Featured Product
This Week in Quality Digest Live
Health Care Features
Claudine Mangen
If you have the energy to try and address organizational overwork, start small
Gregory Way
Drug designers are rethinking their response to medications that affect multiple targets
Adam Zewe
Research on machine-learning models that can help doctors consult patient records more easily
Karina Montoya
Analysis of social and economic impact bolsters the fight against hepatitis C
Tom Rish
Keep it organized and ready for inspection at any time

More Features

Health Care News
Google Docs collaboration, more efficient management of quality deviations
MIT course focuses on the impact of increased longevity on systems and markets
Delivers time, cost, and efficiency savings while streamlining compliance activity
First responders may benefit from NIST contest to reward high-quality incident command dashboards
Enhances clinical data management for medtech companies
Winter 2022 release of Reliance QMS focuses on usability, mobility, and actionable insights
The tabletop diagnostic yields results in an hour and can be programmed to detect variants of the SARS-CoV-2 virus
First Responder UAS Triple Challenge focuses on using optical sensors and data analysis to improve image detection and location
Free education source for global medical device community

More News

Ken Miller

Health Care

HIPAA Audits Are Coming! HIPAA Audits Are Coming!

Know your risks and act on them

Published: Tuesday, April 19, 2016 - 13:56

Please pardon me, but I feel a little like a modern-day Paul Revere alerting you to the start of the second wave of Health Insurance Portability and Accountability (HIPAA) compliance audits.

Last week, Jocelyn Samuels, director of the Health and Human Services’ Office of Civil Rights (OCR), announced the launch of the audits, a follow up from the pilot audit program dating back to 2012. The audit contractors have been hired, a new data portal at the OCR has been rolled out, and initial surveys are going out to possible auditees. It seems now it’s official; it’s finally happening.

Some general information about the audits is available on the OCR website. The plans include conducting desk audits of a total of 150 entities—100 covered entities and 50 business associates. The desk audits will use new portals created to support the remote audit model. Auditors will send requests for information, and auditees will submit data through the new portal. If everything proceeds according to schedule, the desk audits will be completed by December 2016.

In addition to the desk audits, 50 onsite audits will be conducted at 40 covered entities and 10 business associates. The onsite audits will have a broader scope than the desk audits, and having a desk audit does not prevent you from having an onsite visit as well.

Areas of focus for the desk audits mentioned in Samuels’ announcement include risk analysis, risk management, notice of privacy practices, and access to records. The OCR has promised to release the audit protocols as it continues to ramp up.

I said I felt like Paul Revere, but maybe it’s really Dirty Harry—“Do you feel lucky?”—because your odds of being selected for an audit are fairly small. The OCR plans to conduct a total of 200 reviews from a pool of nearly three million covered entities. Being prepared, however, is always a best practice. You never know when a complaint or, worse yet, a breach event will put you in the crosshairs of an investigation.

Two recent settlements coming out of breach investigations have generated headlines. One settlement was for $1.55 million and the other for $3.9 million. Both breaches can be traced back to unencrypted laptops with one involving a business associate and another involving research data. Encrypting your laptops is one of the most basic steps to take to secure your patient data that may be stored on a portable computer. While the breach events both stem from the loss of laptops, both investigations indicate lack of proper risk assessments as underlying causes. This brings us back to the Phase 2 audit focus of risk analysis and risk management.

The best advice is to:
• Know your risks through a detailed risk analysis.
• Act on those risks with an ongoing management plan.
• Encrypt your laptops!

Discuss

About The Author

Ken Miller’s picture

Ken Miller

Ken Miller serves as a senior manager in healthcare services at HORNE LLP, a CPA and business advisory firm. He concentrates on providing compliance consulting services in the areas of healthcare billing regulations, privacy regulations, and healthcare internal audit services.