HIPAA Audits and Penalties for Business Associates
Business associates have been cruising along for years, signing and filing BA agreements, while generally ignoring HIPAA requirements. There was little risk because no one was paying any attention. The covered entities (CE) felt comfortable as long as they had some kind of BA agreement in place and the BAs weren't really liable for any breaches.
That era is over. Emails and letters are going out from OCR, the enforcement arm of HIPAA, demanding information about the relationships between CEs and BAs. From this information, desk audits will be sent out to both CEs and BAs demanding further information, such as up-to-date risk assessments. This in turn will lead to on-site audits for both CEs and BAs.
As a further sign, a $650,000 fine and an extensive corrective action plan were the penalties for a business associate losing an unencrypted, non-password-protected iPhone with 412 patient records. Oh, and by the way, this was a non-profit organization, so don't think that you will get mercy if you are a non-profit.
OCR is dead serious about this: "Business associates must implement the protections of the HIPAA Security Rule for the electronic PHI they create, receive, maintain or transmit from covered entities," says Jocelyn Samuels, OCR director. "This includes an enterprisewide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule."
Unless you have an up-to-date risk assessment, security and privacy policies, and documented training of your staff, you are non-compliant. Your covered entity may not wait for OCR to audit you; they may decide to do it themselves. A desk audit is pretty easy: "Send me a copy of your latest risk assessment, your policies on mobile devices, and documentation of your staff training."
If you are not prepared, our Jumpstart program can get you into initial HIPAA compliance with a few hours of work spread out over 72 hours. Then our Care maintenance program can keep you there on an ongoing basis. Take our Free HIPAA Risk Assessment at www.compliancehelper.com and see where you stand. Contact me at email@example.com for more information.