 28, 2016, Modern Healthcare article by Joseph Conn entitled “HHS amps up vendor HIPAA audits,” which focuses on the role of business associates handling covered entity protected health information (PHI). The article notes that since the Office for Civil Rights (OCR) started posting breaches of medical records in September 2009, there have been 1,472 breaches posted, affecting just under 33 million individuals. Of those breaches, 21 percent have involved business associates, which since September 2013 share with covered entities liability for noncompliance with the HIPAA Security Rule and for failure to ensure confidentiality of PHI as specified in the covered entity’s business associate agreement with a business associate contractor. Business associate subcontractors to a business associate contractor, or to another business associate subcontractor downstream, are obligated to implement the HIPAA Security Rule and any privacy requirements specified in the business associate agreement between the covered entity and the business associate contractor.

In the April 1, 2016, HIPAA Integrity blog post, we identified the March 16, 2016, resolution agreement announcement entitled “$1.55 million settlement underscores the importance of executing HIPAA business associate agreements.” OCR conducted an investigation of the subject covered entity after the covered entity reported a breach and found that there was not a business associate agreement in place. “‘Two major cornerstones of the HIPAA Rules were overlooked by this entity,’ said [OCR Director] Jocelyn Samuels. ‘Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.’”

This and other resolution agreements and corrective action plans are the result of self-reporting a breach, where a follow-on investigation discovers evidence of non-compliance. With OCR’s March 21, 2016, announcement that compliance audits are underway, covered entities and business associates must begin now to ensure that their safeguard compliance activities are in place, in force, and documented, especially a recent risk analysis and business associate agreements, as applicable.


HIPAA Integrity’s Safeguard Compliance Tool Package (Version 3.0), which was released earlier this week, is designed for covered entities and business associates to document and successfully demonstrate safeguard compliance for either a forthcoming desk or onsite audit. It comprises an easy-to-follow tabular risk analysis template; 92 written generic safeguard policies and procedures that a covered entity or business associate must have in place and that can readily be tailored to its risk analysis findings; 22 authorization and maintenance forms accompanying safeguard procedures; and the safeguard training curriculum in five lessons with test questions for administration by Privacy and Security Officials to their workforce members. Each component of the package is linked via proprietary code and written in plain language. HIPAA Integrity also includes guidance, online accessible authoritative references—for example, OCR’s Business Associate Contract Webpage—and OCR audit protocols. At an affordable $499 for a year’s membership, including any federal regulatory updates, HIPAA Integrity’s Safeguard Compliance Tool Package (Version 3.0) is a much more cost-effective option than being selected for an OCR desk audit and found non-compliant, as the covered entity example above and its cost of settlement clearly demonstrate.



