With the next round of HIPAA compliance audits on the horizon, clinicians should ensure they are prepared for both on-site and off-site privacy investigations.
The Office for Civil Rights (OCR) concluded its first pilot of HIPAA audits in 2012 after reviewing the practices and compliance of 115 health care entities. The assessments included health care providers, health plans, and clearinghouses. Round two of the audits, originally scheduled for 2014, is expected to begin in early 2015. The next phase will be based on preaudit surveys of 800 covered entities and 400 business associates of covered entities, according to a May announcement in the Federal Register.
The first wave of HIPAA audits revealed weaknesses in the internal controls and compliance programs of many health care entities, particularly small group practices, said Anna C. Watterson, a Washington-based health information privacy and security attorney and a former OCR policy analyst. Practices of 10-50 providers (Level 4) made up 41% of findings by the OCR and “struggled” with all three focus areas – breach notification, privacy, and security, according to audit results. Findings were generated only for entities that did not meet audit criteria or had potential compliance violations.
“Small providers generally have struggled more with compliance than other organizations,” Ms. Watterson said in an interview. “It’s largely a resource issue. Having a full HIPAA security program is very resource-intensive.”
Understanding the differences between on-site and off-site audits and what may be required is key to preparing for inquiries, said Ms. Watterson, who spoke about HIPAA audits at the American Health Lawyers Association’s health fraud and compliance forum. Off-site audits refer to documentation requests by phone or electronic means. These audits often are limited in scope and pertain to one or two provisions under HIPAA. On-site audits are frequently more intensive and include visits by federal investigators to the provider’s premises.
It is essential to make certain that all compliance and sanction policies are well documented and to reply to requests in a timely manner, Ms. Watterson said. All documentation must be current as of the request date and cannot be created after the inquiry.