Before you are caught with your HIPAA pants down, I recommend you take the following steps to plan for a smooth audit.
In prior blogs I have touched upon HIPAA, the need for confidentiality, and the importance of proper recordkeeping in your practice. The time has now come to find out whether your practice is HIPAA-compliant, as the Office for Civil Rights (OCR) will be conducting random “HIPAA Compliance Audits” of Covered Entities (e.g., your practice) and their Business Associates in 2012. Providers lucky enough to be selected for an audit will be required to submit all written HIPAA compliance materials for review and participate in a three- to 10-day on-site audit during which auditors observe those HIPAA compliance policies in action. Although these audits are not “formal” investigations, discrepancies may trigger a formal OCR investigation, which any practice wants to avoid.
Although HIPAA was all the rage back in the early 2000s when most practices purchased HIPAA manuals and obtained staff training, HIPAA has been neglected by many since then. To be fully HIPAA-compliant, your practice must keep its policies and training updated and stay abreast of new legal interpretations, opinions, and case law. I am routinely asked to provide guidance regarding HIPAA and am consistently surprised by how many providers: (a) base their HIPAA compliance policies on outdated or incomplete information; or (b) believe the generic form they printed off the internet in 2005 is all the HIPAA compliance needed. Nothing could be further from the truth!
Before you are caught with your HIPAA pants down, I recommend your practice take the following steps to plan for a smooth audit:
1. Gather all of your HIPAA documents. At a minimum, your HIPAA documentation should include: office policies and procedures; a Notice of Privacy Practices; medical record request forms; documented staff training and education material with signed acknowledgments; a Security Rule risk analysis; breach protocols; a Business Associate Agreement form; the required disclosure log; and documented HIPAA incidents and corrective actions.
2. Review HIPAA policies and procedures and update as necessary. Be certain that you have updated, signed Business Associate Agreements with all Business Associates. The 2009 “Health Information Technology for Economic and Clinical Health” (HITECH) law necessitated updates to Business Associate Agreements and, in addition to other provisions, conferred direct liability on Business Associates. Contact health law counsel or a HIPAA consultant to see if your forms need to be modified or replaced.
3. Conduct a risk assessment of your practice by observing office protocol over a period of time and reporting any potential compliance issues. Follow up with staff training. Remember that no policy is effective if it is neither known nor understood by your practice staff.
4. Consider how the use of technology and social media may have changed since you first developed your HIPAA compliance materials. Determine what guidelines may be needed to protect electronic data and to train staff regarding privacy of patient information in the age of social media (see my blog on social media).
5. If you find risk areas during your assessment, actively address them through your written HIPAA compliance plan. Do not wait for the auditor to note these deficiencies.
6. Prepare your staff for an audit. Explain what to expect and have a plan in place for who will take the lead with the auditors during a visit (which could extend over many days). Make sure staff understand all HIPAA policies and procedures and can comfortably discuss them with an auditor.
If you are selected for an audit, stay calm and contact your legal counsel. It’s important to provide all requested documentation within the allotted time frame (but remember you do not have to provide any information that is not specifically requested). During the on-site visit, make the auditors comfortable and cooperate as necessary. If you have any questions regarding whether the auditor should have access to specific information, privately consult your legal counsel.
These OCR audits are just a pilot phase and the beginning of HIPAA compliance enforcement efforts nationally. To avoid the penalties associated with HIPAA non-compliance, every practice should dust off its HIPAA manual, update the practice’s policies and retrain staff on the requirements of the law. As with any government audit, a little advance preparation can save you a lot of trouble!
Find out more about Ericka L. Adler and our other Practice Notes bloggers.