With the first round of HIPPA Audits behind us, the Office of Civil Rights (OCR) indicated back in March that it would finally launch the long-awaited round 2 of HIPAA audits in 2016. As we near the end of the year and start preparing for the Merit Based Incentive Payment System, physicians and practices must also be preparing for the next phase of HIPAA audits expected to take place in early 2017.
The Audit Mandate
As an extension of the HITECH Act, which became effective on February 18, 2009, the audit mandate exposed health care providers that must adhere to HIPAA regulations to the possibility of being audited for compliance to privacy, security and breach notifications. The second round of HIPAA audits will measure the degree to which not only practices, but also covered entities such as health care providers and insurance companies, in addition to their business partners and associates are in compliance with the above HIPAA rules and regulations.
Audits are done in order to further enforce regulations to ensure that practices are remaining fully compliant. HIPAA compliance is extremely important to enforce, due to the delicacy with which Protected Health Information (PHI) is needs to be handled. Therefore; the audits become a tool for maintaining privacy of such information, and ensuring that the right policies are put into place to continue to protect this sensitive data.
While it is clearly important to remain compliant so as to avoid penalties for failing to adhere to HIPAA regulations, it is equally as important to understand the value of keeping private health care information secure. With so many threats to patient information in this age of technology, it has become extremely difficult to safeguard against identity theft and other threats to PHI.
The Ponemon Institute released its fifth annual study on medical identity theft earlier this year which states, "The majority of medical identity theft victims will find themselves paying around $13,500 to resolve their identity theft-related issues (in payments to insurance companies, providers, and obtaining legal counsel and access to identity service providers.)" Not only is your sensitive and private health information at risk, but a data breach can also result in a host of financial issues as well.
For this reason, OCR isn't the only one paying attention to how well you're protecting PHI. Your patients are making decisions about where to go for health care based on your performance in these areas as well, so it's in your best interest to work on improving your HIPAA compliance procedures on every level.
Here are some ways to be prepared for future audits that are inevitably coming down the pike:
In many cases, the second round of audits will be done off-site, and you will be expected to prove your practice's compliance by way of written documentation such as training procedures, memos, and a list of staff duties and policies. Therefore, it will be important to review existing documentation to ensure it is accurate, up-to-date, noted with a history of implementation, and easy for auditors to follow. The less you have to verbally explain and/or provide additional backup for, the easier the whole process will be.
Because the second round of audits is centered around business associate compliance, you will need to have a good understanding of the business associates your practice works with regularly. In addition, you should be able to describe how PHI is communicated between your practice and business associates on a regular basis in compliance with HIPAA regulations.
Although it's important to enforce HIPAA compliance at any time, it is especially important to reiterate the importance of compliance to your staff at this time. Remind everyone who handles PHI of how to safely work with sensitive patient health data, and the importance of following practice policies. The more HIPAA regulations are enforced, discussed, and training resources are provided, the more likely your operations are to be in 100% compliance.
PHI is at a high risk when emailed, whether internally or externally. If you don't need to send sensitive patient data to a business associate over email, then don't. Encourage staff members to limit email transmission of PHI whenever possible.
Even when all HIPAA regulations are adhered to, PHI is still at risk whenever stored in an online database or transmitted via email. By maintaining up-to-date security software and ensuring that all computers and additional data storage hardware are protected by anti-virus applications, you can limit the risk to your patient PHI.
In the event of an audit, OCR will request specifically what they need to review. By sharing only what is requested and nothing more, you will avoid any possible confusion and/or cause for a more detailed and in-depth audit of your practice's HIPAA polices.
The next and last phase is currently scheduled for 2017, and promises to be centered around facility access control, encryption and decryption of sensitive data, and additional high-risk areas that have not yet been specified.
By following compliance procedures and continually preparing for each phase of HIPAA audits, your practice can move smoothly through the process with minimal challenges.
Subscribe to blog updates below and stay tuned for more blog posts surrounding HIPAA audits and how you can best prepare your practice.