HIPAA Audits 2015
Auditing is to Increase; Increased Contractors; Business Associates at Risk
By: Brian L Tuttle, CHP, CHA, CPHIT, CBRA, CCNA, CISSP
Well D-Day in the Health Insurance Portability and Accountability Act (HIPAA) world (September 23, 2013) has come and gone and we are all still here, the world hasn’t ended, the Feds still haven’t kicked down your doors demanding to comb over your practice or business……yet. As of now the Federal government has a heavy workload in terms of who, what, when, and where will be affected by their new enforcement efforts. Their progress was stunted a bit by the recent government shut down, but as of this writing (November 14, 2013) they are back in business.
As you may or may not know, the enforcement wing of the U.S. Department of Health and Human Services (HHS), which is the Office of Civil Rights (OCR), began a pilot campaign of audits in the summer of 2012. This pilot campaign is to become a full time heavily enforced effort with many more facets involved. Based upon the findings there are many areas that need to be addressed chiefly dealing with the HIPAA Security Rule (65% of fines levied) in comparison with the HIPAA Privacy Rule (26% of fines levied) and the Breach Notification Rule (9% of fines levied). Going forward the OCR plans to evolve this process and give sharp teeth to what’s already going on. Originally the law firm KPMG was given the contract to conduct these pilot audits. According to HHS, the government plans to bring in many more firms (and subcontractors of those firms) to enforce and audit. Leon Rodriguez, director for OCR, stated at the HIMSS Privacy and Security Forum in Boston on September 23, 2013 “We hope to be off and running in the next calendar year.” Additionally, Mr. Rodriguez stated that OCR “will leverage more civil penalties” but more concerning is that fines levied are expected to pay for the audit program and be a revenue generating process for the Feds.
Why the delay? The Federal Government appears to be a little overwhelmed with the task at hand especially with the influx of over 5 million business associates now in the fray with the omnibus changes of September 23, 2013 (hence why they are aggressively ramping up their enforcement efforts and their own training). According to Rachael Seeger, spokesperson for the Office of Civil Rights, she states: “For OCR, September 23rd is business as usual as we have not paused in our compliance efforts. We will, however, begin looking at investigations in a post-omnibus era (September 23, 2013) with a new lens with respect to compliance responsibilities of covered entities and now business associate liability”. No specifics were given in the particular quote but based upon information from the pilot program (and true enforcement is guaranteed to be much more vigorous) the audits should be similar to that used by OSHA. For example: In the past, with HIPAA you were only fined for a reported complaint or a blatant wrongful disclosure. Now it appears you will be fined for not having proper protocols and policies in place to prevent a possible “future” wrongful disclosure. Think of it in terms of OSHA. If a wire is lying on the ground but no one has yet tripped over it, you would be fined. Same concept will be in place with HIPAA.
Let’s not kid ourselves folks I’m going to call a spade a spade here. One doesn’t have to be a news junkie to know that our government is broke and healthcare is a sinking ship hemorrhaging cash that’s just not there. One way for the Feds to mitigate their losses is to quickly ramp up the enforcement of HIPAA and start rendering massive fines upon covered entities (health care providers, health plans, and clearinghouses) and NOW 5 million business associates (those doing business with covered entities and privy to protected health information). That’s exactly what appears to be happening. In the government’s defense, they have been saying for years that this confusing, not very well explained enigma known as “HIPAA” be fully operational at your practice or business. And of course ignorance of the law is never an excuse.
Scared yet? What can you do? The absolute #1 thing you need to do for your practice or business (if you qualify as a business associate) is a Risk Analysis. The lack of a Risk Analysis was the #1 area of non-compliance based upon the findings of the pilot audit program the Feds began back in 2012. This followed closely by lack of written policies consistent with your business, lack of proper system auditing, lack of staff training, and a non-existent contingency plan. Based upon conducting over 300 national HIPAA audits I find the same to be true. It’s not enough to do a risk analysis on just one part of HIPAA, you need to dot your i’s and cross your t’s for all of it. The assessment should cover every facet of the rule and written policies need to be in place for every single implementation specification of the rule. Even aspects that aren’t required must still have a written policy in place indicating why you “don’t” need to implement. I know. Such a pain but doable.
In conclusion we are now in a new world in terms of healthcare. It’s getting more difficult to conduct a business and especially a medical practice under more and more burdensome regulations. But it’s not anything that cannot be worked through with some extra due diligence and entrepreneurial spirit that made this country what it is.
If you have any questions please feel free to email me directly at: brian.tuttle@ingaguehsi.com