OCR Audits Place Business Associates Under the Microscope

“60 percent of business associates have experienced data breaches.”[1] With cybercrime on the rise, especially in the healthcare industry, healthcare organizations and their third parties (business associates, or BAs) need to become more cognizant of how they handle sensitive patient data. 2016 saw the first time OCR fined a BA for failing to safeguard PHI. As a result, digital health vendors are feeling the pressure with every mention of health data breaches.


Some covered entities are not shy about naming their BAs as the back door (remember Massachusetts General?). The Healthcare Informatics report said in 2016 that “30 percent of breaches reported to HHS public breach portal are a direct result of third parties.” These reports are nerve-wracking. The healthcare industry is more vulnerable to breaches than other industries: large amounts of valuable data combined with a lack of stringent regulation make it extremely attractive to cybercriminals. BAs and healthcare organizations need to work together to ensure sensitive ePHI is protected. No one wants to be the weak link – or get fined by OCR. Due to a record number of healthcare data breaches in 2016, hospitals and healthcare systems are getting much more vigilant about vendor oversight.


So, what’s the best way to prepare for an OCR audit? If you have the right information security management program in place, and track to it, you can weather any audit – and prove yourself a reliable vendor partner. Importantly, in recent cases, the size of a breach has mattered less than a proven lack of compliance. Use Ostendio’s MyVCM to demonstrate that you take adequate steps to protect PHI.


Are you at risk for a breach? We’ve partnered with Intel to offer a complimentary Security Breach Assessment. 


You don’t have to reinvent the wheel to prepare for an audit. Both the ONC and the OCR provide tools to help with information security. Check out ONC’s 7-step approach in the Guide to Privacy and Security of Electronic Health Information.

Getting ready for a HIPAA audit

It’s all about monitoring and gathering evidence. When you look at your information security program, ask yourself:

  • Have I documented my information security processes?
  • Have I tracked results?
  • Can I show the steps I have taken to remedy any shortcomings?
  • Can I demonstrate that my organization takes Information Security seriously?
  • Do I have all of the evidence at hand?

If you can answer all of the above with a resounding, “Yes!” now and always, then you’re likely in good audit shape.

[1] Ponemon Institute Study, May 2016

