By Mike Semel
Twitter: @SemelConsulting
HIPAA Audits Have Begun. Will Your Business Associates Cause You to Fail?
The Office for Civil Rights (OCR) announced that the new permanent audit program has started. On July 11 letters were sent BY E-MAIL (check your junk mail folders!) to 167 health plans, health care providers, and health care clearing houses (all HIPAA Covered Entities) notifying them that they have to send in documentation for a ‘desk audit.’ They will have 10 days to send in the required materials for review. Of the 176 potential audit items the first covered entities will have to provide documentation proving their compliance with the following 7 HIPAA sections:
Requirements Selected for Desk Audit Review
- Privacy Rule
- Notice of Privacy Practices & Content Requirements [§164.520(a)(1) & (b)(1)]
- Provision of Notice – Electronic Notice [§164.520(c)(3)]
- Right to Access [§164.524(a)(1), (b)(1), (b)(2), (c)(2), (c)(3), (c)(4), (d)(1), (d)(3)]
- Breach Notification Rule
- Timeliness of Notification [§164.404(b)]
- Content of Notification [§164.404(c)(1)]
- Security Rule
- Security Management Process — Risk Analysis [§164.308(a)(1)(ii)(A)]
It’s not surprising that the audits are looking for compliance across all of HIPAA’s rules.
Privacy Rule
Considering the fact that the federal government believes privacy and confidentiality are basic CIVIL RIGHTS, the focus on the Notice of Privacy Practices (NPP) and how you handle medical records requests is expected. Many practices are still using old NPP’s and following outdated processes that were changed in the 2013 HIPAA Omnibus Final Rule. Many practices still do not have their NPP prominently displayed on their website. The fastest way to fix this is to adopt the free Model Notice of Privacy Practices available here.
Breach Notification Rule
Many practices claim they have never had a breach, which in my experience is impossible, because we always hear stories about a patient being handed another patient’s record; someone mailing a bill to the wrong person; or lab results getting mixed up. Even the breach of one patient’s information requires that they be notified, within time limits, and a report be sent to the Office for Civil Rights. The audits are looking for evidence of compliance, or preparation, showing that you have documented a process to notify patients and have a notification document prepared.
Security Rule
Least surprising of the audit items is the Risk Analysis and Risk Management Process. After 11 years I am still amazed that medical practices don’t take the Risk Analysis seriously. Many think they don’t have to do one or they can do it themselves using checklists and online tools. Some had one done years ago and it sits on a shelf. Some keep up with regular reports but never fix the problems. Worse, the evidence we develop shows that many practices that believe they are secure and compliant are not, because their IT staff or provider is not ensuring that security tools are all working.
Business Associates
Even if you think you are prepared, are your Business Associates?
The OCR announcement said that “Desk audits of business associates will follow this fall.” If you are audited then your Business Associates may also be audited. That’s really scary, considering how few Business Associates have any idea what to do.
If you don’t think this is serious just look at some recent fines related to Business Associates.
- A medical practice paid $ 750,000 for sharing patient information with a vendor without having a Business Associate Agreement in place.
- A hospital paid $ 1.55 million for sharing patient information with a vendor without having a Business Associate Agreement in place, after the vendor breached patient records.
- And, for the first time, a Business Associate paid an OCR penalty – $ 650,000 for breaching just 412 patient records when it lost an iPhone.
This article was originally published on Semel Consulting and is republished here with permission.