HIPAA OCR Audits Q&A (Part 3)

Welcome to Part 3 (Part 1, Part 2) of our HIPAA OCR Audit Series where I answer all of your questions taken from our most recent HIPAA webinar, "OCR Audits: What To Expect And How To Prepare."

Watch our on-demand webinar, and follow this HIPAA OCR Audits Q&A series to find out what your organization can do to meet compliance before you’re targeted.

Q22. We have been told that housekeeping/cleaning services were not BAs. Is this correct?

Q23. It was my understanding that since Housekeeping Services are not hired to handle a Covered Entity's PHI, any exposure to PHI would be incidental and would not require a BAA.

Q24. HHS.gov says that you generally do NOT need a BAA for a janitorial service, with a couple of exceptions.

We received several more comments like the above. Great catch!

We misspoke during the presentation regarding housekeeping/janitorial staff. Housekeeping vendors are NOT considered Business Associates, and any exposure to PHI is generally considered incidental. A Business Associate Agreement (BAA) is not needed for these vendors. However, it is important that you have your housekeeping vendor sign a Confidentiality Agreement that prohibits inappropriate access to PHI or snooping.

Q25. If the physician’s spouse is part owner of the business, and also functions as the IT department, does there need to be a BA agreement?

It would depend on whether the spouse is employed by the physician. If the spouse is an employee, then a BAA would not be required. However, if the spouse operates a separate business providing IT services, then a BAA would be required. If the spouse is acting as a contract employee, then there is some discretion as contractors can be treated as vendors or as employees depending on the policy of the covered entity.

Q26. I work for a physical therapy group. Our patients are referred by their surgeons, etc. Do we need business associate agreements with all of the referring physicians?

No. Disclosures between covered entities for purposes of treatment do not require a BAA.

Q27. Do BAAs have to be re-signed every year?

No. However, make sure all your BAAs have been updated since the 2013 Omnibus updates became law and reflect the new requirements. In addition, it is a good practice to get a signed annual “statement of compliance” from your business associates. The statement could include affirmations from the vendor related to training of employees, conducting of risk analysis, reporting of incidents and breaches, etc.

Q28. How does this apply to LTC/SN Organizations?

Most long term care and skilled nursing facilities are provider-covered entities and must comply with the HIPAA regulations. In addition, they will likely be targeted for audits like other providers.

Q29. We have some recent turnover in our compliance department, including the main compliance officer. How do you recommend getting the most current contact information to OCR to make sure the right individual receives the all-important email, without "putting yourself on the radar," so to speak? I wouldn't want that email to get lost in some spam folder or be sent back as undeliverable, etc., due to that original contact being gone.

The contact form contains this email address: OSOCRAudit@hhs.gov. I would send an email to that address with the correct email contact. Make sure that you use the exact, correct nomenclature of the business name when you submit the email. Since the list was derived from breach reports, if you still have the record of the report you submitted online, you can match the name in your email to the name on the breach report. OCR has received a considerable number of contact forms in which the name of the entity did not match their records.

Q30. Have you seen "Ransomware" trigger an audit or be considered a "Breach"?

We are not aware of a ransomware attack triggering an audit. OCR wouldn’t necessarily even know about it unless it was determined to be a breach and was reported. As discussed above, the breach report database was used to generate the list of contacts for the contact requests.

“Would a ransomware attack be considered a breach?” All potential breaches require an investigation and a risk analysis. In the case of a ransomware attack, the investigation would likely need to include a forensic analysis. A forensic analysis would determine how the attack was carried out and whether data was compromised. If the attack was carried out in such a way that security controls (such as access controls) were not compromised and it is determined that no data was stolen, or very unlikely to have been stolen, the entity might be able to determine it was not a breach. However, we see this as an unlikely scenario. In most cases, ransomware attacks will be classified as breaches and will need to be reported.

Q31. I am following the Optum360 Toolkit and their P&P samples do not have the corresponding Regulation # identified on the P&Ps. Do P&Ps need to have the Regulation # written in the policy?

Yes. It is not strictly a regulatory requirement, but they really should. The reference is used to formally “map” the policy to the regulation and to prove to an auditor that the policy in question meets a particular regulation. If the Optum360 policies use a one-to-one approach, where there is one policy for each regulation, then the reference isn’t quite as essential. But as we said during the webinar, this is not the preferred method: the one-to-one approach leads to a huge number of policies that all have to be kept internally consistent.

Q32. Do you have a link to the actual Risk Analysis template? I've been using the toolkit I found online, but I'm not sure if it's the real thing...

There isn’t an official Risk Analysis template. There are tools that are okay and tools that we do not recommend. Tune into our upcoming webinar, Risk Analysis Essentials, Simplified, for more detailed information on Risk Analysis. 

Q33. The Audit pre-screening questionnaire question #7 asks for the type of provider you are. How do you answer if you are a healthcare system with hospital and clinics?

Unless the contact request made it clear that it was for the clinic and not the hospital, or vice versa, I would complete all the data for the applicable sections. You may want to complete the pre-audit questionnaire twice: once as a representative of the hospital and once as a representative of the clinics.

Q34. If people have received the request for audit, is everyone receiving the same requests for information or does it vary by location?

It appears to be a standard template regardless of location. 

Q35. Could you recommend a good source for policy templates for a small organization? Are there templates that could be edited to include company-specific requirements?

Yes. At the end of the webinar, we mentioned our HIPAA Compliance Bundle, which includes 1) a Virtual Risk Analysis, 2) HIPAA Manager, which is a policy and procedures tool, and 3) Training. If you’d like more information or a demo, see the HIPAA Bundle details.

We hope that this Q&A series has made you feel a little more prepared for the upcoming audits. If you have further questions that we haven’t covered, feel free to add them to the comments below.
