A new round of federal privacy and security audits will target the business associates of healthcare providers, insurers and other HIPAA-covered entities along with the entities themselves, according to the Office for Civil Rights at HHS.
HHS' Office for Civil Rights has started sending out e-mails to obtain and verify contact information for covered entities and business associates of various types for possible inclusion in the pool of potential audit subjects.
The health IT sections of the American Recovery and Reinvestment Act of 2009 added a number of more stringent privacy and security provisions to HIPAA. The law also required that HHS initiate a series of audits to verify compliance with the rules.
Another new provision in the 2009 stimulus law placed the businesses that do data handling, processing and analysis in healthcare on the same legal footing as the hospitals, physicians, insurance companies and claims clearinghouses they work for.
These so-called “business associates” were largely given a pass in the first round of audits, completed in December 2012.
According to a 2013 report by the OCR, two-thirds of the entities audited—including 47 of 59 healthcare providers and 20 out of 35 health plans—lacked complete and accurate risk assessments.
Last week, the office announced a pair of settlement agreements totaling nearly $5.5 million with the Feinstein Institute for Medical Research in New York and North Memorial Health Care in Minnesota to settle possible HIPAA violations. The Memorial Health Care case also involved a business associate, the Chicago-based revenue cycle management firm Accretive Health, according to the OCR, which said the provider and its contractor did not have a HIPAA-required agreement in place.
With the advent of outsourcing health data analytics, business associates today are handling much larger volumes of patient data than just a few years ago when the first round of audits occurred, so the expanded reach is logical, according to Deborah Gersh, partner and co-chair of the healthcare practice group at the law firm Ropes & Gray. “We're also seeing covered entities becoming increasingly more sensitive to relationships they're having with business associates,” with those agreements including audit rights and indemnifications that are “more heavily negotiated than in the past,” she said.
Getting an audit letter, even if it's only for confirmation of a covered entity's contact information, should serve as notice to healthcare leaders, said Timothy McCrystal, partner and Gersh's co-chair at Ropes & Gray.
“You're in the audit lottery,” McCrystal said. He advises letter recipients to pull out their current HIPAA security risk assessment (which typically produces a work plan) and follow up on open areas. “Now is the time to be spending internal time and resources remediating those issues.”