I Did Not See That Coming!
On March 21, 2016, providers added a new regulatory compliance assessment to their checklist of HIPAA accountability. The Department of Health and Human Services, Office for Civil Rights announced the start of the Phase 2 HIPAA Audit Program to ensure that “policies and procedures adopted by covered entities and their business associates meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”
Earlier this year, many provider organizations received notice that they potentially would be on the list for desk or onsite audits. Indianapolis- based Eskenazi Health, one of the largest safety net health systems, that provides care to nearly 1 million outpatient visitors each year, was one of those organizations. According to OCR, the criteria for organizations most likely to be audited this year include: the size of the entity; affiliation with other health care organizations; the type of entity and its relationship to individuals; whether an organization is public or private; geographic factors; and present enforcement activity with OCR.
The challenge for all provider organizations is the continuous review of vendor relationships to determine which qualify as business associates, and then to request Business Associate Agreements that comply with HIPAA regulations. For many organizations this process is largely manual. For Eskenazi, solving that challenge included working with GHX to help centralize business associate management via one electronic solution, giving the organization greater visibility and control over these relationships. In 2008, Eskenazi Health had only a small number of vendors classified as business associates. Today, the organization manages hundreds of business associates, and the list is only growing.
The key to surviving OCR reviews is that an organization must have control of its contractual relationships (including purchase orders) in order to be HIPAA compliant. The challenge is in how to do it. The consequences for being noncompliant are too significant to ignore or to delay implementing best practices. What follows are some of the approaches that have helped Eskenazi to be prepared and compliant with the new regulations.
Use a comprehensive vendor and contract management process.
This should be the source of truth for all vendor relationships. Route each new contract through the privacy and security officers for BA evaluation. Then obtain a BAA, if necessary. All BAAs should be maintained in a central location, managed and signed by a privacy officer in collaboration with supply chain, purchasing and finance. If a contract is not in place with a vendor, the process should allow the privacy officer to vet the relationship during the on-boarding process to determine if a BAA is necessary.
Use the OCR 2016 Audits Protocol to check your work.
The OCR has guidelines for complying with the BAA requirements on its website. Use those guidelines to create a checklist to help ensure all required elements are covered. Ask yourself:
• What will the auditors be looking for with respect to audits?
• Does the covered entity enter into business associate contracts as required?
• Do these contracts contain all required elements?
Obtain and review policies and procedures related to the identification of BAs and the creation and establishment of BAAs.
An important part of this review is to evaluate whether or not policies and procedures accurately identify BAs and to determine BAAs that are consistent with the established performance criteria. Further, review a sample of BAs to evaluate whether or not the agreements are consistent with the established performance criteria the covered entity has established in its policies and procedures. Finally, review a sample of BAAs between the CE and such BAs for compliance with the most current provisions required by OCR, such as language requiring subsequent BAs/subcontractors to provide adequate assurances that they will abide by the HIPAA privacy and security regulations.
Inquire whether there is any knowledge of a pattern or practice of the BA that constitutes a material breach or violation of the BA’s obligation.
Obtain and review documentation of reports from the BA to the CE of any uses or disclosures not provided for in the BAA or the underlying contract. If so, notify the BA in writing of the breach and request a cure. If a cure is not forthcoming within the time frame allowed by the BAA, the BAA and the underlying relationship must be terminated. Alternatively, the CE can notify the Secretary of Health and Human Services or the OCR of the breach. Organizations must get their house in order with regard to contracts and vendors. Know who those vendors are and make sure all the necessary documentation is accurate and up to date. Since vendor information lives in several departments across the organization, one of the most helpful approaches is to funnel all vendor information through one department and centralize the information.
About the authors: Phyllis Garrison is the health privacy director at Eskenazi Health. Jackie McGuinn is the senior strategic marketing manager for GHX.