Play It Safe: Prepare for HIPAA Audits
A Wide Variety of Organizations Will be Scrutinized
What are the odds that your organization will be one of the 150 selected for a HIPAA compliance audit? Pretty slim. But unless you're into high-stakes gambling, your best bet is to assume you're going to be audited and get ready now.
Senior executives at a small hospital in Texas never dreamed the organization would be selected as one of the first 20 to be audited. But sure enough, the notification letter came in the mail in December. Now, hospital leadership is scrambling to get ready with the help of consultant Mac McMillan of CynergisTek.
"There was a fair amount of anxiety when they got this letter," McMillan says. "They didn't think they'd be among the first to be selected."
So if you think your organization doesn't stand a chance of being audited, think again.
As I pointed out in a recent story, the Department of Health and Human Services' Office for Civil Rights intends to audit a wide variety of hospitals, physician groups, health plans and other covered entities - not just huge, big-city organizations (see HIPAA Audits Move Forward). By the way, business associates (business partners that have access to patient information) will not be subject to audits this year.
It makes sense to audit healthcare organizations of all shapes and sizes. After all, one goal of the audit program is to spur across-the-board compliance with the Health Insurance Portability and Accountability Act's privacy, security and breach notification rules. And the best way to do that is to scrutinize a variety of players.
Audit Prep Steps
Virtually any organization that's audited is going to have some HIPAA compliance issues that it has yet to resolve. So McMillan urges covered entities to document, in advance of an audit, the areas where they need to work on compliance and the steps they plan to take.
We'll have to wait and see how the audits play out. But Leon Rodriguez, the new head of the Office for Civil Rights, stresses that a key goal of working with covered entities on audits is to "find out where there are opportunities for improvement and help them improve."
Keep in mind, however, that Rodriguez also acknowledges that audits that uncover significant vulnerabilities could result in significant corrective action and even civil monetary penalties.
The bottom line? It's time to review your HIPAA compliance policies, procedures and training. And by all means, make sure you've documented your strategy so you have something to show the auditors.
I hope that the Office for Civil Rights will offer detailed summaries of its audit findings periodically this year, pinpointing vulnerabilities discovered and suggesting ways to address them. That way, the audit program can be a learning experience for everyone.
It's too bad that federal authorities didn't launch a HIPAA compliance audit program a long time ago. Who knows how many health information breaches and privacy violations could have been avoided if more organizations took compliance more seriously?
In addition to the audit program, I'm hoping the Office for Civil Rights, under the direction of its new leader - an experienced prosecutor - will take additional aggressive enforcement steps, imposing more sanctions against organizations guilty of the most egregious HIPAA violations. That would be another powerful compliance catalyst.