Are Your Privacy Practices Fully Compliant? HIPAA Audits are Here
December 28, 2011 by rliles
Filed under Compliance, Featured, Health Law Articles
(December 28, 2011)
I. Introduction:
The Office of Civil Rights (OCR), an agency of the Department of Health and Human Services (HHS), is the central organization responsible for enforcing compliance with the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). As OCR’s website reflects, the agency:
“. . . [I]nvestigates complaints, enforces rights, and promulgates regulations, develops policy and provides technical assistance and public education to ensure understanding of and compliance with non-discrimination and health information privacy laws.”
II. Development of HIPAA Audits and Protocols:
After witnessing the effectiveness of Medicare contractors in identifying and recovering improper payments, Congress chose to include a similar compliance measure for HIPAA privacy as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009. Under HITECH, HHS and OCR were mandated to create an auditing program designed to help ensure that covered entities and their business associates were meeting HIPAA Security and Privacy Rule requirements.
In response, OCR contracted with a large, nationally recognized government contractor last year to develop and assess several HIPAA auditing methodologies for possible implementation. While that assessment was reportedly completed in August 2010, neither the contractor’s report nor the specific method chosen to conduct the upcoming audits has been publicly disclosed.
III. Timeframe of Initial HIPAA Audits:
In July and August 2011, OCR and the contractor worked to develop their initial audit protocols and the standards against which provider compliance would be assessed. A national accounting firm was selected to conduct these HIPAA audits in September 2011. Initially, the auditors are expected to examine only a few providers in order to test the audit protocols and standards that have been developed. Once the accounting contractor documents its initial observations, OCR will work with the contractors to modify the protocols as necessary. This is expected to occur during the first quarter of 2012. Starting in May 2012, the remaining initial HIPAA audits are anticipated to be conducted.
Importantly, neither OCR nor its contractors have indicated that there are any limits in terms of the size and/or types of providers to be audited. Physicians, practice groups, home health agencies and other small to mid-sized providers should not expect audits to be conducted solely on hospitals and other large institutional providers. At this time, all providers are eligible to be subject to audit. Furthermore, you can expect that once the HIPAA audit demonstration project is completed, Congress will more than likely make it permanent and expand the scope of the audit program.
IV. Recommendations for Effective HIPAA Compliance:
If you have not already done so, now is the time to ensure that your practice remains fully compliant with HIPAA and HITECH requirements. Auditors will primarily be looking for compliance with the HIPAA Privacy and Security Rules. You should also expect them to examine the security of your electronic transmissions and physical security safeguards. Additional areas of inquiry are likely to include whether business associate relationships are being properly handled and whether or not providers are fully documenting each person who accesses a medical record so that patients may be given an accurate accounting of such information.
All providers, regardless of size, should have an effective HIPAA privacy policy as part of their overall Compliance Program. As with other compliance measures, it should be specifically tailored to address the needs of your organization, along with any unique risks faced by your practice. A “sample” policy downloaded from the Internet, unfortunately, will not suffice. When developing a HIPAA privacy policy, be sure to keep in mind the four “scalability” factors set out in the Code of Federal Regulations in analyzing a provider’s compliance with the Security Rule:
- The size, complexity, and capabilities of the covered entity;
- The covered entity’s technical infrastructure, hardware, and software security capabilities;
- The cost of security measures; and
- The probability and criticality of potential risks to electronic protected health information. 45 CFR 164.306(b)(2).
While small providers may desire to implement only the “basic” requirements, they must be careful to ensure that each of the Privacy Rule’s provisions is fully met. All providers, regardless of size, must utilize reasonable safeguards to protect paper, electronic and oral transmissions of protected health information.
Liles Parker attorneys have extensive experience in compliance matters, including HIPAA privacy requirements. Our team can assist your practice with gap analyses, mock audits and other reviews designed to help you better comply with applicable statutory and regulatory requirements. For a free consultation, call us today at 1 (800) 475-1906.
A Virginia Physician Who Wrongfully Disclosed Patient Health Information is Being Prosecuted by the Feds
June 24, 2011 by admin
Filed under Featured, Health Law Articles
(June 24, 2011): Physicians and other health care providers should take care — improperly disclosing a patient’s protected individual health information could land you in Federal prison. Earlier this week, a Virginia osteopath was indicted in the Eastern District of Virginia on charges that he illegally disclosed a former patient’s health information to the patient’s employer.
The Virginia physician was indicted by a Federal Grand Jury for the wrongful disclosure of individually identifiable health information under the Health Insurance Portability and Accountability Act (HIPAA). The physician reportedly faces a maximum of five years imprisonment if convicted.
According to the indictment, the physician practiced osteopathic medicine and served as Medical Director at a Virginia psychiatric care facility. The physician is alleged to have provided inpatient mental health treatment to a patient in 2007. As set out in a discharge summary from 2008, the physician indicated that the patient was not considered a danger to others. Nevertheless, on three separate occasions in February 2008, the physician allegedly disclosed, without any authorization, the patient’s individually identifiable health information to an agent of the patient’s employer. In these unauthorized disclosures, the physician falsely indicated that the patient was a serious and imminent threat to the safety of the public, when he allegedly knew that the patient was not such a threat.
Commentary: As this case shows, the Federal government is quite serious about health information privacy. It is essential that health care providers take affirmative steps to ensure that all of their staff – including physicians – are cognizant of both applicable statutory and regulatory requirements and their associated obligations with respect to protected health information. Effective training on HIPAA, HITECH and the restrictions governing disclosure should represent an important component of each provider’s Compliance Plan.
Liles Parker attorneys have extensive experience representing physicians and other health care professionals in government investigations and disciplinary actions. Our attorneys are also knowledgeable regarding HIPAA, HITECH and provider obligations under these statutes. Need assistance? Call us for a complimentary initial consultation. We can be reached at: 1 (800) 475-1006.
HHS-ONC Names EHR “Authorized Testing and Certification Bodies”
September 1, 2010 by admin
Filed under Health Law Articles
(September 1, 2010): Earlier this week, the Office of the National Coordinator for Health Information Technology (ONC), an organization within the Office of the Secretary of the Department of Health and Human Services (HHS), named two entities as “Authorized Testing and Certification Bodies.” They are:
- The Certification Commission for Health Information Technology (CCHIT), Chicago, Illinois; and
- Drummond Group Inc. (DGI), Austin, Texas.
These entities are the first technology review bodies that have been authorized to test and certify electronic health record (EHR) systems for compliance with the standards and certification criteria that were issued by HHS earlier this year.
As HHS’ Press Release reflects:
“Certification of EHRs is part of a broad initiative undertaken by Congress and President Obama under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was part of the American Recovery and Reinvestment Act (ARRA) of 2009. HITECH created new incentive payment programs to help health providers as they transition from paper-based medical records to EHRs. Incentive payments totaling as much as $27 billion may be made under the program. Individual physicians and other eligible professionals can receive up to $44,000 through Medicare and almost $64,000 through Medicaid. Hospitals can receive millions.
To qualify for the incentive payments, providers must not only adopt, but also demonstrate meaningful use of, certified EHR systems. The law envisions that defined meaningful use requirements will help ensure that the patient and provider benefits of EHRs are realized. Initial meaningful use criteria were defined in a final rule issued by the Centers for Medicare & Medicaid Services (CMS) on July 28.”
With these appointments, EHR vendors will be able to have their programs certified as meeting the criteria that support the “Meaningful Use” requirements now in effect.
Should you have questions regarding these or other health law issues, you should contact your attorney or feel free to call one of the attorneys at Liles Parker. For a free initial consultation, call: 1 (800) 475-1906.