Please pardon me, but I feel a little like a modern-day Paul Revere alerting you to the start of the second wave of Health Insurance Portability and Accountability Act (HIPAA) compliance audits.
Last week, Jocelyn Samuels, director of the Health and Human Services' Office for Civil Rights (OCR), announced the launch of the audits, a follow-up to the pilot audit program dating back to 2012. The audit contractors have been hired, a new data portal at the OCR has been rolled out, and initial surveys are going out to possible auditees. It seems now it's official; it's finally happening.
Some general information about the audits is available on the OCR website. The plans include conducting desk audits of a total of 150 entities—100 covered entities and 50 business associates. The desk audits will use new portals created to support the remote audit model. Auditors will send requests for information, and auditees will submit data through the new portal. If everything proceeds according to schedule, the desk audits will be completed by December 2016.
In addition to the desk audits, 50 onsite audits will be conducted at 40 covered entities and 10 business associates. The onsite audits will have a broader scope than the desk audits, and having a desk audit does not prevent you from having an onsite visit as well.
Areas of focus for the desk audits mentioned in Samuels’ announcement include risk analysis, risk management, notice of privacy practices, and access to records. The OCR has promised to release the audit protocols as it continues to ramp up.
I said I felt like Paul Revere, but maybe it’s really Dirty Harry—“Do you feel lucky?”—because your odds of being selected for an audit are fairly small. The OCR plans to conduct a total of 200 reviews from a pool of nearly three million covered entities. Being prepared, however, is always a best practice. You never know when a complaint or, worse yet, a breach event will put you in the crosshairs of an investigation.
Two recent settlements coming out of breach investigations have generated headlines. One settlement was for $1.55 million and the other for $3.9 million. Both breaches can be traced back to unencrypted laptops, one involving a business associate and the other involving research data. Full-disk encryption of laptops is one of the most basic steps you can take to protect patient data stored on portable computers, and a lost laptop whose disk is encrypted in line with HHS guidance generally does not trigger breach notification at all. While both breach events stem from the loss of laptops, both investigations cite the lack of a proper risk assessment as the underlying cause. This brings us back to the Phase 2 audit focus on risk analysis and risk management.
The best advice is to:
• Know your risks through a detailed risk analysis.
• Act on those risks with an ongoing management plan.
• Encrypt your laptops!