HIPAA “Desk Audit” for Small and Mid-Sized Providers and Business Associates

HIPAA Desk Audit

HIPAA Analytics Desk Audit is a valuable and cost effective way to receive an assessment of current HIPAA privacy and security compliance efforts for small to mid-sized providers and business associates. The Desk Audit is conducted remotely, applying risk analysis guidance methods of the Office of Civil Rights (OCR) Audit Program Protocol and guidance from the National Institute of Standards and Technology (NIST) in assessing provider or business associate HIPAA privacy and security documentation. The Desk Audit covers the HIPAA Privacy Rule, Security Rule and Breach Notification Rule.

Document Collection and Compliance Clarification

The Desk Audit is accomplished through a comprehensive compliance document review and a clarification worksheet, which allows the audit participant to detail specific information regarding the implementation of its HIPAA privacy, security and breach notification requirements. At the conclusion of the Desk Audit, the provider or business associate will receive a preliminary report outlining findings and recommended remediation efforts to address compliance weaknesses. As a part of the remediation efforts, HIPAA Analytics will offer actionable guidance on improving the compliance program.

Because no on-site review of audit participant facilities is required, the Desk Audit is streamlined by collecting participant documentation and clarification input to cost effectively assess current HIPAA privacy and security compliance levels.

Contact us to learn more on how your organization can obtain a cost-effective assessment of its HIPAA privacy and security compliance level.

Based in Minneapolis/St. Paul, MN we are centrally located to serve national clients.

Business Associate Strategy and the HITECH Act

Expanded Scope and Enforcement of HIPAA

Whether you are a hospital, insurance company or a vendor to healthcare, recent federal legislation has dramatically changed the rules regarding privacy and security compliance.

On February 17, 2009, President Obama signed into law the American Recovery and Reinvestment Act of 2009 [PDF], which contained provisions comprising the Health Information Technology for Economic and Clinical Health Act, or HITECH Act (“Act”). The Act makes sweeping changes to the privacy and security regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The Act imposes additional privacy and security rules on business associates. For example, The Act provides for the business associate’s compliance with the terms of the business associate agreement a direct requirement of HIPAA. The Act also applies the administrative, physical and technical safeguard requirements of the security rule to business associates, including obligations related to policies, procedures and documentation.

Additionally, new data security breach notification requirements within the Act now apply to both covered entities and business associates, requiring patient notification of any unauthorized acquisition, access, use or disclosure of their unsecured protected health information. Moreover, increased civil and criminal penalties now apply to violations of HIPAA privacy and security requirements and authorize state attorneys general to bring civil actions on behalf of state residents adversely affected or threatened by such violations.

Healthcare organizations are faced with a growing trend of sharing confidential health information with vendors (business associates) in order to meet critical business needs, yet from a risk management perspective, little if any measurement of business associate compliance knowledge is evaluated, leaving little assurance of sound compliance practices by the business associate handling patient confidential health information.

Privacy violations and security data loss by business associates and their sub-contractors have also become a strategic liability issue for healthcare organizations. For example, new security breach notification rules of the require patients be notified of any unauthorized acquisition, access, use or disclosure of their unsecured protected health information. New security breach notification requirements apply to covered entities and require business associates to notify covered entities of any unauthorized acquisition, access, use or disclosure of their unsecured protected health information they hold on behalf of the covered entity, including the identity of each individual who is the subject of the unsecured protected health information.

According to the Ponemon Institute [PDF], a privacy and information management research firm, the data breach incident cost to U.S. companies is $202 per compromised customer record in 2008. Cost factors include, expensive outlays for detection, escalation, notification and response, along with legal, investigative and administrative expenses, customer defections, opportunity loss, reputation management, and costs associated with customer support such as information hotlines and credit monitoring subscriptions.

Bottom line. Make sure you have updated business associate agreements* in place by February 17, 2010.

*To view a sample HITECH Act Business Associate Agreement, view the RECENT ARTICLES section above entitled Healthdatamanagement.com—February 9, 2010 — New Model BA Agreement, or simply click here to go directly to the site.

Grant Peterson, J.D. leads the HIPAA Analytics team. For questions or comments, please refer to Contact Us