August 2016

Subject to Review
By Selena Chavis
For The Record
Vol. 28 No. 8 P. 18

Phase 2 HIPAA audits ramp up for covered entities and business associates.

Like film sequels, the anticipation for the second phase of HIPAA audits has left audiences both anxious and skeptical. In response to criticism from the Office of Inspector General about its enforcement of the law, the Office for Civil Rights (OCR) has embarked on a plot focused on policies and procedures adopted by covered entities (CEs) and their business associates (BAs).

"Undoubtedly, the biggest change to these latest audits is the inclusion of BAs," says Gene Fry, compliance officer and vice president of technology at Texas-based Scrypt. "Both BAs and CEs would be wise to familiarize themselves with OCR's updated audit protocol, which offers extensive guidance on precisely what action needs to be taken for each type of audit and by whom."

Paula Stannard, JD, a health care attorney with Alston & Bird LLP, notes that OCR has requested CEs provide a list of BAs and their contact information prior to the audit requests. "It is fairly easy to identify CEs because on the health care side, you have national provider identifiers. On the health insurance side, now that HHS [Health and Human Services] is regulating private insurers as well as Medicare Advantage, they know who the big players are," she says, adding that it's much more difficult to identify BAs. "One of the things that they were requiring the CEs to do is to provide a list of their BAs, and my assumption is that if a CE was not able to do so—or not able to do so easily—that that could suggest a larger issue."

Deven McGraw, deputy director for health information privacy at OCR, says following the initial process of data gathering, "desk audits" began reviewing organizational policies and procedures in June. More comprehensive on-site audits are slated to begin next year, she says.

Selected CEs received a notification letter along with a request to provide documents demonstrating compliance with selected privacy, security, and breach notification provisions. "Entities should continue to monitor their e-mail accounts for notifications from OCR requesting them to verify their contact information," McGraw says, adding that both CEs and BAs should check spam and junk folders regularly to ensure HHS e-mails are not inadvertently directed to those folders. "In addition, some CEs and BAs have received a request to complete our preaudit screening questionnaire."

CEs must respond to requests for information by uploading documents to OCR's secure web portal within 10 days. Once auditors review the provided documentation and submit their draft findings, CEs have another 10 days to respond to the initial findings. According to McGraw, auditors then develop a final report within 30 to 60 days, incorporating comments from the CE, which OCR reviews and submits back to the CE.

McGraw notes that OCR is examining a select set of provisions for the desk audits, including the following:

• security: risk analysis and risk management;
• breach: content and timeliness of notifications; and
• privacy: notice and access.

"OCR will conduct a more comprehensive review of the privacy, security, and breach notification provisions during onsite audits of both CEs and BAs," McGraw says. "Those provisions have yet to be determined."

Entities should consult the audit protocol to view the inquiry types auditors may ask about each provision.

BAs: The Ins and Outs
Sheba E. Vine, JD, CPCO, senior director of regulatory compliance at First Healthcare Compliance, defines a BA as "any vendor that the CE allows to create, receive, maintain, or transmit protected health information (PHI)." The HIPAA Privacy Rule considers any vendor that performs the following functions, activities, or services to be a BA:

• claims processing or administration;
• data analysis, processing, or administration;
• utilization review;
• quality assurance;
• billing;
• benefit management;
• practice management;
• repricing;
• legal services;
• actuarial services;
• accounting services;
• consulting services;
• data aggregation;
• management services;
• accreditation services; or
• financial services.

Stannard says the BA definition can extend to "anyone, from lawyers like myself to accountants, billing services, consultants, data analytics companies, practice management companies, and practically any service that is performed under a CE that involves the use of PHI."

To comply with HIPAA, a BA must enter into a BA agreement (BAA), a written document that ensures PHI will be safeguarded in accordance with HIPAA guidelines. "It details exactly how the BA will handle the information they have access to and the measures they will take in order to protect it," Fry explains. "The onus is on the CE to ensure BAAs are in place with all BAs and that they are reviewed periodically. A failure to do so can significantly increase the chances of a breach occurring."

A couple of exemptions exist within the BA rule, according to Stannard. For instance, when a health care provider receives PHI from another provider in order to provide treatment services, a BA is not necessary. Also, there is a HIPAA exemption for payment processing activities conducted by financial institutions.

The conduit exception rule was added in 2013 to address vendors providing courier services by transporting or transmitting PHI without actually accessing the information on a routine basis, Vine says. "In determining whether this fairly narrow exception applies, a factual determination must be made on the nature of the transmission services provided and the extent of PHI access," she explains. "An important distinction to be made is whether the opportunity to access PHI is transient vs persistent. A vendor that transmits or transports PHI but also maintains the PHI is not a conduit."

Fry notes that the conduit exception rule applies primarily to entities such as the United States Postal Service, couriers, and internet service providers. "The HIPAA rule explicitly states that the conduit exception only applies to entities that provide 'mere data transmission services.' Other than these named examples, there are very few entities that can lawfully claim to be a conduit," he points out.

Even with rules in place, Stannard says it's easy to unknowingly transition from an exempt service to one that would make an entity a BA. "That happens all too frequently where neither the CE nor the other entity recognizes that there has been a change in the nature of their relationship," she says.

For example, a financial institution that has been processing payments and then begins providing billing services for a CE may not think anything of the new dynamic, Stannard says. However, such a shift in responsibilities makes the financial institution a BA.

How data are used plays a pivotal role, Stannard says. A health care provider may receive PHI from a cohort to assist in diagnoses or treatment. While this activity alone does not establish the need for a BA, should the provider receiving the information want to use it later for data analytics, it would necessitate a BA for compliance.

Recognizing Potential Pitfalls
Failing to enter into a BAA can have disastrous consequences, notes Fry, who cites the case earlier this year when a North Carolina orthopedic practice agreed to pay a $750,000 fine after failing to execute a BAA prior to handing over more than 17,000 X-rays to a potential business partner. "The message here is clear: Do not do business with any external party without first entering into a BAA," he says.

Noncompliance often occurs when there's a failure to recognize that an entity is maintaining PHI on a CE's behalf, Stannard says. For example, there tends to be confusion around whether cloud and software service providers qualify as BAs. Because data stored by cloud providers are often encrypted and inaccessible, some CEs assume those factors eliminate the need for a BAA. Not so fast, Stannard says. "There is some guidance out there that says that that vendor is a BA because they are maintaining the data even though they cannot access it," she explains.

Vine notes that managing all of the relationships within a health care organization can be a daunting task. Because making the determination of which entities are BAs is not always straightforward, many CEs simply get confused. For this reason, she stresses that "it is crucial to look at each vendor relationship individually in order to determine whether a BA relationship exists, requiring a written BAA, as noncompliance can be costly."

This being the first time BAs have been subjected to this type of OCR audit, preparation is key to successfully surviving unscathed, Vine says. "This is especially true due to the aggressive audit timetable, as organizations will have limited time to respond once identified as an auditee," she points out, emphasizing that by now both CEs and BAs should be adequately prepared to participate. "Internal policies and procedures relevant to HIPAA should be reviewed and updated accordingly, documentation of compliance efforts should be readily available, the OCR's updated audit protocol should be reviewed, and staff should be educated on their responsibilities in the event of an audit."

Stannard points out that OCR is still finding CEs and BAs that have failed to conduct a risk assessment, one of HIPAA's basic requirements. "Many CEs and business associates have not taken the time to understand the [BA rule] or quite frankly don't have the time to spend a lot of time thinking about who their vendors are and whether they are an official business associate," she says.

OCR plans to use the findings of the phase 2 audits to develop tools and guidance to assist organizations with compliance efforts, Vine says, adding that CEs may have to pay a steep price should they be found noncompliant. "OCR has indicated that violations uncovered through an audit will be investigated through a separate compliance review that can lead to legal liability," she says.

In addition to satisfying the requirement that a CE have BAAs in place with vendors handling PHI on their behalf, there is an issue as to how much oversight a CE should have over their BAs once an agreement is signed, Stannard says. "Technically, HHS has said you are not required to do proactive monitoring, but there is a lot of incentive and a lot of reasons why CEs should be more proactive with some BAs," she says, adding that CEs that conduct due diligence with a BA prior to an agreement and periodically make sure the organization is abiding by BAA terms will be in a better position to meet compliance demands.

Stannard points out that managing BAs proactively helps mitigate against other potential complications stemming from Federal Trade Commission regulations and litigation should a BA suffer a major breach affecting the CE's patients or beneficiaries. "Despite what HHS has said, CEs probably should in some instances be more proactive about monitoring their BAs," she says.

— Selena Chavis is a Florida-based freelance journalist whose writing appears regularly in various trade and consumer publications, covering everything from corporate and managerial topics to health care and travel.


To comply with HIPAA, a business associate (BA) agreement must contain specific language, says Sheba E. Vine, JD, CPCO, senior director of regulatory compliance at First Healthcare Compliance. Each BA agreement must include the following stipulations:

• establish the BA's permitted and required uses and disclosures of protected health information (PHI);

• ensure that the BA will not use or further disclose PHI other than as permitted or required by the agreement or as required by law;

• require the BA to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI, including implementing the requirements of the HIPAA Security Rule with regard to electronic PHI;

• require the BA to report to the covered entity (CE) any use or disclosure of the information not provided for by its agreement, including incidents that constitute breaches of unsecured PHI;

• require the BA to disclose PHI as specified in the agreement to satisfy a CE's obligation with respect to individual requests for copies of PHI, as well as make PHI available for amendments and accountings;

• to the extent the BA is to carry out a CE's obligation under the Privacy Rule, require the BA to comply with the requirements applicable to the obligation;

• require the BA to make its internal practices, books, and records relating to the use and disclosure of PHI available for any Health and Human Services investigations;

• require the BA to return or destroy, if feasible, all PHI at termination of the agreement;

• require the BA to ensure that any subcontractors it may engage on its behalf that will have access to PHI agree to the same restrictions and conditions that apply to the BA with respect to such PHI; and

• the agreement may be terminated by the CE should the BA violate a material term.

— SC


Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) has agreed to settle potential HIPAA violations after the theft of a CHCS mobile device compromised the protected health information (PHI) of hundreds of nursing home residents. CHCS provided management and IT services as a business associate (BA) to six skilled nursing facilities. The total number of individuals affected by the combined breaches was 412. The settlement includes a monetary payment of $650,000 and a corrective action plan.

"Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities," says Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels, JD. "This includes an enterprisewide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule." OCR initiated its investigation on April 17, 2014, after receiving notification that CHCS had experienced a breach of PHI involving the theft of a CHCS-issued employee iPhone. The iPhone was unencrypted and was not password protected. The information on the iPhone was extensive, and included social security numbers, information regarding diagnosis and treatment, medical procedures, names of family members and legal guardians, and medication information. At the time of the incident, CHCS had no policies addressing the removal of mobile devices containing PHI from its facility or what to do in the event of a security incident; OCR also determined that CHCS had no risk analysis or risk management plan.

In determining the resolution amount, OCR considered that CHCS provides unique and much-needed services in the Philadelphia region to the elderly, developmentally disabled individuals, young adults aging out of foster care, and individuals living with HIV/AIDS.

OCR will monitor CHCS for two years as part of this settlement agreement, helping ensure that CHCS will remain compliant with its HIPAA obligations while it continues to act as a BA.