Overly Quoted on HIPAA Audits Targeting Vendors

23 March 2016 Modern Healthcare News
Partner Mike Overly was quoted in a Modern Healthcare article, “Wider HIPAA Audits May Drive Stronger Vendor Contracts,” on March 23, 2016. The article discussed the announcement that vendors of healthcare organizations, termed “business associates,” will be included as primary targets in the second round of HIPAA audits by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). The audits are intended to clamp down on vendors handling patient data for healthcare organizations to ensure HIPAA compliance and minimize security failures that could lead to a data breach. The announcement also suggests that enforcement of the OCR’s more stringent privacy and security rules could give healthcare organizations more leverage to get stronger agreements with their vendors.

Overly was quoted saying, “It will force greater visibility into what’s going on – and greater accountability. In many instances, covered entities don’t have the right to go in and audit what a business associate is doing.” He went on to explain that, now that business associates are legally liable to the feds for compliance with HIPAA privacy and security rules, “covered entities will insist on having some kind of audit rights” when they sign HIPAA-mandated agreements with these vendors.