Be prepared for HIPAA audits!

The Office for Civil Rights (OCR) is looking to audit providers of all sizes and in all parts of the country — so be prepared! HIPAA compliance is something they are taking very seriously.

OCR’s senior advisor for health information privacy, Linda Sanches, told attendees at the recent HIMSS Media and Healthcare IT News Privacy and Security Forum that her best piece of advice about preparing for audits is to actually be in compliance and to conduct a comprehensive risk analysis. “If you don’t do a periodic risk analysis,” Sanches explained, “you won’t know where you stand.”

Though it comes across as somewhat obvious, many healthcare organizations are still pondering whether they really need to conduct a risk analysis before an audit, or whether it makes more sense to wait. Sanches acknowledged that performing such an analysis requires heavy lifting, but said it is better to have one in hand than to scramble and pull it together come audit time. She added that when deciding whether to audit a provider or investigate a reported breach, OCR looks for patterns. If the office receives information that a given provider has had several similar breaches and appears not to be doing anything about them, that kind of evidence, suggesting the provider is not in compliance or does not have proper procedures in place, weighs heavily in OCR’s decision as to whom to audit or investigate and, subsequently, how much to fine.

“The onus is on you to prove you had the proper systems in place,” Sanches explained. “If you did a comprehensive risk analysis and took the necessary steps, that’s what you need to show us.” Organizations that fail to do the proper analysis are susceptible not only to investigations but also to settlement fines, which range from perhaps $215,000 on the low end right up into the millions of dollars.

Many industry observers are curious as to how the recent Community Health Systems breach, involving some 4.5 million patient records, will play out in terms of a fine. The factors that determine the size of a fine are laid out in OCR’s rule, Sanches said, including how much harm was done and how many provisions were violated. “The sky is not the limit,” Sanches said of fine totals. “It’s basic math. How many people were affected?”

How many covered entities and business associates does OCR intend to audit — and when will it all begin? OCR originally planned to conduct 400 desk audits and “a large number of on-site audits,” Sanches said. Now they’re looking at “fewer than 200 desk audits,” and she didn’t confirm a specific number of on-site audits for covered entities, but another wave of business associate audits will follow those. As for when OCR will kick off the audits? The announcement should be coming soon. “Stay tuned,” she said.