Patricia O'Connell
Senior Communications Manager

Kirk Nahra Discusses HIPAA Audits of Business Associates; OCR Guidance on Ransomware

Healthcare Info Security
September 16, 2016

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in a September 15 HealthCare Info Security article about the first-ever round of compliance audits for business associates of entities covered by the Health Insurance Portability and Accountability Act (HIPAA).

Starting in October, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will notify 40 to 50 business associates that have been selected for remote desk audits, according to the article.

While the audit process will be challenging for the business associates that are selected, “I do expect that this effort is primarily an information gathering effort for OCR and not an enforcement process,” Mr. Nahra said. OCR “knows very little about business associates at this point, and this is likely to alert them to the enormous variations among business associates.”

He added that business associates need to be thoughtful and complete in their responses, but there shouldn’t be any particular reason to worry at this point. “The time to worry will be when there is an actual [breach] investigation, so they should use this opportunity to get their documents and policies lined up,” he said.

Mr. Nahra also commented on recent guidance from OCR that aims to clarify when health care organizations must notify patients and OCR of ransomware attacks. “I think it is important to remember that every potential breach needs to be analyzed on its own facts,” he said. “I think the guidance pushes towards more notice but it does not say every time. It will depend on a variety of factors that are encompassed in the risk assessment elements.”
