The word is finally out from the Office of Civil Rights (OCR) that, following recommendations of stronger HIPAA oversight of the Privacy, Security and Breach Notification Rules, it will begin the second phase of compliance audits early in 2016. While the exact dates are still unknown, no further delays are expected, according to OCR Director Jocelyn Samuels. This time around, not only covered entities but their business associates, such as software and other vendors, are targeted for compliance.
The Department of Human Services Office of Inspector General (OIG) criticized the numerous OCR inconsistencies of enforcement of existing HIPAA violations, noting that in the absence of a stronger audit program for compliance identification and enforcement, the OCR will be unable to correctly identify those entities and their Business Associates which are non compliant.
Among the OIG’s recommendations for improvement in OCR programs:
- Create and completely implement a permanent auditing program
- Improve the documentation of corrective actions required
- Develop policies requiring OCR staffers to check to see whether any covered entities have been investigated previously
- Improve system efficiency in searching for and tracking covered cases
- Expand education and outreach programs for covered entities
What will the expanded audit program be looking for?
- Business associates of covered entities will be subject to the same privacy security safeguards as the entities themselves.
- While the number of audits will increase, the Phase 2 audits are expected to consist of more “desk reviews” rather than the actual site visits of previous phases. In addition to previously identified areas of noncompliance from the first phase, these reviews will be checking documents and will attempt to identify whether the covered entities understand and actively utilize the HIPAA Rules.
- Thanks to expected OCR improvements in documenting and tracking cases, previous violators and others seemed to have system compliance issues can probably expect an on-site visit from auditors.
- Current estimates by the OCR put the expected number of audits at around 400; the actual number of audits will depend on budgetary constraints which are not expected to improve over the next few months. Consequently, enforcement of identified HIPAA violations will likely remain restricted.
- Following the end of the pilot audits, HIPAA-covered entities have already had three years to update their safeguards to security and privacy. Any current violations of HIPAA regulations will therefore be viewed by the OCR as wilful neglect and can result in heavy fines levied against the violators. This does not bode well for those practices and other entities which have just recently become HIPAA-compliant, as they can expect to be held accountable for any past data breaches or other failures to protect patient privacy.
How can organizations prepare for the coming audits?
For those newly-compliant, be aware that you may be held liable for previous lapses in data security. That said, regardless of past compliance status, organizations and their business associates should lose no time ensuring that the required HIPAA documentation procedures are in place and correctly applied. Because time is of the essence it is critical to quickly identify and address any gaps in compliance before the auditors find them.
If your practice or organization is uncertain about how to proceed or what to look for in determining HIPAA compliance, consider using the services of an experienced medical practice management company. M-Scribe Technologies, LLC, has been helping practices regardless of specialty or size with their audit compliance as well as billing, coding and revenue management since 2003.
Contact M-Scribe’s experienced consultants at email@example.com or call 888-727-4264 for a free analysis of your practice’s needs and learn how our experienced and dedicated staff can help ensure that your organization is fully compliant with all HIPAA Privacy, Security and Breach Notification Rules.