In February, the Department of Health and Human Services (HHS) announced it was conducting a pre-audit survey of up to 1,200 organizations deemed covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A notification about an upcoming survey is rarely noteworthy, but this one lays the groundwork for the Office for Civil Rights (OCR) to continue a HIPAA audit program that began in 2012.
The OCR audit program marked the first time a formal, regulator-issued audit protocol existed under HIPAA. It also drove overall compliance efforts among covered entities, because regulatory scrutiny raised the priority of their HIPAA-related activities.
Outside of covered entities, however, the audit program drew less attention, especially among business associates. The 2012 audits did not extend to business associates, and so gave them no direct reason to take notice.
This new round of audits potentially changes the game, because business associates are now specifically cited as targets.
The news is meaningful for compliance officers at HIPAA-designated business associates such as healthcare industry consulting firms or hosting providers that have access to Protected Health Information (PHI) or Personal Health Records (PHR). The HITECH Act, signed into law by President Obama in 2009, stipulated that business associates must comply with HIPAA requirements much like covered entities. But unlike covered entities, business associates may have less awareness of what those obligations are and therefore might find it difficult to gain the necessary organizational attention.
The audits could end up being an opportunity for business associates. The fact that OCR takes business associates' obligations seriously enough to explicitly audit them can, in many cases, provide compliance professionals with ammunition to revisit their organization's HIPAA compliance. Much like the case with covered entities in 2012, this increased attention could mean getting resources, traction and budget to shore up compliance and, if done strategically, even improve their security posture.
Open the conversation
Business associates' challenge is that HIPAA is seldom on their short list of recognized regulations. Compare it to a mandate like the Payment Card Industry Data Security Standard, which addresses service providers by name: under PCI DSS 3.0, requirement 12.8 obliges a merchant to manage the service providers with which it shares cardholder data, and requirement 12.9 obliges a data center, hosting provider or other technology service to acknowledge in writing its responsibility for the cardholder data it holds.
Under HIPAA, the primary mechanism for communicating responsibilities to business associates has been the business associate agreement (BAA). Service providers and other third parties will sometimes execute a BAA to win a HIPAA covered entity's business without realizing that doing so carries broader obligations. They might, for example, liken it to a confidentiality agreement or a non-disclosure agreement, when in fact the impact is much more significant. In some situations, the fact that a BAA is in place at all might never reach the compliance team. The result is an organization that has taken on HIPAA compliance obligations but has not communicated them to the people responsible for meeting them.
The first step for these organizations is to determine whether they are, in fact, a "business associate" under HIPAA. This can be hard to establish, particularly for service providers such as storage providers or data centers with limited visibility into the specific data their customers share with them, but there is a useful litmus test: check whether the business has ever signed a business associate agreement. If it has, someone already considers it a business associate, and prudence dictates responding accordingly. Note that the test is an indicator, not the definition: since the 2013 Omnibus Rule, business associate status follows from what an organization does with PHI on a covered entity's behalf (subcontractors included), so an organization that handles PHI is a business associate even if no BAA was ever signed.
Sell it to stakeholders
The next step is getting stakeholders in the organization, particularly senior executives and those with control over the budget and strategy, to understand three pieces of information: They are a HIPAA business associate, they have HIPAA obligations as a result and they must address that fact. This can be harder to do than it sounds, because as every compliance professional already knows, introducing a new regulation into the mix isn't usually received as good news.
One useful approach is to be prepared with a few facts: the justification for why you think the organization is a HIPAA business associate, a concise statement of why that matters (e.g., a brief positioning statement about HITECH/HIPAA that uses the OCR audits as a proof point) and a plan of action.
Small shops with limited bandwidth and budget might consider a preliminary, internal self-assessment that maps where the business meets specific HIPAA requirements and where it does not. Presenting this alongside the material above helps stakeholders understand the scope of the proposed compliance program updates. At larger organizations, or those strapped for resources and time, a self-assessment up front may take more doing than is practical; in that case, include the self-assessment as the first item in the plan of action instead.
Business associate obligations under HIPAA are very real and should be taken seriously. If this dimension of an organization's regulatory compliance has been off the radar, the specific inclusion of business associates in the upcoming round of OCR audits is a great time to reopen the discussion.
About the author:
Ed Moyle is director of emerging business and technology at ISACA. He previously worked as a senior security strategist at Savvis and a senior manager at CTG. Before that, he served as a vice president and information security officer at Merrill Lynch Investment Managers.