How Confident Are You That Your Service Organization Could Pass a HIPAA Audit?

by | Sep 9, 2019

Did you know that all business associates of healthcare providers are subject to the same regulatory requirements for securing protected health information (“PHI”) as their clients? This includes subcontractors of business associates. In other words, if your service organization (or subcontractor) obtains PHI as part of a relationship with a hospital, physician practice, nursing home, lab, or any other type of patient-facing organization, then you are required by law to be compliant with all the regulations that make up the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security, and Breach Notification Rules.

This was not always the case. In the early stages of HIPAA rollout, back in 1996, all the responsibility (and potential liability) fell to the covered entity (i.e., provider organizations). This changed with the enactment of the HIPAA Omnibus Rule in 2013. Now business associates can face random audits with potential non-compliance penalties up to a maximum of $1.5 million per violation.

While most service providers are aware of these requirements, we find that many are struggling with how to put a compliance plan in place. We are also finding that many healthcare providers are asking potential business associates for a copy of their last HIPAA Security Risk Analysis, or other high-level evidence of compliance, as a minimum threshold for doing business.

This is one of the many reasons why we started WaveFire. The WaveFire platform helps service organizations assess their current state of HIPAA compliance, generate a HIPAA Security Risk Analysis, and prepare reporting for their clients or for the Office of Civil Rights (OCR). This level of analysis and preparation is critical for organizations wishing to become audit-ready, and for those wanting to protect their bottom line from steep financial penalties.

WaveFire was designed by HIPAA experts with many years of experience working for providers, business associates, and as consultants. We have the regulatory expertise necessary to help organizations achieve compliance faster and with fewer resources.

If you are concerned about your organization’s current state of HIPAA compliance, we can help. We invite you to contact us at or 877-583-2477.