Spotlight Bright on Business Associates

The HIPAA spotlight is beginning to shine brightly on business associates. Covered entities have long had their time to star, so it is only fair to share the stage now. It is likely that covered entities are only too happy to have the Office for Civil Rights (“OCR”) and others focus attention on business associates, with all the consequences that come with such attention.

A potentially non-punitive form of attention is the soon-to-begin desk audits of business associates. Recent statements from individuals in OCR, including Deputy Director for Health Information Privacy Deven McGraw, indicate that the desk audits will begin in October. Unlike covered entities, which first received emails confirming their contact information, business associates will be thrown right into the response fire. As many will recall, entities received only up to fourteen days to submit responsive information to the desk audits. This means that business associates must be ready to roll now and cannot afford to play catch-up if an audit notice is sent. One small sliver of comfort is that only forty to fifty business associates will be audited (for now), though it is nearly impossible to know how extensive OCR’s database of business associates really is and just who is in that database. The only other note of comfort, if it can be called comfort, is that OCR will host an informational webinar for business associates who do receive audit notices, to help with responses. Since the webinar will likely mirror the webinar conducted for covered entities, it is advisable to review materials from that earlier webinar.

The first round of business associate audits will hopefully provide some level of insight into the compliance preparedness of business associates. Such insight is dependent upon OCR publishing results from the audits. No public, or easily findable public, statement has been made as to when, or if, results will be published. Even though there are no apparent statements on that front, OCR’s recent history of pushing out compliance guidance bodes well for getting such information.

The second action directed at business associates is another non-compliance settlement resulting from a breach. The target, this time, was Care New England Health System (“CNE”). CNE is the parent company to a number of hospitals in Massachusetts and Rhode Island. As the parent, CNE provides centralized support services whereby CNE received and/or accessed protected health information of its subsidiaries. The setup is nothing out of the ordinary. The aspect that cost CNE $400,000 was that the business associate agreement with each subsidiary was executed in 2005 and then not updated until the middle of OCR’s investigation in 2015. Remember, the Omnibus Rule required updates (for the most part) as of September 2013. Disregard for updated compliance requirements will not be tolerated. The CNE settlement is only the most recent example. As has been stated many times before, each OCR settlement is used to emphasize a particular point under HIPAA. The CNE lesson is: do not put an agreement into place and then forget about it, never to be touched again. That is a sure road to a fine at some point.

Given the second business associate related settlement and the very near audits, how comfortable do business associates feel with their compliance efforts? For a long time compliance was not necessarily a significant concern for business associates. Such a situation cannot continue. Now is the time to evaluate, update and do what needs to be done.

About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
This entry was posted in Compliance, HIPAA, HITECH.