The Office of Civil Rights has delayed the implementation of Phase 2 of the HIPAA audit program until 2015 due to complications with their new web portal. While this may be a welcome reprieve from the threat of an OCR audit, you should use your time wisely. Phase 2 of the HIPAA Audit Program will include Covered Entities and Business Associates. If your office must comply with HIPAA, that means your service providers may also be subject to supervision. By doing business with them, they are considered HIPAA Business Associates if they provide services related to any HIPAA or HITECH regulated part of your business.
In many cases, a simple SSAE 16 Type 2 from your service provider will be all you need to prove your BA’s compliance. If your provider can’t supply you with one, you may be in trouble. This new round of audits is considered a “desk audit” by the OCR. Essentially, when the OCR performs its examination, it will not be on-site and will not be able to clarify documentation or respond to any questions from you in real time. Without a Business Associate’s SSAE 16 or SOC 2, this could wreak havoc on your examination. Use this time to make sure your policies and records are in order and your business associates are in good shape. The last thing you want is for a service provider to sink your exam.
Atris works extensively with financial institutions that must comply with a myriad of regulations including, but not limited to, GLBA, SOX, and PCI. In addition to financial institutions, Atris has expertise in working with firms covered by HIPAA and HITECH. Because of this, we can demonstrate compliance by providing an SSAE 16 Type 2 upon request. Make sure your provider can do the same.