HIPAA audit preparation and compliance: BA effects on CEs

By Nicole Freeman   |   March 10, 2014

While the timetable for 2014 HIPAA audits has not been released, the Office for Civil Rights (OCR) has begun surveying covered entities and business associates (BAs) to gauge organizational preparedness for the upcoming OCR HIPAA Audit Program. The audit criteria have not been disclosed, but it’s possible that OCR will follow up on 2012’s major shortcoming on risk and security assessments.

Since the HIPAA Omnibus Rule became enforceable on September 23, 2013, BAs have gained more responsibility for securing protected health information (PHI) beyond HIPAA’s Privacy and Security Rules. As the Audit Program draws closer, BAs and covered entities should begin preparing for a HIPAA audit. Jeff VanSickel, senior consultant at SystemExperts, offered five tips to help BAs get ready and elaborated on a few of these points in a recent interview. While he believes there is a benefit to covered entities ensuring the downstream protection of their data, that doesn’t mean BAs and their subcontractors can skimp on their end of the agreements. Here is what he had to say on three critical points.

Establish operating controls
BAs and covered entities work together to create business associate agreements (BAAs), and in this process covered entities should have a list of security requirements for each respective BA. Controls vary widely depending on the type of service being provided, and many controls may not be obvious to decision makers; consider, for example, the cleaning companies that serve providers.

VanSickel offers this advice: “You have the cleaning company that comes in to clean your office. They might have access to information. What you want to make sure is this outside party that’s doing the cleaning services does appropriate background checks on their employees. That would be important because you wouldn’t want somebody who was a convicted felon of identity theft to be going through your offices at night and cleaning out your bins.”

Ensure continued system availability
Covered entities need to be certain that their BAs provide secure access to data at all times, regardless of system outages, power failures, and other unforeseen circumstances.

“You’re going to want to make sure that they have and they perform assessments on their network connectivity to the internet and vulnerability assessments to make sure that people can’t break into that data center and potentially get to the data. Then you’re going to want to make sure that you have business continuity aspects like back-up power, back-up internet services, those types of things, all the standard stuff that you would go to an outside data center to ask for, and that it’s all defined within that set of security requirements.”

The responsibility doesn’t rest entirely on the vendor to ensure these services.

“On the covered entity side, you’ve got to have a program in place to say, ‘All right, I’ve got 30 outside vendors that provide something to me where PHI is involved, and over the course of the year, I’ve got to go tap on the door of each of those 30 and say, “Demonstrate to me that you’re compliant with all of those requirements that I gave you in our contract.”’”

Put documented controls in place
Typically, when meeting with clients, VanSickel works with a lawyer or data privacy officer, an IT team member, and an information security team member, and he is often asked why a blanket-statement BAA requiring a demonstration of HIPAA compliance isn’t in their best interest.

“It makes sense that the covered entity has to put together a list of ‘security requirements’ that are aligned for the type of service that is being provided by that service provider.” To accommodate these differences, a standard BAA can be adapted by adding a client-specific appendix. “That appendix contains those security requirements that we want to have demonstrated to us on an annual basis, then it’s much more customized to the relationship.”

He also advised covered entities to identify all business and client data that falls under HIPAA and what data falls outside the scope of HIPAA. Not all information a BA handles is PHI, and some BAs, depending on their services, may only handle limited amounts of PHI, perhaps restricted to insurance information or billing data. Entities should also understand where confidential data is located, both within the organization and outside it (with third parties). BAs and covered entities alike should know what information is going where.