Phase 2 HIPAA Audits Arrive: Are IT Service Providers Ready?
The HHS Office of Civil Rights (OCR) today launched phase two of its HIPAA audit program. For IT service providers, it’s an ideal time to check in with healthcare customers as well as technology vendors to double-check a range of HIPAA-related variables, including s0-called business associate agreements.
For starters, make sure spam filters don’t accidentally block emails from the Office of Civil Rights (the address to allow for: OSOCRAudit@hhs.gov) to your clientele in the healthcare vertical. Generally speaking, it sounds like organizations targeted for potential audits will have 14 days to reply to the initial OCR outreach. Not replying doesn’t excuse an organization from an audit.
OCR started sending out email address verification letters on March 21, 2016 and will continue the process throughout the week. Those letters will be followed by a questionnaire, FierceHealthIT reported. Roughly 200 desk and on-site audits are expected to occur in 2016, the site added, and it sounds like on-site audits will extend beyond that time.
As part of the process, government regulators will be checking to see how each organization addresses privacy, security and breach notification rules.
Recent HIPAA Fines
Even before Phase Two audits started, HIPAA-related fines have been surfacing in recent weeks — though many of the alleged violations occurred several years ago.
For instance, North Memorial Health Care of Minnesota paid a $1.55 million fine after a laptop with patient data was stolen in 2012, putting protective data at risk, HealthData Management reported. About 30 organizations now have agreed to such sanctions after OCR determined they were essentially ignoring HIPAA, the site added.
On the one hand, 30 organizations taking a hit is a small figure — considering the thousands of healthcare-related businesses and entities that must comply with HIPAA. But on the other hand, healthcare organizations and their partner ecosystems can’t rest on their laurels when the stakes are so high.
In recent years, many IT service providers have struggled to understand whether they are at risk for erroneously handling customers’ patient data. Many of the concerns surfaced in 2014, when so-called Omnibus Rule changes involving “business associates” kicked in.
Those rules showed that IT service providers could face penalties of $100 to $50,000 per violation involving a HIPAA customer.
As the OCR launches new audits now, it’s prime time for IT service providers to double-check their business associate agreements while working in the healthcare vertical. IT service providers can also reach out to HIPAA-centric organizations like Compliancy Group for potential guidance.