Business Associates the Target of HIPAA Audits

For the first time since HIPAA was enacted in 1996, vendors and other business partners such as law firms and billing companies who handle health information on behalf of healthcare providers can be held directly liable for violations of the HIPAA laws. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) began its second phase of HIPAA audits on January 1, 2016. This time, OCR is looking at both healthcare providers and their “business associates,” and it has already begun the selection process. Healthcare providers will be receiving emails from OCR asking them to verify contact and other information. These inquiries will include requests for a list of the provider’s business associates. A representative group of healthcare providers and business associates will be selected for audit. Desk and onsite audits will be conducted. Auditors will share their draft findings with the providers and business associates once the audits are completed.

Initially, OCR will select small and large healthcare providers for desk audits, focusing on specific aspects of security, privacy, or breach notification. Providers and business associates will be notified of the specific subject of their audit. Desk audits of business associates will follow in a second round of audits. A third group of both healthcare providers and business associates will be selected for onsite audits, which will look at a larger range of HIPAA requirements and compliance issues. OCR forecasts that these desk audits will be completed by the end of 2016.

Failure to comply with the HIPAA laws can result in civil money penalties ranging from $100 to $50,000 per violation with a maximum of $1.5 million in a given year for identical violations. Criminal penalties may also be imposed, depending on the circumstances. Business associates are not exempt from civil and criminal penalties.

These HIPAA audits present the opportunity for healthcare providers and their business associates to examine their compliance programs and policies and procedures, identify best practices, discover risks and vulnerabilities that may not yet have come to light, and prevent problems before they result in HIPAA breaches and the stringent penalties that can result from violations.

Sullivan Stolier Schulze & Grubb has assisted its clients for many years with compliance and other healthcare regulatory issues.