Health and Human Services Launches Random HIPAA Audit Surveys

June 25, 2015 Laura Hale Brockway

Last year, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its intention to survey a small number of health care covered entities and their business associates in order to select subjects for a new "random" audit program.

The selection process is now underway!

OCR has begun emailing pre-audit screening surveys to a small number of covered entities and business associates across the state. The questions are expected to focus on security risks to protected health information (PHI) and on the pervasive compliance gaps identified in OCR's 2011 and 2012 pilot audit findings and observations.

Please note: only a small number of covered entities, fewer than 10%, will actually receive the survey.

It is not yet known how many of those contacted will be selected for an audit; sources project that roughly half will be. If you receive a survey, do not ignore it. Respond as soon as possible. Failing to respond could "raise a red flag" with HHS and invite additional scrutiny or even an independent audit.

If a serious compliance concern is found through an audit, OCR may initiate a full compliance review through its enforcement division that could lead to financial penalties.

The audit program is OCR's attempt to proactively assess and confirm HIPAA compliance, and to "examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR's ongoing complaint investigations and compliance reviews." (1)

TMLT Resources

If you receive a survey, please contact Cathy Bryant in TMLT's Product Development and Consultant Services department at cathy-bryant@tmlt.org or 512-425-5910. Cathy will do a high-level review to help your Privacy Officer identify areas likely to be covered by the audit.

If you are chosen for an audit, please contact TMLT at 800-580-8658 and ask for the Claims Department.

To help you prepare for a potential audit, TMLT offers the following checklist, with information and solutions for each item.

Checklist: POLICIES AND PROCEDURES - REVIEW AND UPDATE
HIPAA and Texas medical privacy and security law require you to maintain current, written policies and procedures.

Information or solution: TMLT Privacy and Security Toolkit
The TMLT toolkit guides practices with existing policies through a system-wide review and highlights which revisions may be needed. It also helps practices that are still developing policies and procedures to better understand the HIPAA rules and Texas law. The toolkit is available online.

Checklist: NOTICE OF PRIVACY PRACTICES (NPP) - REVIEW AND UPDATE
The HIPAA Omnibus Rule and recent changes to Texas medical privacy and security law require you to revise your Notice of Privacy Practices.

Information or solution: Notice of Privacy Practices (NPP)
The NPP is the document that tells your patients how you will use and disclose their protected health information (PHI). The Omnibus changes require you to review and revise your NPP, and changes to Texas law require you to notify patients that their PHI may be disclosed electronically. Model NPPs are available on the HHS website, and TMLT's versions are available in the TMLT toolkit.

Checklist: BUSINESS ASSOCIATES (BAs) & BUSINESS ASSOCIATE AGREEMENTS (BAAs) - IDENTIFY ALL BAs & REVIEW AND REVISE BAAs
Under the Omnibus Rule, BAs are directly liable for compliance with the HIPAA Security Rule and the applicable Privacy Rule provisions, just as covered entities (CEs) are. During the random HIPAA audit, BAs of audited CEs may also be selected for audit.

Information or solution: Business Associates and Business Associate Agreements
Identify all of your BAs, that is, anyone outside your practice with whom you share PHI. Determine whether you had a BAA in place with each of them before March 26, 2013. Existing BAAs had to be updated by September 22, 2014, the end of the Omnibus transition period; if you have no BAA with a vendor, or only an outdated one, get a compliant BAA signed as soon as possible. Learn more about BAs and BAAs in TMLT's Privacy and Security Toolkit.

Checklist: SECURITY RISK ANALYSIS
The HIPAA Security Rule requires a security risk analysis if you bill electronically or use an EHR. (2) The analysis must be documented, and it must be reviewed and updated as your systems and practice change.

Information or solution: TMLT can conduct a Security Risk Analysis for your practice.

Checklist: TRAINING
Texas law is more stringent than federal law on workforce training: Texas requires privacy training within 60 days of hire and at least once every two years thereafter.

Information or solution: TMLT Privacy and Security Toolkit
The toolkit includes "Introduction to Developing Physician Office Training." TMLT can also develop customized training for your office.

Checklist: KNOW YOUR STATE LAW
Texas privacy requirements differ from, and in places exceed, the federal HIPAA requirements.

Information or solution: TMLT Privacy and Security Toolkit
The Comparison Tool included in the toolkit highlights the differences between Texas and federal law.

For more information on TMLT's toolkit, risk analyses, or consulting services, please contact Stephanie Downing at 1-800-580-8658 or consultingwebmail@tmlt.org.

Sources:

1. HHS Office for Civil Rights, HIPAA Audit Pilot Program. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
2. HHS Office for Civil Rights, The HIPAA Security Rule. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/

About the Author

Laura Hale Brockway is Assistant Vice President of Marketing at TMLT and has more than 17 years of experience in communications, 15 of those years with TMLT. Ms. Brockway has also worked for Seton Healthcare Family and the Texas Academy of Family Physicians. An honors graduate of the University of Texas at Austin, Ms. Brockway holds an Editor in Life Science (ELS) certification from the Board of Editors in the Life Sciences. She is also a contributor to Ragan Communication’s PR Daily website and is the author of the blog, impertinentremarks.com. Laura Brockway can be reached at laura-brockway@tmlt.org.
