Why you shouldn’t panic about the upcoming HIPAA audits
On March 21, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) announced additional HIPAA audits, signifying the beginning of the second phase of the audit program.
Now, before the word “audit” causes you to panic, take a deep breath. Here are several reasons why you should be prepared, but shouldn’t overreact to this news.
- We knew these audits were coming.
This announcement shouldn’t come as a surprise. The OCR completed a pilot program of audits back in 2011 and 2012, with the promise that additional audit programs would happen in upcoming years. And, while the announcement on March 21 signified the beginning of the audits, the OCR actually made an announcement in October 2015 (http://www.natlawreview.com/article/hipaa-phase-2-audits-to-start-early-2016-ocr-states-response-to-oig-recommendations) that phase 2 would begin in early 2016.
- The sample size is extremely small.
According to Healthcare-Informatics.com, 200 audits will be conducted — 150 so-called “desk audits” and 50 on-site audits (http://www.healthcare-informatics.com/article/ocr-ramping-200-hipaa-audits-2016). The OCR website says that any covered entity is eligible, and the agency plans on auditing a wide sampling of the industry — providers, health plans, clearinghouses, and business associates of all sizes. That means that there will be 200 audits conducted … out of more than 3 million covered entities. The odds of being chosen for an audit are remarkably small.
- Corrective action is heavily encouraged.
If your practice or network is chosen for an audit, the immediate fear becomes financial penalties. Will any potential violation result in a huge fine? While the answer can’t absolutely be no, there is a great deal of comfort in a statement made by a former OCR technology advisor.
Adam Greene, currently a law partner at a private practice, said during the PHI Protection Network Conference in Philadelphia in March that the OCR is much more interested in corrective action than financial penalties.
“In over 99 percent of cases where [the OCR] could impose a penalty, they work on voluntary corrective action,” he said (http://www.healthcare-informatics.com/article/ocr-ramping-200-hipaa-audits-2016).
Barbara Holland, the OCR’s Mid-Atlantic regional manager, confirmed this during the same conference, saying that preventative action would be incentivized, especially in common problem areas. Monetary penalties would be most likely for covered entities with “recurring problems.”
In other words, the OCR plans to be as helpful as possible while still having a lower tolerance for repeat offenders.
- You’re already compliant, right?
We’ve already emphasized the importance of maintaining HIPAA compliance within your practice, regardless of size (http://www.duxware.com/duxware-blog-newsletters/121-why-hipaa-compliance-is-an-issue-for-all-practices-regardless-of-size). So, if you haven’t taken the opportunity to monitor your systems and have your documentation in place, now is absolutely the time to do so. Have a plan in place for risk management and complete a breach risk assessment.
Greene also recommends that you make sure your notices on privacy and patient right of access have been updated as well.
So, there’s no reason to panic. Ensure that your systems and documentation are in proper order now. And in the extremely rare chance that an audit happens, be helpful and cooperative and take corrective action if necessary.