OCR “Chomping On The Bit” To Audit Business Associates For HIPAA Hi-Tech Compliance

March 9, 2012

By Jack Anderson CEO Compliance Helper

Here is a quote from Rebecca Herold, CIPP, CISSP, CISM, FLMI, in the February 2010 edition of Compliance Today:

“CEs are now accountable for more active validation of BA security and privacy program compliance, beyond just having a BA contract in place. It is more important than ever for CEs to take proactive measures to ensure BAs establish and maintain effective and appropriate information security and privacy policies and other supporting actions. Simply depending upon a security questionnaire answered once a year (or even less often), with no validation that the information provided is even accurate, is not effective. CEs must take a more proactive approach to ensuring BAs have effective and compliant programs in place. After all, CEs are ultimately responsible for ensuring the security and privacy of the information they collect from their own clients, patients, customers, and employees.”

Now, more than two years later, the rest of the privacy and security world is realizing that she was right. Compliance Helper and Rebecca Herold & Associates have collaborated on developing a solution called BA Tracker. Using the cloud computing model, this service allows a CE to monitor its business associates cost-effectively and efficiently. With our Compliance Meter™, the business associate is able to demonstrate its HIPAA HITECH compliance on an ongoing basis. Take a look at www.compliancehelper.com/batracker

To view the original article please click here.

Here is Doug Pollack’s article:

Office for Civil Rights to Focus on Business Associate Security Risks

By Doug Pollack March 8, 2012

Kirk Nahra, an attorney with Wiley Rein, today interviewed Leon Rodriguez, Director for the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) at the IAPP Global Summit 2012. The session really illuminated that OCR is stepping up their volume and breadth of enforcement actions.

Director Rodriguez noted that 63% of the individuals affected by healthcare data breaches reported to OCR were a result of a security breach at a Business Associate rather than a Covered Entity. He commented that he and OCR are “chomping at the bit” in order to directly target Business Associates for violations of the Security Rule and take enforcement actions.

When asked why it is that Business Associates are responsible for a majority of the individuals affected by reported data breach incidents, he suggested that it wasn’t obvious that they were any less rigorous in their security programs, vis-à-vis Covered Entities, although that is a possibility. But he did comment that many Business Associates tend to work with many Covered Entities and as a result will aggregate large quantities of confidential personal health information, in many cases more than any one particular hospital or other provider.

When looking at the targets of enforcement actions, he indicated that their primary focus is on situations where there was an “abject failure” of organizations in terms of trying to comply with the privacy and security rules. He indicated that situations such as the Massachusetts General breach, where sensitive patient information was left on mass transit, and the CVS and RiteAid cases where patient information was placed in a dumpster, are good examples illustrative of such abject failure of a security and privacy program.

An interesting additional comment was made that it is the Covered Entities that are working very hard to comply diligently with the security and privacy rules that are asking OCR to take aggressive enforcement actions on their brethren, as well as on Business Associates that are not working hard at all on implementing reasonable security measures. Along these lines, he also commented that he expected that there would be an enforcement action before too long for “failure to notify” in a situation where a breach should have led to notification but where the Covered Entity did not take such action. Be forewarned.

So, in terms of takeaways from this interview:

First, healthcare organizations need to get their acts together in privacy, but especially security. If you haven’t taken actions that demonstrate that you’ve tried to comply, you will be extremely exposed.

Second, if you are a HIPAA Business Associate, you’re on notice that OCR is going to be, starting very soon, scrutinizing your security posture, and that violators are likely to be facing stiff monetary penalties.

And third, if they conclude that a breach was the result of an “abject failure” of security systems, procedures and focus, the entity is likely to be dealt with harshly.