HIPAA phase 2 audits are here. Are business associates ready?
October 4, 2016
The United States Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) has begun Phase 2 of its audit program. Phase 2 will address both Covered Entity and Business Associate compliance with the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Phase 2, which follows OCR’s initial Phase 1 Pilot audits of 115 Covered Entities in 2011 and 2012, continues OCR’s effort to conduct the periodic compliance audits mandated by HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”) and the HIPAA Omnibus Final Rule (“Omnibus”).

OCR has announced that it is considering a broad spectrum of audit candidates to better assess HIPAA compliance across the health care industry. The Phase 2 audits seek to enhance industry awareness of compliance obligations. Based on the information obtained in the Phase 2 audits, OCR plans to develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches. The results will be used to develop OCR’s permanent audit program.

What does this mean for the myriad businesses that work with Covered Entities, such as health care providers, insurers, and many employee-sponsored group health plans? It means those businesses now need to prepare for HIPAA audits in the same way that Covered Entities do. This need to prepare applies equally to subcontractors of Business Associates who may have no direct contact with the Covered Entity. Equally important, it means that many businesses that have historically not recognized that they qualify as Business Associates, or that have proactively avoided signing Business Associate Agreements and argued that they are not Business Associates, will be subject to HIPAA requirements and the concomitant liability for failure to comply.