Expect HIPAA noncompliance fines for BAs soon, attorney says


We should expect to see a HIPAA noncompliance enforcement action soon against a business associate, according to privacy attorney Adam Greene, a partner at Davis Wright Tremaine LLP in the District of Columbia.

Greene, in an interview with HealthcareInfoSecurity, says that's because the Department of Health and Human Services' Office for Civil Rights generally takes two to three years to settle cases, and business associates first became directly liable for HIPAA compliance in September 2013.

"I wouldn't be surprised that within the next year we see our first business associate [enforcement] action from something that happened in 2013 or 2014, but I wouldn't be surprised if it takes longer," Greene said.

He advises business associates to pay attention to the issues involving OCR settlements with covered entities.

For instance, OCR recently fined Indiana-based radiation oncology practice Cancer Care Group $750,000 for potential HIPAA violations stemming from the 2012 theft of a laptop that contained information for 55,000 patients.

Business associates share many of the same issues as covered entities, he said.

"The risk assessment continues to be the biggest challenge, and a lot of it is not having a risk assessment that aligns with OCR guidance," Greene said, explaining that they're looking at specific HIPAA or International Organization for Standardization (ISO) requirements.

"OCR is really looking at all the places you have PHI, all the threats to that, all the vulnerabilities and all the corresponding risks, which is very different from a gap assessment," he said.

Greene points to a settlement a year or two ago over copying machines that were returned with hard drives still containing PHI. As a BA, does your risk assessment include fax machines and copying machines? These are the things to be paying attention to, he says.

OCR keeps warning that the second round of its HIPAA audit program is coming, which will include business associates. A vendor--Ashburn, Virginia-based FCi Federal--was selected for the much-delayed program, OCR Director Jocelyn Samuels announced earlier this month.
