Start working now to ensure your privacy and security practices are on par.

Every anesthesia practice is a potential target for a HIPAA (Health Insurance Portability and Accountability Act) audit. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) is conducting the full range of audits using revised protocol materials, through December 2012. Here's the latest on three common questions and how you can prepare for a potential audit.

Which Physicians Will Be Audited?

Technically, all covered entities and their business associates are eligible for a HIPAA audit. According to the HHS website, the "OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit." Business associates will be included in future audits.

"The new program is a random program, and the selection is not dependent on any prior behavior, violations, breaches or any other factor, so there is no way to take action to prevent being audited under this program," says Jim Sheldon-Dean, director of compliance services for Lewis Creek Systems in Charlotte, Vt. Up to 150 audits will be performed by the end of 2012 under this particular program, he added.

Plus:

What Should We Expect?

If your practice is scheduled for an audit, the OCR will notify you in writing. The notification will outline the audit process, tell who your audit contractor will be, and list requests for relevant documents and other information to ensure you're prepared for the audit. How and when you should return the requested information to the contractor also will be specified at this stage.

Important:

How Do We Prepare?

Put together your documentation that demonstrates the steps you have taken to be compliant with HIPAA requirements.
"I've seen many organizations big and small lapse in their mitigation and monitoring response. Specifically, that they do not review periodically," says Ester Horowitz, CMC, CITRMS, certified management counselor and owner/practice marketing advisor with M2Power Inc. in Merrick, N.Y.

Organizations followed HIPAA initially from a system-wide approach, she adds. New procedures were adopted and others revised. Many of the procedures from that time continue today, but some have become outdated or lax.

Every organization is required to periodically review its privacy policies, procedures, and methodologies and to document that it did, Horowitz points out. The review should include information demonstrating that employees were and are trained, not just once, but periodically.

"In an effort to standardize and make habit a routine that allows the company to deliver care or support care, it must also be acknowledged that routines become obsolete, need adaptation, updating, and should be minimally reviewed," Horowitz says. "I do not see that occurring at this stage of the HIPAA life cycle across a majority of organizations."

Afterwards: You should "see it [taking corrective action] as valuable labor ... (and) clearly understand that it is a profit center method that will only elevate the organization's reputation and output if followed and measured appropriately," Horowitz advises.

Resource: