The Healthcare Hub

OCR Audits of Business Associates

  • Connie Emery, Director Compliance and Enterprise Risk Management, Privacy Official
Tuesday, January 10, 2017

The Office for Civil Rights (OCR) defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” If you fall into this category, this blog post is for you.

Business associates, under the HITECH Act, must implement administrative, physical and technical safeguards to protect the patient healthcare data of their customers. In 2013, the Health Insurance Portability and Accountability Act (HIPAA) Final Omnibus Rule expanded the definition and security responsibility for business associates so that more suppliers fall under this category.

The OCR is currently auditing covered entities (e.g. hospitals, health systems) and their business associates to determine if they are in compliance with HIPAA requirements. And while your company might not get hacked, it will get audited (by your internal audit department, by external auditors, by your customers, by the OCR, etc.).

Are you ready for an OCR audit? Do you have appropriate security measures in place to safeguard your customers’ protected health information (PHI) in compliance with the HIPAA rule? Consider the following:

  • Shifts in Technology: With increased use of mobile devices and cloud services to transmit and store data, do you have measures in place to control these new perimeters?
  • Reactive Versus Proactive: Are you in reactive or proactive mode when it comes to data security? Are you consistently reviewing your logs? Hackers are getting smarter – make sure you are too.
  • Within Your Four Walls: Employees are your biggest risk. For example, there have been data breaches that resulted from an employee’s stolen or misplaced laptop, tablet or smart phone containing PHI. Be sure to provide training to employees on how to protect your customers’ valuable data.
  • Place a Patch: Be proactive with operating system and application patches. In a recent survey of CIOs, half (50%) identified out-of-date security patches as one of the top three common information system vulnerabilities related to application security.[1]
  • Encryption Excellence: Identify the data most valuable to you and be sure to encrypt it. Case in point: A leading provider of senior living services, which provided management and information technology services as a business associate to six skilled nursing facilities, reported a PHI breach resulting from the theft of an employee-issued iPhone that was unencrypted and not password protected. According to information posted at, at the time of the incident the organization had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that the organization had no risk analysis or risk management plan.
  • Have a Plan in Place: Do you have a security control and incident response plan in place to detect and address an attack? In the event of a breach, a company that detects it can typically react much faster than if a customer or outside entity detects it first. The time that elapses between identification of a breach and remediation allows hackers to inflict greater damage on your systems and steal more patient data.

Your customers are actively preparing for the OCR audits and identifying/reporting their business associates as part of the process.
