The HIPAA spotlight is beginning to shine brightly on business associates. Covered entities have long had their time to star, so it is only fair to share the stage now. It is likely that covered entities are only too happy to have the Office for Civil Rights (“OCR”) and others focus attention on business associates with all the consequences that come with such attention.
A potentially non-punitive form of attention are the soon to begin desk audits of business associates. Recent statements from individuals in OCR, including Deputy Director for Health Information Privacy Deven McGraw, inform that the desk audits will begin in October. Unlike covered entities who received emails confirming information first, business associates will be thrown right into the response fire. As many will recall, entities only received up to fourteen days to submit responsive information to the desk audits. This means that business associates must be ready to roll now and cannot afford to play catch up if an audit notice is sent. One small sliver of comfort is that only forty to fifty business associates will be audited (for now), though it is nearly impossible to know how extensive OCR’s database of business associates really is and just who is in that database. The only note of comfort, if it can be called comfort, is that OCR will host an informational webinar for business associates who do receive audit notices to help responses. Since the webinar will likely mirror the webinar conducted for covered entities, it is advisable to review materials from that earlier webinar.
The first round of business associate audits will hopefully provide some level of insight into the compliance preparedness of business associates. Such insight is dependent upon OCR publishing results from the audits. No public, or easily findable public, statement has been made as to when or if results will be published. Even though there are no apparent statements on that front, OCR’s recent history of pushing out compliance guidance bodes well in favor of getting such information.
The second action directed at business associates is another non-compliance settlement resulting from a breach. The target, this time, was Care New England Health System (“CNE”). CNE is the parent company to a number of hospitals in Massachusetts and Rhode Island. As the parent, CNE provides centralized support services whereby CNE received and/or accessed protected health information of its subsidiaries. The setup is nothing out of the ordinary. The aspect that cost CNE $400,000 was that the business associate agreement with each subsidiary was executed in 2005 and then not updated until the middle of OCR’s investigation in 2015. Remember, the Omnibus Rule required updates (for the most past) as of September 2013. Disregard for updated compliance requirements will not be tolerated. The CNE settlement is only the most recent example. As has been stated many times before, each OCR settlement is used to emphasize a particular point under HIPAA. The CNE lesson is: do not put an agreement into place and then forget about to never be touched again. That is a sure road to a fine at some point.
Given the second business associate related settlement and very near audits, how comfortable do business associates feel with compliance efforts? For a long time compliance was not necessarily a significant concern for business associates. Such a situation cannot continue. Now is the time to evaluate, update and do what needs to be done.