Office for Civil Rights is Looking at Business Associates

Live Compliance – EZClaim’s trusted HIPAA Compliance Experts

Small companies that work in healthcare often falsely assume that HIPAA pertains only to large organizations and hospitals, when in fact a Business Associate is any person or entity that works with Protected Health Information. Many organizations don’t realize that the fundamentals of a compliance program are Business Associate Agreements and Security Risk Assessments.

In fact, an Indiana-based Business Associate, Medical Informatics Engineering, was recently fined $100,000 for “failing to perform a comprehensive risk assessment before its server was hacked in May 2015” resulting in what was concluded to be “one of the largest breaches in recent healthcare history!” According to the Resolution Agreement, MIE must assess whether its existing security measures are sufficient to protect its ePHI, and must revise its Corrective Action Plan, Policies and Procedures, and training materials, as needed. 

In May of 2019, in an effort to make the HIPAA Privacy Rule as easy to understand as possible, the Office for Civil Rights (OCR) came up with a list of rules that clearly explain what Business Associates are now “directly liable” for. As OCR Director Roger Severino explains, “We want to make it as easy as possible for regulated entities to understand, and comply with, their obligations under the law.”

The list consists of ten rules that, if not followed, can result in penalties and monetary fines.

The OCR has made it very clear that simply “[failing] to comply with the requirements of the Security Rule” can result in immediate penalties as well.

To this end, one of the most important rules also includes information about Business Associate Agreements and their need for proof of Satisfactory Assurance when the Covered Entity requests this of them. 

Satisfactory Assurance is crucial because it ensures the Business Associate is HIPAA compliant, and it must therefore also be in the form of a contract. Because it is so often overlooked, the fact sheet points out that there would be penalties associated with “Failure to enter into business associate agreements.”

Are you ready when asked by your clients to provide your statement of Satisfactory Assurances? 

Checking off your Business Associate requirements, including those listed in the OCR’s fact sheet, is very easy with EZClaim’s trusted HIPAA Compliance Experts, Live Compliance. 

First, it is most important that all Business Associates and Vendors have proof of Satisfactory Assurance at least annually, as well as a Business Associate Agreement outlining their roles, functions, and notification requirements. 

Second, Business Associates and Vendors must complete an accurate and thorough Security Risk Assessment. A Security Risk Assessment will target vulnerabilities related to what is potentially exposing Protected Health Information. Failing to do so could also result in a penalty under ‘willful neglect’. This category alone is $50,000 per violation! These fines are huge, but the reputational damage to your billing company and the covered entity is expensive and difficult to overcome. (Live Compliance has a 100% audit pass rate!) 

Lastly, employees should be HIPAA trained with course material relevant to their role and your organization. Your workforce is your first line of defense. Completely built into your portal, Live Compliance training is custom, online, and role-based. Training is delivered and monitored within the Live Compliance portal, anytime and from anywhere.