Anesthesia Coding Alert

Start working now to ensure your privacy and security practices are on par.

Every anesthesia practice is a potential target for a HIPAA (Health Insurance Portability and Accountability Act) audit. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is conducting the full range of audits using revised protocol materials, through December 2012. Here's the latest on three common questions and how you can prepare for a potential audit.

Which Physicians Will Be Audited?

Technically, all covered entities and their business associates are eligible for a HIPAA audit. According to the HHS website, the "OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit." Business associates will be included in future audits.

"The new program is a random program, and the selection is not dependent on any prior behavior, violations, breaches or any other factor, so there is no way to take action to prevent being audited under this program," says Jim Sheldon-Dean, director of compliance services for Lewis Creek Systems in Charlotte, Vt. Up to 150 audits will be performed by the end of 2012 under this particular program, he added.

Plus: Some audits are being performed outside of this new program, as a result of complaints or breach reports. These audits can potentially result in violations and settlements for fines.

What Should We Expect?

If your practice is scheduled for an audit, the OCR will notify you in writing. The notification will outline the audit process, tell who your audit contractor will be, and list requests for relevant documents and other information to ensure you're prepared for the audit. How and when you should return the requested information to the contractor also will be specified at this stage.

Important: You must return this information within 10 business days of receiving the notice. Also, "OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated onsite visit," states the HHS website. "In this pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance.""

How Do We Prepare?

Put together your documentation that demonstrates the steps you have taken to be compliant with HIPAA requirements.

"I've seen many organizations big and small lapse in their mitigation and monitoring response. Specifically, that they do not review periodically," says Ester Horowitz, CMC, CITRMS, certified management counselor and owner/practice marketing advisor with M2Power Inc. in Merrick, N.Y. Organizations followed HIPAA initially from a system-wide approach, she adds. New procedures were adopted and others revised. Many of the procedures from that time continue today but some have become outdated or lax.

Every organization is required to periodically review their privacy policies, procedures, and methodologies and to document that they did, Horowitz points out. The review should include information demonstrating that employees were and are trained " not just once, but periodically.

"In an effort to standardize and make habit a routine that allows the company to deliver care or support care, it must also be acknowledged that routines become obsolete, need adaptation, updating, and should be minimally reviewed," Horowitz says. "I do not see that occurring at this stage of the HIPAA life cycle across a majority of organizations."

Afterwards: Following the site visit, auditors will develop a draft report and share it with the entity. Audit reports generally describe how the audit was conducted, what the findings were, and what actions the covered entity is taking in response to those findings. Prior to finalizing the report, the covered entity will have the opportunity to discuss concerns and describe corrective actions implemented to address issues that were identified.

You should "see it [taking corrective action] as valuable labor ... (and) clearly understand that it is a profit center method that will only elevate the organization's reputation and output if followed and measured appropriately," Horowitz advises.

Resource: You can read up for further details at www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html.