Would your practice survive an audit?

There are many different types of “audits”, so when we refer to audits here, we mean a “HIPAA audit”. When anyone mentions a HIPAA audit, most practices think it won’t happen to them. I hear it so often: “I have never seen the ‘HIPAA Police’ come around and do an audit.” Well, they don’t just walk in off the street, but it only takes one patient complaint, a disgruntled employee, or a data breach to trigger an investigation. I have said this MANY times… and I feel the need to repeat it one more time! HIPAA has changed a few times over the years, but one thing has not changed since 1996: HIPAA compliance is here to stay, and it is not optional.

When an investigation is opened, the documentation you provide determines whether a desk audit is conducted. For example, many OCR (Office for Civil Rights) investigations find systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, to implement risk management and audit controls, and to maintain documentation of HIPAA Security Rule policies and procedures. Under the “recognized security practices” provision, the OCR may review a minimum of 12 months of your documentation. The good news is that if you have documented your compliance efforts, you may not be fined or penalized! The OCR is trying to incentivize practices to step up their data security practices. Keep in mind, this must be documented. Just another reason why our clients are moving to our online compliance platform!

Employee mistakes are the typical cause of a security incident or data breach. Someone clicks on a link, opens an infected website, or falls for a phishing scam. This is a HUGE problem; all you have to do is go to the OCR breach portal and you can see for yourself the number of breaches reported as hacking. Educating your staff is #1, along with good data security practices that are documented.

Lost or stolen devices are also a problem unless they are encrypted. Security incidents must be reviewed, and the outcome documented. If a device is lost or stolen and it is encrypted (and documented as such), it is not a reportable breach!

Another area that the OCR reviews (depending on the complaint or violation) is employee training. HIPAA training requires periodic updates, and it is recommended that all staff including physicians attend annual HIPAA training. Again, this must be documented.

Background checks are so important and often overlooked. I can’t stress this enough… background checks are more than calling the “references” the candidate offers you. Of course, they will give glowing reviews! Insider threats are becoming more of a problem. People pose as a “great” employee only to steal patient information, or some may just be curious and open patient records that they are not authorized to view. Both situations can lead to data breaches or violations. Utilizing a professional company to conduct your background checks will provide you with the appropriate documentation.

Have you noticed something that all these areas have in common? DOCUMENTATION! If it is not documented, it doesn’t exist in the eyes of the OCR.

Do you know why the OCR is coming down hard on the lack of data security? Because patient data is valuable, and hackers and scammers are trying to get to YOUR patient data. This is some of the most sought-after information because it contains everything needed to steal a person’s identity. It is easy to get a new credit card number, but you can’t get a new social security number. One more thing: some identity thefts lead to medical identity theft. This can be deadly if someone’s medical information is changed.

These are just friendly reminders to keep your practice safe and secure!

If you need more information or would like a 30-minute live demo of our Automated HIPAA Compliance platform, you may click on Schedule a Demo to select a convenient time.

“Simplifying HIPAA through Automation, Education, and Support”

OCR Issues Audit Report on Health Care Compliance

Yesterday, the Office for Civil Rights (OCR) at the Department of Health and Human Services (DHHS) released its 2016-2017 HIPAA Audits Report. Although this seems outdated, it typically takes this long to compile the data. They reviewed selected covered entities (CE) and business associates (BA) for compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

DHHS is required by law under the HITECH Act to conduct periodic audits. The chances of a random audit are slim, but they do happen, and you must be prepared. Don’t be fooled by the slim chance of a random audit; you can be audited for many other reasons! This audit comprised 166 covered entities and 41 business associates. The OCR publishes this report to share the overall findings.

A summary of the audit findings includes:

  • Most CEs met the timeliness requirements for providing breach notification to individuals.
  • Most CEs that maintained a website about their customer services or benefits satisfied the requirement to prominently post their Notice of Privacy Practices on their website.
  • Most CEs failed to provide all of the required content for a Notice of Privacy Practices.
  • Most CEs failed to provide all of the required content for breach notification to individuals.
  • Most CEs failed to properly implement the individual right of access requirements such as timely action within 30 days and charging a reasonable cost-based fee.
  • Most CEs and BAs failed to implement the HIPAA Security Rule requirements for risk analysis and risk management.

“The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino. “We will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.”

The 2016-2017 HIPAA Audits Industry Report may be found at: https://www.hhs.gov/sites/default/files/hipaa-audits-industry-report.pdf

If you need assistance with HIPAA Risk Management or guidance with your HIPAA Compliance contact us at 877.659.2467 or complete the contact us form.

©2022 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved