Finance
e-Newsletter
Intelligence Unit Special Reports Special Events Subscribe Sponsored Departments Follow Us

Twitter Facebook LinkedIn RSS

OCR Undecided on Including BAs in HIPAA Audits

Dom Nicastro, for HealthLeaders Media, August 5, 2011

The Office for Civil Rights (OCR) is undecided whether to include business associates (BAs) in its HIPAA-compliance audit plans per a $9.2 million contract it awarded last month.

Susan McAndrew, JD, OCR’s deputy director of health information privacy, says the contractor, KPMG, LLP, will be developing protocols to support business associate audits.

However, “OCR has not yet determined whether it will audit business associates in addition to covered entities during the audits that are anticipated to take place in 2012,” McAndrew says.

KPMG is a consulting firm with a global network of professional firms that provides audit, advisory, and tax services. The contract calls for up to 150 audits of organizations varying in size before December 31, 2012.

McAndrew says the audit program will occur in three steps. OCR will work with KPMG to develop audit protocols and an initial round of audits to field test the program. If these test audits return positive results, OCR will launch a full range of onsite audits and an evaluation process.

OCR awarded Booz Allen Hamilton (the McLean, VA, consultant it originally hired to evaluate and compare different audit methods) a $180,000 contract to identify audit candidates.

HIPAA experts call for BA audits

BAs are involved in 57 of the 292 breaches affecting 500 or more individuals listed on the OCR website as of Thursday afternoon; that’s about 20%. The top two breaches include BAs (1,900,000 and 1,700,000 patients affected; see details at the end of this story).

1 | 2 | 3

Comments are moderated. Please be patient.

2 comments on "OCR Undecided on Including BAs in HIPAA Audits"


Daniel W Berger (8/6/2011 at 1:15 PM)
Business Associates are most often the largest "surface area" of ePHI breach risk in hospitals. We highly recommend that OCR include BA's in their HIPAA audit program. In fact, this would be one of the most important things OCR do to assist hospitals with maintaining HIPAA compliance and safeguarding ePHI. It helps the hospitals hold their BA's more accountable.

Mark Meade (8/5/2011 at 10:41 AM)
With over 39% of work age Americans not having jobs ,unemployment figures only count those actively seeking work, the government is going on a crusade against business over HIPPA privacy laws. This is the same government that refuses to prosecute violators who publish medical information claiming freedom of the press. One could draw a parallel to arresting homeowners who have been burglarized for allowing a thief to rob them.