It has been over two decades since the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA or Act), but only in the past six years have enforcement actions demonstrated the fervor with which the government intends to compel compliance. With trends leaning toward a continued increase in enforcement activities, entities governed by HIPAA must be aware of their duties under the Act.
Prior to 2009, HIPAA applied exclusively to “covered entities,” such as health plans and providers, but as a result of the Health Information Technology for Economic and Clinical Health Act (HITECH) and other amendments to HIPAA, business associates are now directly governed by HIPAA and its requirements.
A business associate is an individual or entity that creates, receives, maintains or transmits Protected Health Information (PHI) for, or on behalf of, a covered entity. Additionally, a business associate is one who provides management, consulting, and/or accounting services to a covered entity, where the provision of service involves the disclosure of PHI. Any accounting firm that provides services to a health care provider, and receives or maintains PHI as part of its engagement, will be swept within HIPAA’s definition of a business associate.
In order to maintain compliance with HIPAA, a business associate must implement a reasonable and appropriate policy and procedure manual that includes adequate administrative, physical, and technical safeguards, much the same as is required for a covered entity. Creating and adopting this compliance plan can become a daunting task, especially if assigned to internal resources that are not well versed in HIPAA requirements. For example, without a breadth of knowledge in HIPAA, a compliance plan may fail to include an accurate and thorough risk analysis.
For any accounting firm that services a health care provider, and particularly those who specialize in the representation of health care providers, a comprehensive HIPAA compliance plan is mandatory—and a law firm experienced in HIPAA compliance is best suited to guide the development and implementation of such a plan.
Compliance is an expense to any business; there is an immediate investment with no tangible return. However, the cost to implement a comprehensive HIPAA plan is a small fraction of the cost of noncompliance. In 2016, the Office for Civil Rights (OCR), the entity responsible for enforcing HIPAA, entered into more resolution agreements, and issued costlier fines, for violations of HIPAA than at any other time in HIPAA’s twenty-plus year history. Compared to 2015, the total fines assessed for violations of HIPAA in 2016 almost tripled, netting more than $23 million in civil money penalties, including a historically large fine of $5.5 million against a single entity. Moreover, many of these fines were issued as a result of inadequate compliance measures, irrespective of the volume of PHI involved in any particular breach.
Concurrently, in 2016, OCR began an audit program to review the HIPAA compliance of both covered entities and business associates. The audit program, which is currently in its second phase, is focused on evaluating the compliance measures of randomly selected businesses. While OCR has suggested that the audit is intended to be a “compliance improvement activity,” to develop appropriate assistance and corrective action measures, it also provided that audits that uncover serious compliance issues may trigger a complete compliance review. This audit program can force a business associate of any size to provide evidence of its HIPAA compliance within ten days of a demand from OCR. Preparation is crucial to surviving such a request. If a business associate is lackadaisical in its compliance measures, that will likely be apparent within the audit and may subsequently result in a time-consuming—and expensive—compliance review by OCR.
Any accounting firm that reviews a health care provider’s data as part of providing accounting services is likely to be provided with PHI. In accepting this data on behalf of its client, the accounting firm becomes a business associate and is required to comply with HIPAA directly. To achieve appropriate compliance, the business associate must develop a comprehensive policy and procedure manual, conduct a thorough risk analysis, train its workforce, and enforce its manual.
Frier Levitt is experienced in advising both covered entities and business associates on their duties under HIPAA, and is prepared to aid your business in developing a detailed, tailored compliance plan. In particular, Frier Levitt has assisted accounting firms with large healthcare practice groups in achieving HIPAA compliance. Contact Frier Levitt to speak to an attorney for more information.