by Cathy Bryant, RN, CHPC, Senior Compliance and Risk Management Representative
In the last few days, TMLT has received a number of reports from policyholders who have received emails from the Department of Health and Human Services’ Office for Civil Rights (OCR) asking them to verify their contact information. In a recent national survey, approximately 60% of covered entities that answered “yes” to their contact information being correct then received a second email with the pre-screening questionnaire.
This has left many wondering if verifying your contact information to the OCR results in an audit. Not necessarily, but it will put you into the pool for a possible audit in 2016.
In a recent interview, Deven McGraw of the OCR stated that emails continue to go out to obtain an appropriate pool of covered entities to conduct the next round of audits.(1) From this pool, 200-250 audits will be conducted, beginning first with covered entities and then progressing to business associates before the end of 2016.
McGraw urges covered entities to be prepared. If selected for a desk audit, a covered entity will have ten business days to respond with the documents requested. While a list detailing the requested documents for the desk audits is not currently available, two documents to be included in the audit are the organization’s comprehensive, enterprise-wide security risk assessment and an updated Individuals’ Right under HIPAA to Access their Health Information policy.
A comprehensive, enterprise-wide security risk assessment must assess your EHR and any area where protected health information resides in your office. Connected devices are often overlooked and can pose a significant vulnerability. McGraw said, “almost everything flows out of the Risk Analysis (aka Risk Assessment), so if you are leaving big pieces of your enterprise out of it, chances are you are going to be non-compliant.”
Are you ready? Here are four steps to help you prepare for a possible audit:
- Take TMLT’s HIPAA Random Audit Readiness Quiz. If you cannot answer YES to these ten basic questions, you may not be ready.
- Review your most recent risk assessment. Is it comprehensive? Does it address vulnerabilities across your organization? What have you done with the vulnerabilities identified in your risk management plan to mitigate the risk?
- Review your Individuals’ Right under HIPAA to Access their Health Information Policy. Is it consistent with recently updated guidance from the OCR, which includes information on charges for electronic copies of PHI? (2, 3, 4)
- Review the OCR Audit Protocol.(5) Use the protocol as a self-assessment. The 180-item review of HIPAA Privacy, Security and Breach Notification can be overwhelming. TMLT is available to provide consulting services to assist you with an assessment.(6)
Cathy Bryant is certified in Health Care Privacy Compliance and part of TMLT’s Product Development and Consulting Services team. Cathy can be reached at email@example.com.
1. OCR’s Deven McGraw On HIPAA Audit Preparation. Healthcare Info Security. Available at http://www.healthcareinfosecurity.com/interviews/ocrs-deven-mcgraw-on-hipaa-audit-preparation-i-3178. Accessed May 23, 2016.
2. Individuals’ Right under HIPAA to Access their Health Information. U.S. Department of Health and Human Services. Available at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/. Accessed May 26, 2016.
3. Understanding Individuals’ Right under HIPAA to Access their Health Information. U.S. Department of Health and Human Services. Available at http://www.hhs.gov/blog/2016/01/07/understanding-individuals-right-under-hipaa-access-their.html. Accessed May 26, 2016.
4. New HIPAA guidance reiterates patients’ right to access health information and clarifies appropriate fees for copies. U.S. Department of Health and Human Services. Available at http://www.hhs.gov/blog/2016/02/25/new-hipaa-guidance-accessing-health-information-fees-copies.html. Accessed May 26, 2016.
5. Audit Protocol – Updated April 2016. U.S. Department of Health and Human Services. Available at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/. Accessed May 26, 2016.
6. TMLT Cyber Consulting Services. Texas Medical Liability Trust. Available at http://www.tmlt.org/tmlt/products-services/cyber-consulting-services.html. Accessed May 26, 2016.
About the Author
Cathy joined TMLT in 2010 and serves as the Senior Compliance and Risk Management Representative. Cathy leads the development and implementation of TMLT’s cyber risk management services. Cathy Bryant can be reached at firstname.lastname@example.org.