HIPAA audits to affect healthcare business associates

HIPAA privacy expert David Holtzman says healthcare business associates will be audited. Patient access to health data will be part of audits.

It's not only healthcare providers that should get ready for the upcoming round of HIPAA audits by the U.S. Department of Health and Human Services Office for Civil Rights (OCR).

David Holtzman, a lawyer and vice president for compliance for health data privacy and security consulting firm CynergisTek, Inc., warns that healthcare business associates, such as insurers and claims processing firms, should also be on guard.

"The prospects are very great that business associates will find themselves subject to enforcement of HIPAA privacy and security rules," Holtzman says in this podcast, the second of a two-part series. "This has been on OCR's radar for a long time, and I expect they are going to be rather aggressive in making sure business associates are in compliance and are safeguarding health information."

It is still unclear, however, whether healthcare business associates will be subject to fines.

Meanwhile, Holtzman, a former senior OCR official, says providing patients with timely access to their own health information helps them make more informed decisions about their healthcare.

Also, such health data transparency can allow third parties to better evaluate the business processes of provider organizations, Holtzman says.

Therefore, such access, which is required by the HIPAA omnibus rule, will also be fodder for audits expected in 2015 and 2016, he says.

Let us know what you think about this story about HIPAA audits for healthcare business associates; email Shaun Sutner, news and features writer, or contact @SSutner on Twitter.

See transcript below:

How significant is the prospect of business associates being audited and possibly fined by OCR?

David Holtzman: I think the prospects are very great that business associates are going to find themselves subject to enforcement activities for compliance with the HIPAA privacy and security rules. In addition, OCR has indicated that they will include business associates in a separate review that will take place as, sort of, a second step in their process for doing desk audits. My understanding from OCR is that they are actively engaged in investigations of business associates who have been responsible for breaches that have been reported, as well as complaints from consumers alleging that the business associate has not complied with the requirements for the HIPAA security rules or the use and disclosure provisions of the privacy rule.

I know that OCR was anticipating that when the rules came into effect, or the compliance date in 2013 took effect, that there [would] be opportunities to look at the practices of some business associates. And, in fact, between the time the HITECH Act was passed into law and the compliance date of the Omnibus Rules expanding the jurisdiction of the HIPAA rules to business associates, a number of cases came up involving breaches and other allegations of inappropriate use and disclosure of protected health information by business associates. Information regarding those cases was shared with other federal agencies who had enforcement power over the use of information like health information.

So this has been on OCR's radar for a long time, and I expect that they are going to be rather aggressive in making sure that business associates are in compliance and are safeguarding health information as they are required to do through the HIPAA security rule and the provisions of the privacy and breach notification rules.

Are patients' rights to protected health information (PHI) as important as the privacy of that data? How do we weigh the relative importance of those two issues?

Holtzman: I don't think that the privacy of health information is distinctly different from an individual's rights regarding the use and disclosure of or access to their protected health information. I think they're part of the same, and they really support each other. So the HIPAA privacy rules essentially put controls on health care providers, business associates and health plans [to restrict] how they use and disclose protected health information, so as to not interfere with the provision of treatment -- but to allow individuals some ability to understand how their information is used and disclosed for payment purposes, as well as for health care operations and other activities like fundraising and marketing.

[The goal is] to make it more transparent and to allow individuals choices in how their information is used outside of the usual, [like in the] everyday business of health care, in which they are receiving treatment. Their health insurers are paying for that treatment. Health care, as a business, carries on its activities and planning and engaging in forecasting how it can provide services to patients better.
