Early 2016 heralds Phase 2 of the Office for Civil Rights (OCR) HIPAA auditing program, according to the National Law Review. Covered entities will be scrutinized for their measures to protect patients’ privacy and security, and to fulfill breach notification requirements when necessary.
But are medical providers ready? According to a study conducted by the Daniel Brown Law Group, NueMD and Porter Research, not really.
Sixty-six percent of respondents didn’t even know the HIPAA audits were happening. But ignorance of the law will be no defense if they’re found in violation. Fines range from $100 to $50,000 per violation, maxing out at $1.5 million annually.
Why so tough?
The Department of Health and Human Services Office of the Inspector General published a report in September 2015 recommending that the OCR strengthen its oversight of covered entities. The report claimed OCR had a reactive style of only investigating after receiving complaints, a subpar system for tracking past complaints, and insufficient follow-up on whether covered entities took corrective measures after being found non-compliant.
The report suggested that OCR take the following five measures:
- fully implement a permanent audit program
- maintain complete documentation of corrective action
- develop an efficient method in its case-tracking system to search for and track covered entities
- develop a policy requiring OCR staff to check whether covered entities have been previously investigated
- continue to expand outreach and education efforts to covered entities
This report set the stage for a fresh round of HIPAA audits.
How should a medical practice prepare?
To prepare for an audit, medical practices should perform a thorough risk analysis and ensure they have a disaster recovery (DR) plan in place. This involves examining the physical, technical and administrative safeguards that guard patient health information. Examples of physical safeguards are alarms, two-factor authentication for gaining access to PHI and ePHI, and careful control of paperwork. Administrative safeguards include training the workforce about compliance procedures and documentation, and making sure HIPAA policies and procedures are adopted at all levels. Technical safeguards focus on authentication, secure transmission of patient health information through encryption, and protection of data against corruption. Covered entities also need a plan for handling any security breach in a HIPAA-compliant fashion. Vulnerabilities uncovered during the risk assessment must be addressed immediately.
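Two of the technical safeguards named above, protecting stored ePHI against undetected corruption and keeping documentation of who accessed what, can be demonstrated with a small integrity check. The following is an added example, not code from the original post or from CoreSpace; it uses only the Python standard library, and the key, record fields and access events are constructed for the demo. Each record is sealed with an HMAC-SHA256 tag so any silent change is detected on read, and access events go into a hash-chained audit log so a deleted or edited entry breaks the chain.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load this from a KMS or HSM.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _canonical(obj: dict) -> bytes:
    """Serialize deterministically so identical content always yields the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Attach an HMAC-SHA256 integrity tag to an ePHI record before storage."""
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_record(sealed: dict, key: bytes = DEMO_KEY) -> bool:
    """Return True only if the stored record still matches its tag (no corruption or tampering)."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag through timing differences.
    return hmac.compare_digest(expected, sealed["tag"])


class AuditLog:
    """Tamper-evident access log: each entry's tag covers the previous entry's tag."""

    GENESIS = "0" * 64  # tag value assumed for the entry before the first one

    def __init__(self, key: bytes = DEMO_KEY):
        self.key = key
        self.entries = []

    def _tag(self, prev_tag: str, event: dict) -> str:
        return hmac.new(self.key, prev_tag.encode() + _canonical(event), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        self.entries.append({"event": event, "prev": prev, "tag": self._tag(prev, event)})

    def verify_chain(self) -> bool:
        """Walk the chain from the first entry; any edited, removed or reordered entry fails."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            if not hmac.compare_digest(entry["tag"], self._tag(entry["prev"], entry["event"])):
                return False
            prev = entry["tag"]
        return True


if __name__ == "__main__":
    # Constructed sample ePHI record and access events.
    sealed = seal_record({"patient_id": "P-0001", "diagnosis_code": "J45.909"})
    print("stored record intact:", verify_record(sealed))

    corrupted = {"record": dict(sealed["record"], diagnosis_code="E11.9"), "tag": sealed["tag"]}
    print("corrupted record detected:", not verify_record(corrupted))

    log = AuditLog()
    log.append({"user": "nurse01", "action": "read", "patient_id": "P-0001"})
    log.append({"user": "dr_smith", "action": "update", "patient_id": "P-0001"})
    print("audit chain intact:", log.verify_chain())
    log.entries[0]["event"]["user"] = "someone_else"
    print("audit chain edit detected:", not log.verify_chain())
```

The audit log shows the principle rather than a full solution: in practice the chain head would be anchored somewhere the application cannot rewrite (a write-once store or a separate logging service), since whoever holds the key can rebuild the chain.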
Risk analysis also extends to business associates. Make sure all business associate agreements are current. If your business associates fail to protect patient health information, you could both be liable. Grill your business associates about their compliance knowledge and adherence. At CoreSpace, we have a long list of HIPAA compliant features to ensure we sustain the highest level of HIPAA compliance for your secure environment.
Be sure to partner with business associates who have a proven track record in HIPAA compliance. At CoreSpace, we’re highly experienced in HIPAA compliance and protecting sensitive data. Our long list of physical and technical safeguards keeps health information as private as it should be.
Call CoreSpace today for help with your HIPAA compliance efforts.