Over the last few weeks, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released notices to Covered Entities and the Business Associates that they work with on a NEW 2016 Phase 2 HIPAA Audit Program. The announced Audit Program covers some new HIPAA Privacy, Security and Breach federal rules.
HHS OCR has sent notifications to Covered Entities regarding the request for a HIPAA Desk Audit that will request a list of their Business Associates.
The HIPAA Desk Audit will NOW include a requirement to send a list of their Business Associates to the OCR.
If you are reading this it may be you! Any Health care providers, health care clearinghouse, health plan and health care individual service provider who transmit or store health information electronically.
A business associate is any individual or company that supports the covered entities or comes in contact with Electronic Patient Health Information (ePHI) managed by the covered entity. This means your IT provider, maybe a software vendor, possibly your accountant or lawyer..
You may want to pay special attention to sub-contractors you are using to augment your salaried work-force.
Did you know that your BA's need to be HIPAA compliant?
Once you receive an Audit request from the OCR you are required to respond within 10 Days.
Your response will include your compliance to Policies, Procedure and Evidence.
A list of all of your business associates contact information will be required to send them.
Lack of HIPAA risk assessment can lead to very expense data breaches. In a recent IBM report stated that Healthcare data breached have reached a loss of $402 per record between Breach Notifications, Penalties and Lost Business. In a breach of 10,000 records can lead to a $4,020,000 in losses. A example of this can be found in the recent news when the OCR fined a Business Associate for $650,000 from the theft of an unencrypted SmartPhone, click here on the details of the case http://goo.gl/JDl291
The first step is to conduct a HIPAA Risk Assessment and gap analysis to see where you are lacking with your compliance program.
DCS can assist you with your HIPAA Compliance by leveraging our HIPAA Risk Assessment to be ready when HHS comes calling and also to prevent future data breaches.
Remember internal self assessment may not catch all the critical items can will result in expensive fines and possible non compliance.