Finance
e-Newsletter
Intelligence Unit Special Reports Special Events Subscribe Sponsored Departments Follow Us

Twitter Facebook LinkedIn RSS

OCR Undecided on Including BAs in HIPAA Audits

Dom Nicastro, for HealthLeaders Media, August 5, 2011

The website list is required by HITECH and has been live since February of 2010, dating back to breaches that occurred on or after September 22, 2009.

Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC in Purchase, NY, says she “most definitely would encourage OCR to audit BAs, especially those of high priority/potential risk to the privacy and security of confidential information in that they work with the covered entity’s PHI and confidential information on a regular basis.”

Patrick cites examples such as IT vendors, billing companies, coding companies, accounting firms, and disposal companies (media, shredding, etc.).

Kate Borten, CISM, CISSP, president of The Marblehead Group in Marblehead, MA, says BAs play a “key role” in healthcare and should be looped in to OCR audits.

“Given the key role that many BAs play in healthcare—as well as the vast amount of PHI entrusted to BAs—it is very important that OCR also audit them,” Borten says.

Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says OCR should audit BAs in the next round and focus on covered entities now.

“In my mind, OCR auditing BAs is like climbing a falling tree: There may be some activity in trying to get somewhere, but at the end of the day, one really hasn't gained any ground,” Ruelas says. “Historically, BAs have taken their direction from their client covered entities, so by OCR focusing on covered entities, I am confident any BA-related findings will be shared between the covered entity and the BAs it contracts with.”

1 | 2 | 3

Comments are moderated. Please be patient.

2 comments on "OCR Undecided on Including BAs in HIPAA Audits"


Daniel W Berger (8/6/2011 at 1:15 PM)
Business Associates are most often the largest "surface area" of ePHI breach risk in hospitals. We highly recommend that OCR include BA's in their HIPAA audit program. In fact, this would be one of the most important things OCR do to assist hospitals with maintaining HIPAA compliance and safeguarding ePHI. It helps the hospitals hold their BA's more accountable.

Mark Meade (8/5/2011 at 10:41 AM)
With over 39% of work age Americans not having jobs ,unemployment figures only count those actively seeking work, the government is going on a crusade against business over HIPPA privacy laws. This is the same government that refuses to prosecute violators who publish medical information claiming freedom of the press. One could draw a parallel to arresting homeowners who have been burglarized for allowing a thief to rob them.