General Surgery Coding Alert

HIPAA Audit:

Maximize Your Plan for Phase 2 Audit Focus

Use protocol tool even if you don’t face audit — this time.

Even if your lab or pathology practice hasn’t gotten the call for a Phase 2 HIPAA Audit from the Office for Civil Rights (OCR), you should treat news of the process as a learning opportunity to improve your own compliance.

Read on to understand the audit protocols and to discover how OCR tools can help you meet HIPAA expectations for your lab or pathology practice.

Find Out Phase 2 Tools

Phase 2 HIPAA Audits are underway, involving a round of desk audits for covered entities (CEs — healthcare providers who electronically transmit any health information) and a second round for CEs’ business associates (BAs). Then the OCR will conduct a third round of on-site audits for some of the participants from the first two rounds. “As all desk audits are expected to be completed by December 2016, it would seem that phase two is going to be limited to roughly 200 entities total (including health plans and clearinghouses),” says attorney Neil Eggeson of Eggeson Appellate Services in Indianapolis.

During the OCR’s desk audits, the agency will be reviewing privacy policies relating to the Privacy, Security, and Breach Notification Rules, says San Francisco-based privacy attorney Diana Maier.

Protocol: The OCR recently published its current audit protocol on the Health and Human Services (HHS) website (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html). The document offers an in-depth look into what you should be doing to enhance preparedness for this round of audits if you’re called — or for any future HIPAA compliance hurdles you may face.

Audit inquiry: Once you open the audit protocol document, you can zero in on column five (audit inquiry) for Phase 2 Audit preparedness. The audit inquiry column contains the new guidance and identifies the documents and information that OCR auditors will request, says Daniel F. Gottlieb, Esq., a partner with McDermott Will & Emery’s healthcare practice in Chicago.

Do this: Ensure that your HIPAA compliance program adequately addresses the current areas of OCR focus as outlined in the audit inquiry column.

For example: The document indicates that you should have policies and procedures in place to restore any lost data as well as a disaster recovery plan. If you haven’t yet created these protocols, now is the time to act. “Practices should have procedures in place outlining what they’d do in the event of a disaster or other system outage,” Gottlieb says. “Most people initially focused on confidentiality and preventing unauthorized access to PHI, but the Security Rule also requires safeguards to assure availability of electronic PHI to authorized users and that’s why it impacts your disaster recovery plan and backup protocols.”

Don’t panic: If you read the entire Audit Protocol, chances are high you’ll find that you have gaps in your HIPAA compliance program, but that doesn’t mean you should sound the alarms. “Practices should take care of any gaps now, but the good news is that implementation is scalable,” Gottlieb says. “The Security Rule and Audit Protocol indicate that the OCR will take into account the size and capabilities of the organization. It will have greater expectations for a large hospital system than for a small medical practice.”