When the Meaningful Use process started, practices became more diligent about collecting Business Associate Agreements from all contractors who had access to their software. However, many practices that did not participate in the Meaningful Use process have not reviewed or paid enough attention to these BA agreements. As I visit with providers, I discover managers who are not well educated in the HIPAA process and do not understand that they are required to do an annual Security Risk Audit and review of their practice even if they do not have an EMR.
New audit guidelines were released for 2016 by the Office of Civil Rights (OCR), the government agency tasked with auditing both covered entities and the vendors that interact with covered entities.
The new focus as outlined on the HHS.gov website makes it clear that they will do more random audits.
“In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.”
Most of the audits so far have been in response to breaches and complaints. In this next phase, OCR will be selecting businesses for random audit even if they have not experienced any reported breach and have not had any complaints issued against them. One of the key things that will be audited is your business associate agreements. Recently an orthopedic practice was fined $750,000 for not having the appropriate business associate agreements with their vendors, so there is real risk in not reviewing these documents yearly.
So, you went through your binder and made sure that there is an agreement in place; now you’re good, right? Not even close! Here are some suggestions for reviewing your documents and keeping accurate records associated with your BA agreements.
First – do you have an agreement with ALL the vendors that have access to PHI in your office? Some examples are your software vendor, the clearinghouse that processes your claims, the cloud-based provider that hosts your software, the company that does your reminder calls, and the company that manages your IT services, which might also include monitoring your network. This is not intended to be an exhaustive list, but to give you a starting point for thinking about all the companies you interact with and share data with.
This does not include your lab, because they are a covered entity, but you do need a contract that outlines their responsibility to notify you if they experience a breach of data that includes your patients. It does not include your cleaning company, since you are required to protect your data in your office. You do, however, need a confidentiality agreement that requires all of their employees to report any instance in which they accidentally come into contact with PHI (Protected Health Information); this will help protect your business. This document would be similar to the confidentiality agreement you have your own employees sign.
Second – check the date of your current BA agreement with each vendor. It is not unusual for me to find a BA agreement that was signed several years ago when services were initiated, but no documentation that it has been reviewed annually as required in your Security Audit. It is not enough to just have a document in your binder; you must also review that document with the vendor on an annual basis.
Finally, you must question the vendor about their HIPAA Security Risk Assessment and review. You might have a simple questionnaire that you send the vendor asking them to provide you with documentation that they have completed the following things:
- Security Risk Assessment completed and plan updated – ask for a copy of their report.
- Documentation of the training that was done for their staff.
- Verification that they have the appropriate policies and that those policies have been reviewed.
- List of their subcontractors who will have access to your data, and verification that they have reviewed the HIPAA compliance of these subcontractors. For example, your Practice Management software vendor may have a contract with a clearinghouse and an IT company, plus a cloud-based storage company, to maintain the security of their co-locations for data storage.
If you are contacted for a desk audit by OCR, the expectation will be that you have done your due diligence in making sure that your vendors are HIPAA compliant in their services. They are not going to accept a group of BA agreements with no documentation that their status has been reviewed with the vendor. You should keep that documentation with the Security Risk Audit, since the audits can go back multiple years.
For those of you who have not been taking the risk of these audits seriously, now is the time to start. As part of your current Security Risk Assessment, identify the BA agreements as an area that needs to be enhanced and document your plan to bring them into compliance. Notify all your vendors immediately that you need information showing they have completed their own Security Risk Audit. They need to provide you with documentation of their own compliance. Start reviewing your own policies and your Security Risk Assessment to identify other areas where documentation may be requested in an OCR audit.
Compliance with regulatory guidelines has to become an everyday discussion in your healthcare business. Staff need to be reminded of their responsibility for maintaining the confidentiality of PHI in your practice and be engaged in the process of protecting it every day. Documentation of these training sessions, as well as all other compliance documentation, needs to be kept to support any future audit requests. You might keep a binder with BA agreements and training documents, but you should also be scanning all of that information onto your server.
Bottom line: start collecting data and reviewing your policies now, as if you already had a desk audit request from OCR. Also consult your insurance agent to determine what coverage your breach insurance provides. Would it be enough to cover the cost of a breach, or your work in responding to a HIPAA complaint?