OCR Audit Program Targets Business Associates: Are You Ready?
It’s time for covered entities and their business associates to get their respective houses in order. During phase 2 of the HIPAA Audit program, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will be paying attention to the relationships between HIPAA covered entities and their business associates (BAs).
At the 2016 Health Care Compliance Association’s Orange County Regional Conference, in their presentation, Effective Strategies for Managing Business Associate Relationships, Shirley Komoto and Leeann Habte say that OCR will ask:
- Does the covered entity have contracts with business associates?
- Do the business associate agreements (BAAs) contain all the required elements?
- How does management identify and engage business associates?
- Do the BAs involve onward transfer of protected health information (PHI) to subcontractors?
- Has the covered entity become aware of a pattern or practice of the business associate that constitutes a material breach or violation of the business associate’s obligation?
Based on these questions, it appears that OCR is focusing on two major elements of the covered entity-business associate relationship:
- Properly identifying a business associate
- Ensuring an appropriate business associate agreement is in place
How Do I Know if It’s a Business Associate?
In a healthcare ecosystem, with hundreds or even thousands of third-party vendors, it’s not always easy to identify who is a business associate, and who is not. It does no good in the middle of an audit to find out you should have had a BA agreement with a particular vendor, and you don’t. Komoto and Habte provide a decision framework for identifying business associates:
- Step 1: Does the arrangement involve PHI?
- Step 2: Are the functions or services defined as business associate functions/services?
- Step 3: Are the functions or services provided for or on behalf of the covered entity?
As Komoto and Habte point out, exceptions apply, and there are many gray areas. The U.S. Department of Health and Human Services (HHS) provides some guidance in this area.
What Should Be Included in a Business Associate Agreement?
Once you’ve properly identified a business associate, an agreement must be created. In part, these agreements ensure that business associates properly safeguard PHI in accordance with the HIPAA Rules. The Department of Health and Human Services (HHS) provides a sample of the provisions for a business associate agreement.
OCR recommends that these agreements should include guidelines for the use and disclosure of PHI. The business associate will report to the covered entity any use or disclosure of PHI not spelled out in the contract. The agreement should also establish notification timelines and content. It should be noted that meeting these contractual obligations is just as important as abiding by the notification requirements of state and federal laws.
The Cost of Noncompliance
OCR is cracking down on covered entities that share PHI with business associates without an agreement in place. It’s these kinds of lapses that cause costly and potentially harmful data breaches.
At the 2016 Health Care Compliance Association’s Seattle Regional Conference, OCR’s Sun Lee cited recent enforcement against Triple-S Management Corporation, which had several breaches. The company agreed to pay a $3.5 million settlement and adopt a corrective action plan for potential multiple HIPAA violations, including failure to have a business agreement with a vendor with which it shared PHI.
Jocelyn Samuels, director of OCR, said, “This case sends an important message for HIPAA Covered Entities…about…compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”
What You Can Do
As this recent phase of audits demonstrates, business associates are a high priority for OCR.
It’s important to remember that for business associates to successfully demonstrate compliance with the HIPAA Rules, covered entities have much to do. They have to correctly identify their business associates, execute legally compliant agreements, and demonstrate ongoing compliance through monitoring and appropriately documenting.
All of this can be overwhelming.
Like HHS, I would recommend that covered entities seek the help of reliable counsel when it comes to business associate agreements. Covered entities and their business associates should find a solution that helps them manage the complexity of meeting these contractual obligations.
When OCR comes to call, both covered entities and business associates need to quickly and promptly show compliance. And that means having your house in order.