If you run a healthcare organization that stores and transmits sensitive electronic patient health information (ePHI), you’re probably aware of your responsibilities as a covered entity under HIPAA, HITECH and Omnibus. When it comes to compliance and security, you may feel that you’ve got your healthcare business pretty well under control.
But did you know that you may also be responsible for your managed IT services provider’s compliance under HIPAA and HITECH?
Under this latest round of HIPAA audits, the Health and Human Services Office for Civil Rights (OCR) has extended their investigation across the country to thousands of business associates and channel partners (like MSPs, VARs, and CSPs).This new round of audits could include your managed IT services partner—which by default, might extend to you. Under Omnibus, the OCR will look to audit ALL Covered Entities and Business Associates that have a business relationship to an organization that fails an audit.
What is a Business Associate and How Am I Responsible for Them?
In 2010, the HITECH Act extended HIPAA security and privacy compliance provisions to include business associates of covered entities. It also includes those subcontractors who conduct business with ePHI “downstream” of the business associates that were included in the 2010 HITECH Act.
Current regulations define a business associate as a person or entity that creates, receives, transmits, or maintains ePHI for an activity or function that is regulated by HIPAA. This includes data analysis, claims processing and administration, quality assurance, billing, benefits management, repricing, and patient safety activities.
The definition of business associate also includes anyone who provides managed IT services, legal, consulting, data management and aggregation, administrative, or financial services to a covered entity when the service involves the potential disclosure of ePHI. Covered entities are required to have a contract written in the form of a business associate agreement to ensure that their business associate is HIPAA compliant and aware of the need to protect any ePHI that it might encounter.
Business associate agreements (BAA) are vital in determining who is liable for what in terms of damages and apportioned fault in the event of an incident or breach that results in sanctions, fines, or court judgments.
Latest Round of HIPAA Audits Began July 11, 2016
On July 11, OCR contacted 167 covered entities to alert them that they would be audited. The organizations had until July 22 to respond to OCR’s request for information, which included the list of the covered entity’s business associates. The document request also addressed provisions of HIPAA’s Privacy, Security, and Breach Notification rule, including the requirements for breach notification for patients whose ePHI may be at risk.
A covered entity that has had trouble proving their HIPAA compliance through the earlier desk audits and documentation requests is likely setting themselves up for a field audit late in 2016. IT service providers and other business associates that are integrated with the HIPAA environment should be able to prove their compliance to the covered entities that they serve in preparation for the second round of audits and documentation requests.
Most HIPAA Fines Result From a Lack of Proper Procedures in Place
Industry experts warn that the majority of fines assessed through these audits don’t involve cybercrimes, hacks, and lost or stolen devices. Instead, the penalties and sanctions usually result from a covered entity’s failure to maintain comprehensive internal privacy audits or a lack of policies and procedures for the handling of sensitive ePHI. It is likely that this latest round of audits will also result in fines and sanctions for business associate issues where a covered entity is held responsible for failing to comply.
And now those steep penalties and sanctions may be imposed on business associates as well, and potentially to the covered entities that they serve.
Outsource My IT is your local HIPAA/HITECH compliance and managed IT services expert. We specialize in managed IT services for healthcare organizations of all sizes. Contact us at (973) 638-2722 or send us an email at firstname.lastname@example.org for more information.