167 HIPAA Audits Under Way; MSP Business Associates At Risk?
Nearly 170 HIPAA audits are under way, and these latest efforts from the Health and Human Services Office for Civil Rights (OCR) could ultimately extend to thousands of business associates — including VARs and MSPs — across the country.
Indeed, OCR sent emails to 167 covered entities on July 11, alerting them that they’re about to be audited. Those organizations have until July 22 to respond to document requests, including the list of the entity’s business associates — which can include VARs, MSPs and CSPs, among other types of channel partners.
Not sure what all this means? Check in with businesses like The Compliancy Group, which educates MSPs about HIPAA compliance. One key point that most pundits overlook: The vast majority of fines don’t involve lost or stolen devices or security hacks, says Compliancy Group CEO Marc Haskelson. Instead, the fines typically involve a failure to have comprehensive administrative/privacy audits or a lack of policies and procedures in place, he adds.
HIPAA Audits: Don’t Panic, Do Prepare
Of course, the current audits may not reveal any issues. But IT service providers that are business associates linked to the HIPAA ecosystem can’t afford to let their guard down.
OCR in early 2016 launched its Phase 2 HIPAA Audit Program. As part of the effort, OCR will “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These audits will primarily be desk audits, although some on-site audits will be conducted.”
HIPAA, the Health Insurance Portability and Accountability Act, seeks to protect patient healthcare information (PHI). Healthcare providers and partners in their ecosystem must carefully guard against a range of potential HIPAA violations.