More Fines Ahead for HIPAA Business Associates
As HIPAA business associates (BAs), managed service providers (MSPs) doing work in the healthcare space are at risk of increased enforcement efforts from the federal government.
In 2016 alone, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued almost $24 million in fines.
Among those fines was the first ever settlement reached with a HIPAA business associate. Catholic Health Care Services of Philadelphia (CHCS) was fined for a failure to safeguard electronic protected health information (ePHI). ePHI is any protected health information (PHI), such as patient names, dates of birth, Social Security numbers, financial information, or medical data, that is transmitted, created, stored, or maintained electronically.
Business associates were first mandated to be HIPAA compliant in 2013 when the Omnibus Rule was passed. OCR investigations take an average of 2-4 years to reach settlement, which is why the CHCS settlement was only announced last year.
BA enforcement is set to become just as commonplace as covered entity (CE) enforcement in the years ahead now that BA investigations are starting to reach settlements.
HIPAA Enforcement on the Horizon for MSPs
HIPAA enforcement actions targeting MSPs in the healthcare space are also likely to increase.
In November of 2016, OCR began a series of random audits aimed at business associates. These audits are a part of OCR’s ongoing Phase 2 HIPAA Audit Program.
These Phase 2 Audits are meant to gather data from a variety of healthcare verticals and specialties in order to assess the state of HIPAA compliance in the market. According to official releases, OCR is specifically targeting BAs within the healthcare IT industry, which puts MSPs and IT consultants squarely in the crosshairs of upcoming enforcement action.
Data privacy and security have taken the national stage within the past few years. More and more organizations are reporting data breaches to OCR. Settlements have reached into the millions of dollars, but many professionals in the industry posit that the worst is yet to come.
The HIPAA Compliance Solution
Compliancy Group gives business associates confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches™ fields questions and guides users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, allowing business associates working in the healthcare field to attract new clients with HIPAA compliant offerings.
With The Guard, business associates can focus on running their practice while keeping their clients’ data protected and secure.
Find out more about how Compliancy Group can help simplify your HIPAA compliance today!