HIPAA Compliance Audits

Feb. 23, 2012
During HIMSS 12, Mac McMillan, chair of the HIMSS Privacy and Security Task Force (and CEO of Austin, Texas-based CynergisTek, Inc.), said that business associates will come under increasing scrutiny in HIPAA audits by the HHS Office for Civil Rights (OCR).
The focus of the audits is on learning and assessing compliance in general, he said. The OCR is not looking at audits as a punitive tool at this point in time, he said. Audits are supposed to help the OCR determine how the industry is doing, and where the gaps are regarding security of data, he said.
One group that will come under increasing attention is business associates, he said. “Smaller hospitals can have tens to hundreds of business associates, and larger hospitals can have thousands,” he said. The range of business associates is large and varied, McMillan says. While some business associates have access to only a limited amount of data, others have access to large amounts of data. 
OCR is still trying to get a handle on business associates, he said. The HIPAA Omnibus rule that is due out will provide more guidance on business associates, McMillan says.
By the end of 2012, the audits should provide the OCR with a substantial database of results from provider organizations of all sizes. This should give a good idea of whether compliance is working, or whether more enforcement is needed, McMillan said.
Where funding will come from after 2012 is an open question, McMillan says. If there is a need for more enforcement, one thought is that fines may support future activities. In that case, it is possible that after 2012 the audits could take on a more punitive role.
The healthcare industry should be concerned about security audits collectively, because it has a lot at stake in their results, and will live with the outcomes.
