Last year, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) reported their intentions to survey a small number of health care entities and their business associates in order to select subjects for a new “random” audit.
The selection process is now underway!
OCR has begun sending pre-audit screening surveys via email to a small number of applicable entities across the state, with questions expected to focus on security risks to protected health information (PHI) and pervasive issues of non-compliance based on OCR’s 2011 and 2012 audit findings and observations.
Please note: only a small number of covered entities, fewer than 10%, will actually receive the survey.
It is unknown how many of those contacted will actually be selected for the audit; however, sources are projecting that approximately half of those contacted will be audited. If you receive a survey, please don’t ignore it. Respond to it as soon as possible. Failure to do so could potentially “raise a red flag” with HHS, and invite scrutiny or even an independent audit.
If a serious compliance concern is found through an audit, OCR may initiate a full compliance review through its enforcement division that could lead to financial penalties.
The audit program is an attempt by OCR to proactively enforce, assess, and confirm HIPAA compliance efforts, and present new opportunities to “examine mechanisms for compliance, identify best practices, and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews.” (1)
TMLT Resources
If you receive a survey, please contact Cathy Bryant in TMLT’s Product Development and Consultant Services department at cathy-bryant@tmlt.org or 512-425-5910. Cathy will do a high-level review to help your Privacy Officer identify areas that may be on the audit.
If you are chosen for an audit, please contact TMLT at 800-580-8658 and ask for the Claims Department.
To help you prepare for a potential audit, TMLT offers the following table with information and solutions related to these audits.
| Checklist | Information or Solution |
| --- | --- |
| POLICIES AND PROCEDURES - REVIEW AND UPDATE: HIPAA and Texas Medical Privacy and Security require you to have updated policies and procedures. | TMLT Privacy and Security Toolkit. The toolkit is available online. |
| NOTICE OF PRIVACY PRACTICES (NPP) - REVIEW AND UPDATE: Recent changes to the HIPAA Omnibus Rule and Texas Medical Privacy and Security laws require you to revise your Notice of Privacy Practices. | Notice of Privacy Practices (NPP) |
| BUSINESS ASSOCIATE (BA) & BUSINESS ASSOCIATE AGREEMENT (BAA) - IDENTIFY ALL BAs & REVIEW AND REVISE BAAs: BAs are now held to the same requirements under HIPAA as Covered Entities (CE). During the Random HIPAA Audit, BAs of audited CE will also be subject to an audit. | Business Associates and Business Associate Agreements |
| SECURITY RISK ANALYSIS | TMLT can conduct a Security Risk Analysis for your practice. The HIPAA Security Rule requires a Security Risk Analysis if you do electronic billing or have EHR. (2) |
| TRAINING | TMLT Privacy and Security Toolkit. TMLT can develop customized training for your office. TMLT solutions are available in TMLT’s toolkit. |
| KNOW YOUR STATE LAW | TMLT Privacy and Security Toolkit. The Comparison Tool, included in the toolkit, highlights Texas and federal law differences. |
For more information on TMLT’s Toolkit, risk assessments, or consulting services, please contact Stephanie Downing at 1-800-580-8658 or consultingwebmail@tmlt.org.
Sources:
1. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/auditpilotprogram.html
2. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/
About the Author
Laura Hale Brockway