HIPAA Audit Protocols Focus on Business Associates and Cybersecurity

May 12, 2016 | Blog

The recently released Office for Civil Rights (OCR) protocols for the next round of HIPAA audits appear to be informed by the confluence of two threats to health information: electronic Protected Health Information (ePHI) accessed or hosted by Business Associates, and insufficient cybersecurity safeguards. This round of audits will target Covered Entities (healthcare providers and health plans) as well as their Business Associates (third parties who access, use, or store ePHI while performing tasks for the Covered Entity). Both should prepare for these audits now, before the audit questionnaire arrives.

The audit protocols indicate broad areas of inquiry, but a key focus of these audits is whether Covered Entities have appropriate documentation of their relationships with their Business Associates, and “how management identifies and engages Business Associates.” Expect the auditors to inquire about selection criteria, and perhaps about how Covered Entities vet Business Associates with regard to the Business Associates’ cybersecurity safeguards.

Similarly, Business Associates selected for audit will be required to respond to a number of cybersecurity questions, including:

  • Is a current HIPAA Security Risk Analysis available?
  • Has the Business Associate “implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?”
  • Does the Business Associate have policies and procedures for “regular review of information systems activity,” and does it regularly review that activity?
  • Does the Business Associate have procedures to “guard against, detect and report malicious software?”
  • Has the Business Associate conducted security awareness training, including specific training for new employees and cybersecurity reminder notices?

Business Associates are under the direct jurisdiction of the U.S. Department of Health and Human Services and are subject to HIPAA enforcement proceedings in the event the audits unearth violations of the Privacy or Security Rules. Covered Entities, in turn, should pay special attention to their relationships with the Business Associates that access ePHI. These relationships are a renewed focus of OCR, and violations can be costly. A Covered Entity in Minnesota recently settled, for $1,550,000, an OCR proceeding in which ePHI was stolen from the trunk of a Business Associate’s car. The basis of the proceeding was that the Covered Entity did not have a signed Business Associate Agreement with the Business Associate.

If you have questions regarding readiness for a HIPAA audit, or have received an audit questionnaire, please contact Kenneth N. Rashbaum.