The Office for Civil Rights (OCR) is undecided whether to include business associates (BAs) in its HIPAA-compliance audit plans per a $9.2 million contract it awarded last month.
Susan McAndrew, JD, OCR’s deputy director of health information privacy, says the contractor, KPMG, LLP, will be developing protocols to support business associate audits.
However, “OCR has not yet determined whether it will audit business associates in addition to covered entities during the audits that are anticipated to take place in 2012,” McAndrew says.
KPMG is a consulting firm with a global network of professional firms that provides audit, advisory, and tax services. The contract calls for up to 150 audits of organizations varying in size before December 31, 2012.
McAndrew says the audit program will occur in three steps. OCR will work with KPMG to develop audit protocols and an initial round of audits to field test the program. If these test audits return positive results, OCR will launch a full range of onsite audits and an evaluation process.
OCR awarded Booz Allen Hamilton (the McLean, VA, consultant it originally hired to evaluate and compare different audit methods) a $180,000 contract to identify audit candidates.
BAs are involved in 57 of the 292 breaches affecting 500 or more individuals listed on the OCR website as of Thursday afternoon; that’s about 20%. The top two breaches include BAs (1,900,000 and 1,700,000 patients affected; see details at the end of this story).
The website list is required by HITECH and has been live since February of 2010, dating back to breaches that occurred on or after September 22, 2009.
Phyllis A. Patrick, MBA, FACHE, CHC, of Phyllis A. Patrick & Associates LLC in Purchase, NY, says she “most definitely would encourage OCR to audit BAs, especially those of high priority/potential risk to the privacy and security of confidential information in that they work with the covered entity’s PHI and confidential information on a regular basis.”
Patrick cites examples such as IT vendors, billing companies, coding companies, accounting firms, and disposal companies (media, shredding, etc.).
Kate Borten, CISM, CISSP, president of The Marblehead Group in Marblehead, MA, says BAs play a “key role” in healthcare and should be looped in to OCR audits.
“Given the key role that many BAs play in healthcare—as well as the vast amount of PHI entrusted to BAs—it is very important that OCR also audit them,” Borten says.
Frank Ruelas, director of compliance and risk management at Maryvale Hospital and principal of HIPAA College in Casa Grande, AZ, says OCR should audit BAs in the next round and focus on covered entities now.
“In my mind, OCR auditing BAs is like climbing a falling tree: There may be some activity in trying to get somewhere, but at the end of the day, one really hasn’t gained any ground,” Ruelas says. “Historically, BAs have taken their direction from their client covered entities, so by OCR focusing on covered entities, I am confident any BA-related findings will be shared between the covered entity and the BAs it contracts with.”
Top business associate breaches
Per individuals affected, according to the OCR website:
Covered entity: Health Net, Inc. (Shelton, CT)
Date of breach: January 21, 2011
Approx. individuals affected: 1,900,000
Type of breach: Unknown
Location of breached info.: Other
Covered entity: New York City Health & Hospitals Corporation’s North Bronx Healthcare Network (New York, NY)
Date of breach: December 23, 2010
Approx. individuals affected: 1,700,000
Type of breach: Theft
Location of breached info.: Electronic Medical Record, Other
IRON MOUNTAIN DATA PRODUCTS, INC. (NOW KNOWN AS ARCHIVE DATA SOLUTIONS, LLC)
Covered entity: South Shore Hospital (Weymouth, MA)
Date of breach: February 26, 2010
Approx. individuals affected: 800,000
Type of breach: Loss
Location of breached info.: Portable Electronic Device, Electronic Medical Record, Other