Expect HIPAA noncompliance fines for BAs soon, attorney says

We should expect to see a HIPAA noncompliance enforcement action soon against a business associate, according to privacy attorney Adam Greene, a partner at Davis Wright Tremaine LLP in the District of Columbia.

Greene, in an interview with HealthcareInfoSecurity, says that's because the Department of Health and Human Services' Office for Civil Rights generally takes two to three years to settle cases, and business associates first became directly liable for HIPAA compliance in September 2013.

"I wouldn't be surprised that within the next year we see our first business associate [enforcement] action from something that happened in 2013 or 2014, but I wouldn't be surprised if it takes longer," Greene said.

He advises business associates to pay attention to the issues involving OCR settlements with covered entities.

For instance, OCR recently fined Indiana-based radiation oncology practice Cancer Care Group $750,000 for potential HIPAA violations stemming from the 2012 theft of a laptop that contained information for 55,000 patients.

Business associates share many of the same issues as covered entities, he said.

"The risk assessment continues to be the biggest challenge, and a lot of it is not having a risk assessment that aligns with OCR guidance," Greene said, explaining that those assessments instead focus on specific HIPAA or International Organization for Standardization (ISO) requirements.

"OCR is really looking at all the places you have PHI, all the threats to that, all the vulnerabilities and all the corresponding risks, which is very different from a gap assessment," he said.

Greene points to a settlement a year or two ago involving copying machines that were returned with their hard drives, which contained PHI, still intact. As a BA, does your risk assessment include fax machines and copying machines? Those are the things to pay attention to, he says.

OCR keeps warning that the second round of its HIPAA audit program is coming, which will include business associates. A vendor, Ashburn, Virginia-based FCi Federal, was selected for the much-delayed program, OCR Director Jocelyn Samuels announced earlier this month.
