HIPAA audits set to begin for those who have their number pulled

By Correy Stephenson

The Daily Record Newswire

The Department of Health and Human Services has contracted with two different parties to conduct audits of entities covered by the 1996 Health Insurance Portability and Accountability Act.

What that means for covered entities "is that the audit program is coming," cautioned Adam H. Greene, a partner in the Washington, D.C. office of Davis Wright Tremaine who formerly worked at HHS' Office for Civil Rights and focuses his practice on HIPAA compliance.

Under the auspices of the 2009 HITECH (Health Information Technology for Economic and Clinical Health) Act, HHS was mandated to conduct audits of covered entities to ensure compliance with data security and privacy requirements.

Prior to HITECH, HHS investigated potential HIPAA violations based on specific complaints. But HITECH imposed a requirement to conduct periodic audits to ensure that covered entities and business associates are complying with the HIPAA rules.

"Covered entities" include health care providers, health plans (including insurance companies and HMOs) and health care clearinghouses, such as billing services for physicians. "Business associates" are entities that perform functions on behalf of covered entities that involve disclosure of protected health information, such as medical data contractors or law firms that represent health care providers.

In June, the department awarded two contracts related to the audit requirements. The first went to Booz Allen Hamilton, for $180,000 for "audit candidate identification."

The department then awarded a $9.2 million contract to KPMG to create an audit protocol and conduct up to 150 audits of covered entities by Dec. 31, 2012.

According to the contract synopsis, each audit will include a site visit with interviews with various leadership officials (such as the chief information officer, legal counsel and director of medical records) and an examination of the physical features, operations and adherence to policy.

In addition to data from the site visit, reports would include a timeline and methodology of the audit as well as specific recommendations the entity can take to address identified compliance problems, complete with a corrective action plan.

Recommendations for HHS regarding oversight and the need for any corrective action will also be included.

With audits set to begin late this year or in early 2012, covered entities should prepare themselves now, Greene said.

On the privacy side, they should make sure they "have comprehensive policies and procedures that are up-to-date and reflect the issues of the organization," he said.

For example, an organization that bought a canned set of policies and procedures eight years ago might have since discovered that its biggest issues are the improper disposal of paper records and the inappropriate snooping by employees into electronic records.

If those issues aren't reflected in their policies and procedures, "that will not look good to OCR and the auditors," Greene said.

Covered entities should also ensure that they have conducted comprehensive training, especially for new staff.

"You don't want someone who has had exposure for nine months to personal health information simply waiting until the annual training comes around," Greene said. "And again, you want the training to reflect not just general HIPAA issues, but those specific to your organization."

Finally, he suggested that entities that have never imposed an internal HIPAA-related sanction may have a problem.

Not having issued a sanction "doesn't mean you have never had a HIPAA violation," Greene said. "Have a written sanctions policy that you have trained employees on so that they know the repercussions if they violate the privacy and security requirements."

Greene acknowledged that the odds of being audited remain low, given the number of covered entities.

"Think of it as losing the lottery," he said. "Even if the odds are low, some people are going to have their number drawn."

Published: Thu, Sep 1, 2011


  1. No comments
Sign in to post a comment »