Home Health & Hospice Week

HIPAA auditors could knock on your door any day now.

With HIPAA breaches growing despite continued education and regulations, the government is getting ready to institute its HIPAAaudits — are you prepared?

Upcoming audits will allow the feds to determine exactly what home care and hospice providers are doing wrong when it comes to HIPAA compliance. But the problems could lie in the fact that HIPAA has been an ever-evolving bundle of regulations that providers have trouble following.

Although the initial HIPAA laws have been in place since 1996, the first privacy regulations covering PHI didn’t come into play until 2003, followed by the security rule in 2005, said Paul Hales, a healthcare attorney in St. Louis, Mo. Unfortunately, not every medical provider was on board with the law at that point.

“I’ve found that the only people who were really paying attention were big organizations like health plans, hospitals, etc., and they already had the compliance, IT staffs and attorneys to handle it,” Hales says. Small providers “just didn’t have the resources to comply, and the Department of Health and Human Services didn’t really enforce it, so breaches were occurring.”

However, HHS prepared modifications during the Bush administration that were passed into law as part of the Stimulus Act in 2009. HIPAA now covers not only Business Associates who handle PHI, but even subcontractors working for those Business Associates. In addition, the Breach Notification Rule came into effect, HIPAA penalties skyrocketed, and HHS did a pilot audit of HIPAA programs in anticipation of a nationwide audit plan, Hales said.

The HHS Office for Civil Rights has repeatedly bumped Phase 2 of the HIPAA audits, which was initially slated to begin in the fall of 2014 (see Eli’s HCW, Vol. XXIV, No. 13). The HIPAA audits will likely start late this year or early next year, Hales predicted.

If the pilot audit results are any indication, the nationwide audit program could spell trouble for unprepared providers. “In 2012, HHS conducted a pilot HIPAA compliance audit in preparation for the mandatory, random HIPAA compliance audits that will begin soon,” Hales says. “HHS found 80 percent of the providers had not conducted a risk analysis although it had been mandatory since 2005. HHS also found that small providers have serious HIPAA compliance issues and ‘struggle’ with compliance.”