HIPAA audits have expanded, and while Covered Entities may in principle oversee a Business Associate (BA) to ensure HIPAA compliance, in reality they often lack the time or resources to do so. Business Associates should therefore assess their own HIPAA compliance independently and keep it up to date. BAs must be proactive about this; no one else is likely to examine their compliance until it is too late and a HIPAA audit has already been requested.
Expanded Audit Program.
It is more important than ever to be HIPAA compliant now that Phase 2 of the Office for Civil Rights' (OCR) HIPAA Audit Program has launched, extending scrutiny to a much broader set of Covered Entities and Business Associates. Previously, Business Associates and smaller Covered Entities often flew under the radar of HIPAA audits; with Phase 2 that is no longer true. Covered Entities and Business Associates of all sizes now face a real possibility of being audited.
Business Associate Agreements are more than just HIPAA compliance.
Although Business Associates must now comply directly with the HIPAA Security and Privacy Rules, Business Associate Agreements (BAAs) with Covered Entities often impose additional restrictions and obligations. Some BAAs include provisions requiring the BA to alert the Covered Entity to significant changes in the way the BA conducts business. It is common for BAAs to require BAs to notify Covered Entities of a breach within 15 days of its discovery, a far shorter window than the outer limit of 60 days that the HIPAA Breach Notification Rule itself sets for BA-to-Covered-Entity notification. Business Associates should be cognizant of their contractual BAA obligations in addition to their compliance with the HIPAA Security and Privacy Rules.
It is unlikely a Covered Entity will thoroughly audit or oversee a BA’s compliance.
Business Associates should be aware that once a BAA has been signed, Covered Entities generally do not audit or oversee the Business Associate's compliance. Unless a Business Associate is considered high risk, Covered Entities generally feel the costs outweigh the benefits, and smaller Covered Entities do not have the resources. This means it is up to the Business Associate to make sure it is HIPAA compliant. Although Covered Entities can audit BAs and can require them to maintain written security policies and procedures, there is a good chance they will never check them.
Covered Entities can tell which Business Associates are sophisticated about HIPAA.
Sophisticated BAs are aware that they fall within the definition of a Business Associate, have processes in place to comply with HIPAA, and have a specific person responsible for the organization's compliance. Business Associates that are confident in their HIPAA compliance consistently describe employee training, such as mandatory annual refresher courses and established training and compliance programs. They understand that they must enter into BAAs with any subcontractors that handle protected health information on their behalf. Covered Entities can be hesitant to enter into BAAs with unsophisticated Business Associates.
Things that may change for Business Associates in the future:
- Business Associate Agreements: Some doubt the need for BAAs since Business Associates are now directly regulated under HIPAA whereas others still see them as worthwhile.
- More standardization: Currently there is no certification body accepted as the gold standard, and OCR does not endorse any private HIPAA certification. Third-party certification processes can help ensure BAs continuously meet a baseline level of HIPAA compliance, but they are not always comprehensive or accepted by Covered Entities. If a certification process were widely accepted by Covered Entities, the due diligence, audits, and questionnaire requests that CEs send to BAs could be reduced. Even without a gold-standard certification process, standardization of these activities may become more common.
- Compliance Officer Peer Network: The training materials available through OCR are often not user-friendly, and tend to be generic and vague. A Compliance Officer peer network, in which Compliance Officers from different companies could exchange information, seems a possible and helpful prospect.
- Development of Assessment Tools: More tools may be made to assess HIPAA compliance more easily.