The second phase of the Department of Human Services HIPAA Audit program got underway last summer with a little over 200 desk audits; your number wasn’t picked out of the hat, so you must be off the hook, right? In early December, an Office of Civil Rights (OCR) official stated that on-site audits for a small number of hospitals (perhaps up to 50) would occur in 2017. Great news, you’re not a hospital, so you’ve dodged the bullet again, right? The reality is that of the tens of thousands of Covered Entities that exist today, the odds were extremely low to begin with that you would have been picked for the HIPAA Phase 2 audit. No worries.
Per HHS.gov, “the audits are primarily a compliance improvement activity,” and they tell us that one of their main objectives is to leverage the audit information gathered to “develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.” Perhaps the audit itself was never anything to fear due to their good intentions (the OCR Director stated clearly on a webinar that this is not a punitive process), but don’t miss the rest of their website copy: “Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.” The fact that an audit can lead to a compliance review is cause for concern as it is from these that enforcement actions ensue and fines result. But again, no audit, no worries, correct?
Incorrect. A compliance review isn’t just the result of an audit gone wrong. Remember the data breach you are required to report at the end of the year? That can trigger a HIPAA compliance review. Historically it seems that mostly larger breaches (involving 500 or more individuals) were pursued, but as we mentioned in an earlier article, the OCR announced last summer that it was increasing its efforts in investigating breaches involving 500 or fewer individuals and that these events would be subjected to closer scrutiny by its regional offices. Moreover, a HIPAA compliance review can be triggered by a HIPAA-related complaint filed against a Covered Entity, and filing one is easy for anyone to do.
So, you didn’t get caught in the HIPAA Audit program phase two dragnet, but that doesn’t mean that compliance should not be a top-of-mind concern for you. Here are 7 steps you should take to prepare anyway.
- Formally review your compliance program to ensure that you are in proper alignment with HIPAA and the HITECH Act. Be sure to document what you do, and make any necessary changes to your current policies and procedures.
- Closely related to this is to conduct a formal risk analysis. If you’ve done one in the past, but it has been a while, another analysis is likely prudent. It will help ensure compliance with HIPAA’s administrative, physical, and technical safeguards, and will also help reveal areas where your organization’s protected health information (PHI) could be at risk. You can download the free analysis tool here, and check out the tutorial here.
- List every outside company that helps run your organization and evaluate whether they handle any PHI. Be sure that Business Associate Agreements are in place, and take the time to evaluate their risk of HIPAA breaches as you may still suffer legal consequences for their mistakes.
- Train. Train every new hire. Train when you update policies and procedures. Train at least once per year. Document all of it. Here’s a great article to get you up to speed on training.
- Make sure you have a subject matter expert on staff, or give a staff member specialized training to make them a subject matter expert. This person can be responsible for spearheading the completion of the aforementioned steps, and can be the point person when compliance issues or audits arise.
- Get legal advice or hire a consultant. These support teams can help ensure HIPAA compliance as well as help ensure that a HIPAA compliance review will not result in any fines. In short: peace of mind.
- A final consideration is to ensure that you buy software and technology that will meet HIPAA standards. The last thing you want to do is invest in technology that will set you back in your compliance efforts. You want to move forward. Disclosure management software such as ChartRequest, which streamlines the release-of-information (ROI) workflow, can help you meet HIPAA standards. For instance, many practices feel that simply adding a note in the patient’s chart that says something to the effect of “records were sent to John Smith Law Firm today on this date” fulfills the accounting of disclosures requirement. This is not compliant, and ChartRequest can automate this process to provide an accounting of disclosures which fully meets HIPAA standards (see § 164.528 Accounting of Disclosures of Protected Health Information, and this AHIMA article for more information).
According to the “Overall Cause Analysis” presented by the OCR following Phase 1, the leading cause of non-compliance was unawareness of the requirement. Other causes noted were incomplete implementation and complete disregard. If you are currently being audited, those factors may lead to a HIPAA Compliance Review. However, if you’re not currently being audited, why not make sure that you’re fully informed and fully implementing policies and procedures which conform to current compliance standards? These measures will let you declare, from a different standpoint and with a better-founded confidence, “no audit – no worries.”