HIPAA Audit Program Phase II – Have You Been Selected?


Phase II of the HIPAA Audit Program has begun, with many covered entities and business associates receiving an “Audit Entity Contact Verification” message from the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR). The communication requires the individual recipient to verify that he or she is the primary contact for the HIPAA Audit Program.

Does the receipt of this form mean that your entity has been selected for an audit? Not necessarily.

Although receipt of the communication is not a guarantee of an audit, it is the first step in a process that may lead to a comprehensive HIPAA compliance audit of your entity. According to OCR, the process for the HIPAA Audit Program is as follows:

  1. Contact Verification: OCR will send the Audit Entity Contact Verification to a covered entity or business associate to determine the entity’s primary contact for HIPAA purposes. Covered entities and business associates who receive the form should respond and not ignore OCR’s request for verification. OCR has made it clear that entities who do not respond could still be subject to an audit.
  2. Questionnaire: After the entity’s contact information is verified, OCR will send a questionnaire to each covered entity and business associate to determine the size, type, and operations of the entity. Covered entities will also be required to identify each of their business associates. OCR will use this data to develop the pool of potential auditees for the HIPAA Audit Program.
  3. Selection: OCR will then randomly select entities from the pool for audit. If selected, the entity will have to visit an OCR web site and upload its HIPAA privacy policies, security policies, and most recent risk assessment. Based on the information uploaded, it is possible that OCR will arrange for an on-site visit of the entity.

The bottom line is that your receipt of the Audit Entity Contact Verification message does not necessarily mean that your entity will be selected for a HIPAA audit. However, your entity will likely be placed into the pool from which OCR will select entities to audit.

If nothing else, the receipt of the Audit Entity Contact Verification communication should motivate your entity to review current HIPAA privacy and security policies and ensure that they conform to the requirements of HIPAA and the HITECH Act. In addition, your entity should perform an updated risk analysis to uncover and address gaps in your HIPAA security policies and procedures.

A basic risk analysis should include the following components:

  1. Inventory: An inventory listing all of your information assets that contain health information (e.g. computers, laptops, smartphones, etc.);
  2. Threats: Potential threats to the security of your information assets;
  3. Controls: Current controls to safeguard the assets against the threats;
  4. Vulnerabilities: Any vulnerabilities in the controls;
  5. Likelihood: The likelihood that the threats will exploit the vulnerabilities;
  6. Impact: The impact if the vulnerabilities are exploited (e.g. how much health information is at risk); and
  7. Risk: The overall risk of a threat, based on the likelihood and potential impact of the threat’s exploitation of a vulnerability.
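As an added illustration (not from the original post), the seven components above can be captured in a small risk register that ranks risks and flags assets with no current control. The ordinal scales, the likelihood-times-impact scoring and the sample entries are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Ordinal scales for likelihood and impact (constructed for this example).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str      # 1. Inventory item that holds health information
    records: int   # approximate number of PHI records on the asset


@dataclass
class RiskEntry:
    asset: Asset
    threat: str          # 2. Threat to the asset
    controls: list       # 3. Current safeguards in place
    vulnerability: str   # 4. Weakness in those safeguards
    likelihood: str      # 5. Likelihood rating
    impact: str          # 6. Impact rating

    def risk_score(self) -> int:
        # 7. Overall risk: likelihood x impact (a common qualitative approach; assumption)
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rank_risks(entries):
    """Highest risk first; ties broken by the number of records at stake."""
    return sorted(entries, key=lambda e: (e.risk_score(), e.asset.records), reverse=True)


def uncontrolled(entries):
    """Entries with no current control: these need a policy or procedure first."""
    return [e for e in entries if not e.controls]


# Constructed sample register (not real data).
laptop = Asset("clinic laptop", records=5000)
phone = Asset("nurse smartphone", records=200)
server = Asset("EHR server", records=250000)

REGISTER = [
    RiskEntry(laptop, "theft from vehicle", ["cable lock"], "disk not encrypted", "medium", "high"),
    RiskEntry(phone, "lost device", [], "no remote wipe", "high", "low"),
    RiskEntry(server, "ransomware", ["offline backups", "EDR"], "restore never tested", "low", "high"),
]

if __name__ == "__main__":
    for e in rank_risks(REGISTER):
        print(e.risk_score(), e.asset.name, e.threat, e.vulnerability)
```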

It is important to develop policies and procedures to address any risks that your entity uncovers as a result of the risk analysis.

Although the HIPAA Audit Program can be a source of anxiety for covered entities and business associates, it can also be a great opportunity to update HIPAA policies and procedures and ensure that your entity is doing everything possible to safeguard health information.

For more information about the HIPAA Audit Program and HIPAA compliance issues, please contact Casey Moriarty.
