Preparing Your Medical Practice for a HIPAA Audit

September 28, 2012

Here's a breakdown of the federal government's HIPAA audit procedures and how your office can be prepared.

On top of recovery audit contractors (RACs) recovering almost $1 billion in Medicare overpayments and the heightened enforcement against fraud and abuse, HHS’ Office for Civil Rights (OCR) has added HIPAA compliance audits to its enforcement arsenal. This year, the government began auditing the HIPAA policies and procedures of physician practices and other "covered entities." Under the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), covered entities include, among others, any healthcare provider who transmits health information in electronic form in connection with a HIPAA standard transaction.

Physician practices have a very short timeline for meeting the demands of a HIPAA audit. After the practice receives a letter notifying it that it will be audited, it has up to 10 days to send over all requested documentation. Within the following one to three months, the practice is subject to an on-site audit lasting three to 10 business days. The auditors use this time to scrutinize the practice’s policies and procedures, to analyze its technical protections and security measures, to observe how the overall environment safeguards health information, and to interview the staff. Thereafter, the auditor sends a draft final report summarizing the findings, and the practice has 10 days to respond to the findings before the auditor submits the report to the government. This year, the government intends to conduct on-site audits of 115 covered entities.

To assist physicians with preparations for an eventual HIPAA audit, the government posted the 165 performance criteria by which auditors will evaluate the practice’s HIPAA policies and procedures. The published audit protocol provides detailed and complex measures by which a practice will be reviewed for compliance with the Security, Privacy and Breach Notification Rules. Some criteria, for instance, call for a screen-shot of the practice’s computer system to assess the technical access controls on health information (i.e., whether a given user’s access is read-only, full, or limited to modification). Other criteria require the auditor to review the practice’s documented risk assessments of incidents it determined were not reportable breaches.

Among the administrative, physical, and technical safeguards of the Security Rule, the practice is required to: (1) conduct risk assessments; (2) develop and deploy an information system activity review process; (3) designate a security official; and (4) develop and implement procedures to respond to and report security incidents. The Security Rule’s implementation specifications are either "required" or "addressable." If the practice chooses not to fully implement an addressable specification, the government requires it to implement an alternative measure that is reasonable and appropriate for the practice’s specific environment (where such a measure exists) and to document the aspects it has chosen not to implement along with the rationale for doing so.

For example, encryption and decryption of electronic protected health information (ePHI) is one such addressable specification, and a mechanism for it should be in place. Recently, an eye and ear provider in Massachusetts failed to implement necessary encryption measures. Consequently, the provider agreed to a $1.5 million settlement, agreed to review, revise and maintain policies and procedures in compliance with the Security Rule, and submitted to unannounced monitoring of its HIPAA compliance procedures, according to a press release issued September 17, 2012 by HHS.

Based on the complexity of a physician’s practice, the auditor may review, among other things, formal or informal policies and procedures, the type(s) of encryption used, how encryption keys are protected, whether the ability to create or modify keys is restricted to appropriate personnel, and how keys are managed over their lifetime. If the practice has chosen not to fully implement this specification, it must document which aspects it has not implemented and its rationale for doing so.

The HIPAA Privacy Rule focuses on several areas of compliance, including the notice of privacy practices for the patient’s protected health information (PHI), the patient’s right to request privacy protection for PHI, the individual’s right to access their PHI, administrative requirements, uses and disclosures of PHI, amendment of PHI, and accounting of disclosures. For these areas, the HIPAA audit protocol checks that the practice: (1) obtains a valid authorization for any use or disclosure of PHI that requires one; (2) accounts for disclosures of PHI; and (3) complies with the "minimum necessary" standard when using, disclosing or requesting PHI.

Finally, the Breach Notification Rule requires the practice to: (1) conduct a risk assessment of any suspected breach to determine whether notification is required; (2) notify affected individuals of the breach in a timely manner (without unreasonable delay, and no later than 60 days after discovery); and (3) when appropriate, notify the media and the HHS Secretary.

The demands of a HIPAA audit cannot be met overnight. Be proactive! The physician’s practice should develop a work plan to review its HIPAA policies and procedures, implement those policies and procedures with staff and management, update them as necessary to reflect changes in technology and the law, and create detailed supporting documentation of all compliance decisions and activities. Further, the practice should use the HIPAA audit protocol as a guide to avoid adverse findings or significant monetary penalties and to prevent unnecessary disruption of the practice.

Find out more about Daniel M. Lindenberg and our other Practice Notes bloggers.

The information contained within this blog posting on this website is made available by the attorney authoring the posting for educational purposes only, and to give you general information and a general understanding of the law. It is not intended to provide specific legal advice for your individual circumstances or legal questions. By using this blog site you understand that your reading of this blog posting does not establish an attorney-client relationship between you and the authoring attorney or his law firm. This blog posting should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Readers of this information should not act upon any information contained in this blog posting on this website without seeking professional counsel.