By Diane Korbel, client solutions advisor, MediTract Inc.
There is an important anniversary coming up for everyone in health care. Sept. 22 is the third anniversary of the Office for Civil Rights (OCR) making clear that the HIPAA privacy and security rules extend directly to the business associates of hospitals, other health care providers, and health plans, and that those organizations must have a Business Associate Agreement (BAA) in place that is fully compliant with federal law.
That might not sound like an anniversary you would celebrate with your spouse at a fancy restaurant, but it is critically important if you want to avoid a time-consuming and potentially expensive investigation by federal regulators.

Last year OCR, which acts as the enforcement arm for HIPAA, announced the start of Phase 2 of its HIPAA audit program, conducting "desk audits" and on-site audits of covered entities and their business associates, including a review of their Business Associate Agreements.
These audits are not "toothless tigers."
Last year OCR took six enforcement actions against covered entities (hospitals, health care providers, health plans, and health care clearinghouses), the largest of which cost the offender $3.9 million. Being small or ignorant of the law is no defense. In April of this year a small, nonprofit provider in Illinois was fined $31,000 for not having a Business Associate Agreement with a long-standing supplier.
We believe OCR will become even more aggressive as it refines its protocols for these compliance audits. An OCR HIPAA audit can cover far more than Business Associate Agreements, but they are a great place to start your own review.
What is a business associate?
A business associate is an outside person or organization that performs functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information (PHI). Business associates include lawyers, accountants, billing and practice administrators, IT and cloud vendors, and consultants of all stripes.
A Business Associate Agreement requires the associate to safeguard the PHI it receives, to train its employees and any subcontractors who handle that information, to have a process in place for notifying the covered entity in the event of a breach, and to return or destroy the information when the contract ends.
What happens in an audit?
OCR will notify you by email that you have been selected for an audit. The Phase 2 HIPAA Audit Program uses a comprehensive audit protocol to review the policies and procedures that covered entities and business associates have adopted and actually follow to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. You will be required to provide a complete list of your business associates, with primary and secondary points of contact and a description of the services each one provides, together with your policies and related documentation, all within as little as 10 business days. An organization that does not already maintain a current inventory of its business associates and their signed agreements will find that deadline very hard to meet.