Covered Entities and Business Associates Linked in Audits

February 17, 2016

A long time ago I wrote a blog post about “am I my brother's keeper?” (Genesis 4:8-10) in reference to the relationship between covered entities and business associates. The 2016 audit program from HHS seems to answer the question in the affirmative.

OCR announced it will distribute letters to 1,200 “covered entities” in the healthcare industry, surveying them on the accuracy and compliance of their handling of patient data. These companies will have 10 - 14 days to comply with the requests in the letters. According to the HIPAA Journal, “any covered entity receiving a survey may have a 50% chance or higher of being audited.” These letters are being readied for distribution to start what will be a permanent audit program. The new program will include both “desk audits,” which require the submission of documents, and site visits, where auditors will inspect and observe the organization. For the first time, if a HIPAA covered entity is audited, its business associate vendors will also be included. If the business associate fails, then the covered entity also fails.

For covered entities this is a signal that the old practice of simply getting your business associates (BAs) to sign a BA agreement will not suffice. You need to obtain “satisfactory assurances” that they are in compliance, which means you need to actively seek documented proof that they are compliant. This could take the form of a recent risk assessment, copies of updated policies and procedures, and documented security awareness training of their staff.

For business associates this is a signal that you need to be prepared to go beyond signing a BA agreement. You need to have available, for communication with your covered entity, an up-to-date risk assessment, updated policies and procedures, and documented staff training. And, no, sending them a copy of your 3-year-old compliance manual will not suffice.

If you are not currently ready to meet these requirements, you might want to take a look at our Jumpstart program, which could deliver all of these requirements to your organization in 72 hours or less with about 4 hours of work on your part. Come and see what we have to offer at www.compliancehelper.com
