OCR Uncertain on Business Associates Audit Plan Coverage
The US Office for Civil Rights (OCR) has acknowledged that it has not yet decided whether to include business associates (BAs) in its HIPAA-compliance audit plans.
Last month OCR awarded a $9.2 million contract to business consulting firm KPMG, LLP, which will develop protocols to support business associate audits, according to Susan McAndrew, JD, OCR's deputy director of health information privacy.
However, McAndrew said the “OCR has not yet determined whether it will audit business associates in addition to covered entities during the audits that are anticipated to take place in 2012.”
The contract entails up to 150 audits of organizations with different sizes before December 31, 2012.
According to McAndrew, the audit program consists of three steps. First, OCR will work with KPMG to develop audit protocols and conduct initial audits to field test the program. If these test audits turn out positive, OCR will launch a full range of onsite audits, to be followed by an evaluation process.
Selection and identification of audit candidates was done by Booz Allen Hamilton, which previously performed the evaluation and comparison of different audit methods, in a $180,000 contract.
As of last week, 57 breaches involving business associates, each affecting more than 500 individuals, were listed on OCR's website.
The HITECH Act requires the website list, which has been online since February 2010.
Phyllis Patrick of Phyllis A. Patrick & Associates LLC in Purchase, NY, urged “OCR to audit BAs, especially those of high priority/potential risk to the privacy and security of confidential information in that they work with the covered entity’s PHI and confidential information on a regular basis.”
Patrick cited examples such as IT vendors, billing companies, coding companies, accounting firms, and disposal companies.
Kate Borten, president of The Marblehead Group in Marblehead, MA, said Business Associates should be “looped in to OCR audits” since they play a “key role” in healthcare.
“Given the key role that many BAs play in healthcare—as well as the vast amount of PHI entrusted to BAs—it is very important that OCR also audit them,” Borten said.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, proposed that BA audits be conducted in a later round; the current round, he said, must focus on covered entities.
“In my mind, OCR auditing BAs is like climbing a falling tree: There may be some activity in trying to get somewhere, but at the end of the day, one really hasn’t gained any ground,” Ruelas said.
“Historically, BAs have taken their direction from their client covered entities, so by OCR focusing on covered entities, I am confident any BA-related findings will be shared between the covered entity and the BAs it contracts with,” he added.
According to OCR’s website, the entities affected by the breaches included Health Net, Inc. (Shelton, CT) affecting 1,900,000 individuals; New York City Health & Hospitals Corporation’s North Bronx Healthcare Network (New York, NY), affecting 1,700,000 individuals; and South Shore Hospital (Weymouth, MA), affecting 800,000 individuals.