With the next round of HIPAA compliance audits on the horizon, physicians should ensure they are prepared for both on-site and off-site privacy investigations.
The Office for Civil Rights (OCR) concluded its first pilot of HIPAA audits in 2012 after reviewing the practices and compliance of 115 health care entities. The assessments included health care providers, health plans, and clearing houses. Round two of the audits, originally scheduled for 2014, is expected to begin in early 2015. The next phase will be based on preaudit surveys of 800 covered entities and 400 business associates of covered entities, according to a May announcement in the Federal Register.
The first wave of HIPAA audits revealed weaknesses in the internal controls and compliance programs of many health care entities, particularly small group practices, said Anna C. Watterson, a Washington-based health information privacy and securities attorney and a former OCR policy analyst. Practices of 10-50 providers (Level 4) made up 41% of findings by the OCR and “struggled” with all three focus areas – breach notification, privacy, and security, according to audit results . Findings were generated only for entities that did not meet audit criteria or had potential compliance violations.
“Small providers generally have struggled more with compliance than other organizations,” Ms. Watterson said in an interview. “It’s largely a resource issue. Having a full HIPAA security program is very resource-intensive.”
Understanding the differences between on and off-site audits and what may be required is key to preparing for inquires, said Ms. Watterson, who spoke about HIPAA audits at the American Health Lawyers Association’s health fraud and compliance forum. Off-site audits refer to documentation requests by phone or electronic means. These audits often are limited in scope and pertain to one or two provisions under HIPAA. On-site audits are frequently more intensive and include visits by federal investigators to the provider’s premises.
It is essential to make certain that all compliance and sanction policies are well documented and to reply to requests in a timely manner, Ms. Watterson said. All documentation must be current as of the request date and cannot be created after the inquiry.
During on-site audits, doctors should be prepared to answer questions and have inquires directed at their staff. For example, HIPAA investigators may ask employees about their HIPAA privacy officer, whether they can bring work laptops home and if so, what privacy safeguards are in place.
“Be prepared for OCR to ask employees about actual practices,” Ms. Watterson said. “It’s something organizations want to think about.”
For the first time, phase 2 of the audits will include business associates. Under the omnibus rule , a business associate is defined as any person or entity that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. The regulation includes patient safety organizations, data transmission organizations, personal health record vendors, entities that transmit and need routine access to PHI, and data storage vendors – paper based and cloud based.
“OCR will be asking all covered entities for a list of their business associates,” Ms. Watterson said. “Vendor management is something organizations should be [considering]. Have they identified all their vendors? Do they have agreements?”
Business-associate agreements should confirm that associates comply with all measures of the Security Rule for electronic PHI and that business associates report any breach of unsecured PHI.
Having an IT consultant or third-party company perform a security risk analysis is one way to address security weaknesses before an audit, Ms. Watterson said. For doctors in smaller practices with fewer resources, the Office of the National Coordinator for Health Information Technology provides a free, downloadable security risk assessment tool . The National Institute of Standards and Technology also has a free HIPAA Security Rule toolkit for health care organizations.
While preparing for a HIPAA audit may seem daunting, physicians within all practice sizes can plan by reviewing and improving compliance one step at a time, Ms. Watterson stressed. “For a lot of organizations, it’s difficult to set aside the time and resources to just look at all of the compliance. Providers need to prioritize and take a few things that they can tackle” at a time.
On Twitter @legal_med
