Hobson's Choice: HIPAA Audit by OCR or Business Partner?

June 20, 2014

If I were a HIPAA business associate who had signed a BA agreement but was not HIPAA compliant, I would fear the news that my covered entities or HIPAA business associate partners were going to begin monitoring my HIPAA compliance more than the threat of an HHS audit.

Both were in the news today. In an interview with Healthcareinfosecurity.com, Rocco Grillo, a managing director at the consulting firm Protiviti, suggests healthcare entities conduct periodic audits of business associates to help ensure they are taking appropriate security steps.

During a recent American Bar Association conference, Jerome B. Meites, a chief regional civil rights counsel at the Department of Health and Human Services (“HHS”) told attendees he expects the past 12 months of enforcement to pale in comparison to the next 12 months. According to Mr. Meites, HHS’ Office of Civil Rights (“OCR”) desires to send a strong message to the industry through high-impact cases.

Let's review the two possible scenarios. An HHS audit can be triggered by a number of different actions: a patient complaint, a whistleblower, an unannounced audit by OCR or one of their contractors, or a breach. If the breach affects more than 500 patients you can expect an on-site audit, but generally this takes a couple of years to play out. At the end of the audit there can be simply suggestions on how to improve your compliance, a minor fine, or in the case of "willful neglect" a major fine. Willful neglect is the case where you knew what you were supposed to do but didn't do it, or you refused to cooperate with the auditors.

If your business partner monitors your HIPAA compliance and they detect what HIPAA rules call "a pattern of non-compliance", they must ask you to remediate or mitigate that risk, and if you can't or won't they must "sever the business relationship". This not only can cause an immediate drop in revenues but can cast a very negative impression in the marketplace, because your competitors are sure to find out and exploit it.

So how do you protect your company from these risks? Of course you want to get HIPAA compliant, but you also want to be able to quickly and definitively prove that you are HIPAA compliant on an ongoing basis. Documentation of your HIPAA compliance activities is critical. Good organization and presentation of this documentation will head off deeper inquiries or on-site audits.

Our solution has been to establish compliance metrics, document activities, present the evidence initially through our Compliance Meter®, and offer complete transparency by letting your business partners drill down and see all of your HIPAA compliance activities.

Take a look at these solutions at www.compliancehelper.com and download our free HIPAA Compliance Checklist.