167 HIPAA Audits Under Way; MSP Business Associates At Risk?

Nearly 170 HIPAA audits are under way, and these latest efforts from the Health and Human Services Office for Civil Rights (OCR) could ultimately extend to thousands of business associates — including VARs and MSPs — across the country.


Indeed, OCR sent emails to 167 covered entities on July 11, alerting them that they’re about to be audited. Those organizations have until July 22 to respond to document requests, including the list of the entity’s business associates — which can include VARs, MSPs and CSPs, among other types of channel partners.

Not sure what all this means? Check in with businesses like The Compliancy Group, which educates MSPs about HIPAA compliance. One key point that most pundits overlook: The vast majority of fines don’t involve lost or stolen devices or security hacks, says Compliancy Group CEO Marc Haskelson. Instead, the fines typically involve a failure to conduct comprehensive administrative/privacy audits or a lack of policies and procedures, he adds.

HIPAA Audits: Don’t Panic, Do Prepare

Of course, the current audits may not reveal any issues. But IT service providers that are business associates linked to the HIPAA ecosystem can’t afford to let their guard down.

OCR launched its Phase 2 HIPAA Audit Program in early 2016. As part of the effort, OCR will “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.”

HIPAA, the Health Insurance Portability and Accountability Act, seeks to safeguard protected health information (PHI). Healthcare providers, and the business associates in their ecosystem that create, receive, maintain or transmit PHI on their behalf, must carefully guard against a range of potential HIPAA violations.




    Ronald Tomlinson:

    Article hits on several items that are of great interest. We have one that has just opened the door to some possible problems. Currently our BAA with a Dental Office has changed and we are at a loss to determine how to fix this. The Dental Office now has two separate Dentists working in the same office location; we work with one Dentist, and a new Technician is now working with the other Dentist in the same office. This would not be any problem except that the new Technician is here because the Dentists both have their own staff and are separate from each other. Let’s make sense of this: same network, multiple computers and different servers. The Dentists have their staff sharing the reception area, billing locations and the same DHCP router, switches and equipment. There is no current protection from viewing the Dentists’ computer screens – since both Dentists have their own staff, it is like the public looking at your computer patient screens. To make this a little shorter – does the second Technician need to have a BAA signed by our Dentist?

      Joe Panettieri:

      Hey Ronald: I will loop in some HIPAA experts to see if they can offer guidance. Thanks for taking the time to reach ChannelE2E and for describing the issue.


        Bobby Kuzma, CISSP:

        There should be a BAA with each covered entity.

        The two dentists should also have, at a minimum, some kind of memorandum of understanding apportioning responsibility for the shared network, as it will factor into BOTH practices’ compliance postures.

    Marc Haskelson:


    This happens from time to time. The issue is compliance as a whole. As a patient you have a right to privacy. When sharing systems, that privacy is compromised. When you have two offices that are not connected, you have the likelihood of one seeing, hearing or touching Patient Information of the other that a Patient would not appreciate.

    With that said, if you do not have mutual compliance and proper documentation, you breach data every day. The only solution is as follows: you both become HIPAA compliant, and you both have Agreements in place with each other about Security and Training. They are not BAs; this is way more in depth.

    The agreement that you put forth needs to state that each office will become and maintain HIPAA compliance that includes yearly HIPAA 101 training. Also each and every employee on both sides should sign Confidentiality Agreements that have strongly worded sanctions for inappropriate access to either side that would include termination.

    If one side balks you will need to sever your info and move to another site otherwise you open yourself to an employee or patient reporting you and you facing fines.

    I hope this helps.


    Ronald Tomlinson:

    Thank you very much for your concern and input. Since the last question we have changed some of the methods by which data is being passed over the network – the other doctor now has a separate router and switch setup that is using different IP addresses, which makes their data and the other doctor’s data a little safer. We still have the public side of the router coming in from the same internet provider – this still stands as a problem.

    We still have the problems with the front reception desk, patient payment area and space that is not protected against viewing of each doctor’s patient information.

    Now there are outside people involved – attorney type people. Much of what they are doing is out of my area of information needed.

    It will more than likely end up with either one or the other doctor moving on. By the way we are talking about brother and sister doctors.

      Joe Panettieri:

      Hey Ronald: Thanks for looping back and sharing that info. Keep us posted and let us know if there’s a potential ChannelE2E case study looming here.
