OCR’s Phase 2 of HIPAA Audit Program Focuses on Business Associates

The Department of Health and Human Services’ (HHS) announcement that they will begin auditing Business Associates in October motivated a Covered Entity’s compliance officer to call Total HIPAA last week. He had done a Google search on what a Covered Entity should do to monitor their Business Associates and the Business Associate Subcontractors. The only guidance he could find was a Total HIPAA blog from December 15, 2015.

In that blog, Total HIPAA suggested the following questions be sent to Business Associates:

  1. What is your security program?
  2. How are you educating your workforce?
  3. How do you manage access to and handling of patient/client information?
  4. Do you have policies and procedures for both Privacy and Security?
  5. Have you vetted your Business Associate Subcontractors?

There are many other questions a Covered Entity can ask a Business Associate, but these five open the conversation and help a Covered Entity assess the HIPAA compliance of its Business Associates.

The phone call continued with this question: how does a Covered Entity determine whether a Business Associate is requiring its Subcontractors to be compliant? Our answer: request that the BA submit the same five questions to its Subcontractors.

Will HHS be satisfied, in the case of an audit, that the Covered Entity is making a good-faith effort to secure its clients’/patients’ PHI? HHS has indicated that it is not sure what it will find during the desk audits. The HHS Office for Civil Rights (OCR) will issue preliminary reports to each of the Covered Entities and Business Associates selected.[1] We should have more guidance after the audits are completed. Submitting these questions will show HHS that all three categories, Covered Entities, Business Associates and Business Associate Subcontractors, recognize that they must meet the same set of compliance requirements.

It is important to be sure your Business Associate Agreements are up to date and include the revisions required under the Omnibus Final Rule in order to stay HIPAA compliant. For the upcoming BA audits in October, OCR will notify 40-50 Business Associates and, unlike Covered Entities, Business Associates are not getting any warning. “The time to prepare for the audits is now,” says David Holtzman, VP of compliance at a security consultancy. He goes on to say, “Business Associates should be prepared to produce their policies and procedures for notifying their Covered Entities when there has been a breach incident, as well as samples of when and how they have done so.”[1]

The best advice is simple: be prepared. Make sure your BAAs are renewed or modified to include the requirements of the 2013 HIPAA Omnibus Final Rule. Ask your Business Associates the five questions listed above and suggest they send the same five questions to their Subcontractors. Take note that after the desk audits, OCR plans to conduct on-site audits as well, for both Covered Entities and Business Associates.

Now is not the time to worry; it is the time to take action. Privacy attorney Kirk Nahra states, “The time to worry will be when there is an actual [breach] investigation, so they should use this opportunity to get their documents and policies lined up.”[1] Audits are a good chance to get organized and make sure your documents, policies, and procedures all comply with HIPAA.

  1. HealthInfoSecurity – OCR Business Associate HIPAA Audits Coming Soon
