Keep alert for verification requests.
The Office of Civil Rights (OCR) random desk audits will continue through Dec. 2016, and word on the streets is that even small practices are in the auditor’s sights.
“A covered entity is required to comply with HIPAA, regardless of its size,” explains Michael D. Bossenbroek, Esq., of Wachler & Associates, P.C. in Royal Oak, Michigan.
If you’re part of a small surgical group, here are some pointers to help you make it through a possible audit, breach, or complaint that will bring you before the OCR investigators.
Respond to Verification Request
If you or your business partners receive an Audit Entity Contact Verification form, don’t panic. This important form is meant to verify the contact information of the covered entities at the practice.
Receiving the form does not necessarily mean that you’ve been selected for an audit, says Seattle-based attorney Casey Moriarty of Ogden Murphy Wallace. “Although receipt of the communication is not a guarantee of an audit, it is the first step in a process that may lead to a comprehensive HIPAA compliance audit of your entity.”
No safe haven: “The OCR has stated that if an entity doesn’t respond [to the verification form], it does not mean the entity will avoid an audit,” says Bossenbroek.
Bottom line: It’s wise to respond to the verification request to establish correct contact information and avoid confusion down the road.
Do the Basics
“It is a real challenge for smaller practices with limited resources to comply with HIPAA,” Bossenbroek says. “However, there is what I would refer to as ‘low hanging fruit’ or basic HIPAA compliance issues that OCR has repeatedly identified and that a practice could address without much difficulty.”
For instance, you should have written compliance policies and procedures, and an assigned compliance officer. Templates and advice are available from multiple sources, as you can see below:
Go to the agencies: Some of the best advice devoted to both HIPAA privacy and security rules comes from the government agencies themselves. Here are some great resources for any size practice:
Support groups: If you can’t afford to engage a HIPAA-compliance vendor or law firm, there are other organizations that can offer insight. For example, don’t overlook the professional organizations you are involved with, Bossenbroek suggests.
“It is my experience that medical societies have collaborated on HIPAA compliance, such as offering presentations and materials,” he says.
For instance: You might find helpful information from this site by the American College of Surgeons: www.facs.org/advocacy/regulatory/hipaa.