Compliance

HIPAA Audits Now a Reality

Federal regulators on Monday launched a new round of audits to gauge compliance with patient privacy provisions of the Health Insurance Portability and Accountability Act.

The launch is starting off with emails to so-called covered entities — health care providers, insurance plans and clearinghouses — and to business associates that handle patient information on behalf of those entities. The emails will simply ask recipients to verify their contact information, after which they will receive a “preaudit questionnaire” seeking details on their business size and operations.

From there, the Office for Civil Rights at the U.S. Department of Health and Human Services will create a log of audit targets. The log will be created “in coming months” and will “represent a wide range of health care providers, health plans, health care clearinghouses and business associates,” the OCR stated.

If an audit turns up a “serious compliance issue,” the OCR said, further investigation may occur, which could trigger financial penalties and a formal agreement to improve HIPAA compliance.

More broadly, the agency said that it will use its findings to develop new guidance and policies to strengthen adherence to the HIPAA rules that safeguard the confidentiality of so-called protected health information.

It was not immediately clear how many audits the OCR intends to conduct. The agency did say that most of the reviews will be remote “desk audits,” although some in-person audits will take place. All the desk audits will be finished by the end of 2016, according to the OCR.

The OCR had performed pilot audits in 2012, but funding for further inquiries dried up. As a result, the agency has relied on tips and disclosures of breaches to police HIPAA compliance. That has given the agency plenty of material, but government watchdogs have still criticized the lack of proactive oversight.

On Monday the OCR promised to release its audit protocols — instructions on how audits are conducted — later this year, when the agency is closer to actually performing the audits. The protocols are being updated to reflect policies in a 2013 final rule that expanded HIPAA’s reach.

Companies selected for an audit will receive a detailed overview of the audit process and an outline of their obligations, according to the OCR. Generally, companies will have 10 business days to submit the requested information, and the OCR will then review the information and respond with its findings. Companies will then have a chance to respond to the findings before a final audit report is completed.
 
Notification from OCR on March 21, 2016
As a part of its continued efforts to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun its next phase of audits of covered entities and their business associates.  Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews.  These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).
 
In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.
 
The 2016 audit process begins with verification of an entity’s address and contact information.  An email is being sent to covered entities and business associates requesting that contact information be provided to OCR in a timely manner.  OCR will then transmit a pre-audit questionnaire to gather data about the size, type, and operations of potential auditees; this data will be used with other information to create potential audit subject pools.
 
If an entity does not respond to OCR’s request to verify its contact information or pre-audit questionnaire, OCR will use publicly available information about the entity to create its audit subject pool.  Therefore an entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.  Communications from OCR will be sent via email and may be incorrectly classified as spam.  If your entity’s spam filtering and virus protection are automatically enabled, we expect entities to check their junk or spam email folder for emails from OCR.
 
The audit program is developing on pace and OCR is committed to transparency about the process.  OCR will post updated audit protocols on its website closer to conducting the 2016 audits.  The audit protocol will be updated to reflect the HIPAA Omnibus Rulemaking and can be used as a tool by organizations to conduct their own internal self-audits as part of their HIPAA compliance activities.
 
OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits.  Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.  We will evaluate the results and procedures used in our phase 2 audits to develop our permanent audit program.
 
To learn more about OCR’s Phase 2 Audit program, please visit our website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.
 
Follow OCR on Twitter at http://twitter.com/HHSOCR.

AMA Suggesting You Report Payers

Are any of your payers not accepting the 2013 CPT codes? Some payers may not be prepared to accept the new CPT codes.  We have noticed this with payers dealing with psychiatric codes because the AMA deleted all the old psychiatric codes and added new ones along with add-on codes.  This is presenting a challenge for many payers that deal with mental health.


HIPAA Settlement of $4.8 Million Due to Data Breach

The monetary payments of $4,800,000 in these cases include the largest HIPAA settlement to date. Two health care organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients' electronic protected health information (ePHI) held on their network.


Is Your Practice HIPAA Safe?

In the prior decade, most data breaches were caused by human error (such as lost devices or records being exposed in insecure ways). Now, breaches have become more targeted and sophisticated with a large and growing number of breaches being caused by hackers and cyber criminals. Because data can now reside in multiple locations, including unsecured smartphones, laptops and tablets, and can be transported to an infinite number of locations, thieves have more areas to target. Most experts agree that the problem of data breaches will get worse before it gets better, with breaches expected to become not only more frequent, but also more severe.


Stolen Laptops Lead to Important HIPAA Settlements

Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.  These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.