Liles Parker PLLC

HIPAA Audit Protocols are Here. Are Your Privacy Practices Fully Compliant?

HIPAA Audit Protocols Have Been Announced (December 28, 2011): The Office for Civil Rights (OCR), an agency of the Department of Health and Human Services (HHS), is the central organization responsible for enforcing compliance with the Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA). As OCR’s website reflects, the agency:

“. . . [I]nvestigates complaints, enforces rights, and promulgates regulations, develops policy and provides technical assistance and public education to ensure understanding of and compliance with non-discrimination and health information privacy laws.”

I.  Development of HIPAA Audit Protocols:

After witnessing the effectiveness of Medicare contractors in identifying and recovering improper payments, Congress chose to include a similar compliance measure for HIPAA privacy as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed in 2009. Under HITECH, HHS and OCR were mandated to create HIPAA audit protocols designed to help ensure that covered entities and their business associates were meeting HIPAA Security and Privacy Rule requirements.

In response, OCR contracted with a large nationally-recognized government contractor last year to develop and assess several HIPAA audit protocols and auditing methodologies for possible implementation. While that assessment was reportedly completed in August 2010, neither the contractor’s report nor the specific method chosen to conduct the upcoming audits has been publicly disclosed.

II.  Timeframe of Initial HIPAA Audits:

In July and August 2011, OCR and the contractor worked to develop their initial HIPAA audit protocols and the standards against which provider compliance would be assessed. A national accounting firm was selected in September 2011 to conduct these HIPAA audits. Initially, the firm is expected to examine only a few providers in order to test the HIPAA audit protocols and standards that have been developed. Once the accounting contractor documents its initial observations, OCR will work with the contractors to modify the HIPAA audit protocols as necessary. This is expected to occur during the first quarter of 2012. Starting in May 2012, the remaining initial HIPAA audits are anticipated to be conducted.

Importantly, neither OCR nor its contractors have indicated that there are any limits on the size or types of providers to be audited. Physicians, practice groups, home health agencies and other small to mid-sized providers should not expect audits to be conducted solely on hospitals and other large institutional providers. At this time, all providers are eligible to be subject to audit. Furthermore, you can expect that once the HIPAA audit demonstration project is completed, Congress will more than likely make it permanent and expand the scope of the audit program.

III.  Recommendations for Effective HIPAA Compliance:

If you have not already done so, now is the time to ensure that your practice remains fully compliant with HIPAA and HITECH requirements. Auditors will primarily be looking for compliance with the HIPAA Privacy and Security Rules. You should also expect them to examine the security of your electronic transmissions and your physical security safeguards. Additional areas of inquiry are likely to include whether business associate relationships are being properly handled and whether providers are fully documenting each person who accesses a medical record, so that patients can be given an accurate accounting of such access.

All providers, regardless of size, should have an effective HIPAA privacy policy as part of their overall Compliance Program. As with other compliance measures, it should be specifically tailored to address the needs of your organization, along with any unique risks faced by your practice. A “sample” policy downloaded from the Internet, unfortunately, will not suffice. When developing a HIPAA privacy policy, keep in mind the four “scalability” factors that the Code of Federal Regulations sets out for analyzing a provider’s compliance with the Security Rule:

  • The size, complexity, and capabilities of the covered entity;
  • The covered entity’s technical infrastructure, hardware, and software security capabilities;
  • The cost of security measures; and
  • The probability and criticality of potential risks to electronic protected health information.

(45 CFR 164.306(b)(2).)

While small providers may wish to implement only the “basic” requirements, they must be careful to ensure that each of the Privacy Rule’s provisions is fully met. All providers, regardless of size, must use reasonable safeguards to protect paper, electronic and oral transmissions of protected health information.

Liles Parker attorneys have extensive experience in compliance matters, including HIPAA privacy requirements. Our team can assist your practice with GAP Analyses, mock audits and other reviews designed to help you better comply with applicable statutory and regulatory requirements. For a free consultation, call us today at 1 (800) 475-1906.
