Small Providers and Business Associates – The Numbers

This blog focuses on Small Providers and Business Associates because they need help getting the compliance requirements under control and documented properly. The data included in the Final Rule, along with recent presentations by the Office for Civil Rights providing a first analysis of the 2012 HIPAA Audits, give us numbers showing that the need is definitely there.

According to HHS, 90% or more of all healthcare provider entities meet the SBA standard for small business qualification.

| Type of Entity | Estimated Small Entities |
|---|---|
| Office of MD, DOs, Mental Health Practitioners, Dentists, PT, OT, ST, Audiologists | 419,286 |
| Outpatient Care Centers | 13,962 |
| Medical Diagnostic and Imaging Services | 7,879 |
| Home Health Service | 15,329 |
| Ambulance and Other | 5,879 |
| DME Suppliers | 107,567 |

HHS also estimates the number of Business Associates and Subcontractors engaged by all these Covered Entities. Their analysis is based on 1 million to 2 million Business Associates using an unknown number of Subcontractors. This number is significant since all these businesses and subcontractors are now directly liable for HIPAA compliance under the new rules. The number of encounters we still experience with BAs who don’t understand they are a BA, much less what compliance requires of them, continues to surprise me.

The hits just keep on coming once the discussion turns to the initial analysis of the results of the OCR Audits completed in 2012. The audits covered CE performance under each of the three rules: Privacy, Security and Breach. Audits were done with CEs only; no BAs were checked. A total of 115 entities were audited. There were 61 providers chosen, and 24 of those were considered Small Providers. While the estimates in the Final Rule consider 90% as Small Providers, the Audit program was spread across the different types and sizes, and only 20% of the selected entities were Small Providers.

Overall, the audits produced 979 findings and observations (things the auditors have issues with). 60% of the problems were Security Rule related issues. When the audits began, OCR protocols expected 30% Security related findings. The truth was double their expectations. Providers have more problems than other types of entities, and Small Providers struggle to address all the Rules.

Source: HHS Office for Civil Rights

Consider these numbers:

  • 20% of the total entities audited were Small Providers
  • 65% of all problems found were in Provider entities
  • 41% of all problems were in Small entities
  • 90% of all Providers are considered Small Providers

Clearly, there are many Small Providers that need Compliance Assistance, and we haven’t determined the number of Business Associates and Subcontractors that are likely in the same position. Experience tells me there are many more determinations to be gleaned from all this data. It is impossible to look at this information to this point without making the simple assumption that focus on these groups should be a high priority for my team. Years of working in the Small Provider and Business Associate offices give us a perspective that won’t be found in the average HIPAA consultant.
