Heads up: HHS says all covered entities and business associates are targets.
HIPAA is a core component of your day-to-day policies, but if you aren’t following your organization’s policies and procedures, you may face penalties. Are you prepared for a HIPAA audit?
The Health Information Technology for Economic and Clinical Health Act (HITECH) §13411 now requires the U.S. Department of Health and Human Services (HHS) to periodically audit covered entities and business associates subject to HIPAA Privacy and Security rules, according to Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems, LLC, in Charlotte, Ver. HHS has redesigning the random audit program, with new audits performed by HHS staff starting Oct. 1, 2013 — just eight days after the new rules became enforceable.
Get ready: “Everyone is an audit target, all covered entities and all business associates,” warned Susan A. Miller, JD in an issue brief for Malvern, Penn.-based Malvern Group Incorporated. The HHS Office for Civil Rights (OCR) “is going to be knocking on everyone’s digital door in the near future. It appears that OCR will audit all covered entities and business associates periodically.”
Get Ready Now — What to Expect
A HIPAA audit basically aims to determine whether you have in place all the HIPAA-required policies and procedures, Sheldon-Dean explains. You also have to show that you’ve been using these policies and procedures.
And you’ll need to offer up a mountain of documentation that auditors will ask for — everything from your training policies, materials and rosters to your security incident policy and security incident reports, Sheldon-Dean says. Worst of all, you’ll have just three weeks’ notice to produce this substantial documentation and prepare for the on-site audit.
Beware: Auditors can and will interview staff members — any staff they choose, Sheldon-Dean cautions. “You must be prepared in advance or it’s too late.”
Pay attention: And the audits will be more specific and focus on particular problem areas. Sheldon-Dean predicts that auditors will scrutinize the following areas the most:
Know the New Enforcement Definitions
The HIPAA Omnibus final rule introduced and solidified a new penalty structure, as well as new definitions relating to HIPAA violations. The definitions for three terms in particular are rather pivotal under the new, tougher penalty structure.
What’s more: Willful neglect violations must be investigated and penalties are mandatory, Sheldon-Dean points out. And the HITECH provisions allow continued corrective actions, even if there’s no penalty. Plus, now your state Attorney General can bring HIPAA actions.
How Wrongful Disclosures Apply to Individuals Too
Under HITECH §13409 (Wrongful Disclosures), such violations can apply to individuals and are now being used in criminal cases, Sheldon-Dean says. Further, civil lawsuits involving HIPAA violations are becoming increasingly common — and with escalating verdict awards.
Case in point: A July 26, 2013 jury verdict from the Indiana Superior Court awarded a Walgreens pharmacy customer $1.44 million after her pharmacist leaked her PHI to other individuals who allegedly used that customer’s PHI to intimidate and harass her. The customer filed a lawsuit against not only Walgreens, but also the pharmacist as an individual.
This case illustrates the newest legal evolution in HIPAA violations — although not the first case in which HIPAA has been involved in a private cause of action, it is “the first case resulting in a substantial jury verdict against a provider using HIPAA as the basis for the standard of care,” according to a recent legal analysis in an article by Theodore J. Kobus III and Lynn Sessions of Cleveland, OH-based law firm Baker Hostetler.
“Whether and to what extent HIPAA can be used to establish the standard of care in a professional liability, negligence or other breach of professional duty case will be dependent on state tort law,” the attorneys wrote. “Healthcare providers must be aware that, depending on the law of the state in which they are licensed, their potential liability for HIPAA violations could extend beyond civil monetary penalties.”
Understand the New Tiered Penalty Structure
Also, you’re now facing higher penalties for HIPAA violations, effective for incidents after Feb. 17, 2009. The new maximum penalty is $1.5 million for all violations of a similar type in one calendar year. Sheldon-Dean breaks down the new penalty tiers: