Part B Insider (Multispecialty) Coding Alert

Don't Relax Your HIPAA Standards

Published on Fri Apr 17, 2015

Audit delay doesn’t mean you can forget about privacy.

Ignore the HHS Office for Civil Rights’ upcoming HIPAA audits at your peril, experts warn.

Disregarding Phase 2 audits is no longer an option, Jared Festner, HIPAA specialist for Irvine, Calif.-based Medical Information Technology Group said in a statement. “If you think for one minute your [organization] won’t be under the microscope for everything from device encryption, to making sure that every policy and procedure is completely filled out and updated on a yearly basis, you’ll be kicking yourself once you receive fines of up to $1.5 million per offense.”

The delay in Phase 2 OCR audits doesn’t mean that you can relax your efforts to make sure you’re in compliance with all HIPAA regulations, said Charlotte, N.C.-based attorney Chara O’Neale in a blog post for law firm Parker Poe. While the audit portals are still under development, this is a good time to do the following in preparation:

Make sure your HIPAA policies and procedures are up-to-date and meet the latest privacy and security requirements;
Create a list of all business associates (BAs) that provide services to your organization; and
Conduct an internal risk assessment to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Last year, OCR stated that the Phase 2 audits would focus on specific HIPAA compliance issues, law firm Alston & Bird noted. For CEs, these compliance areas include:

Risk analysis and risk management (Security Rule);
Notice of privacy practices (NPP) and access rights (Privacy Rule);
Content and timeliness of breach notification (Breach Notification Rule);
Device and media controls and transmission security (Security Rule); and
Safeguards and training on policies and procedures (Privacy Rule).

For BAs, audits will focus on risk analysis and risk management, as well as breach reporting to the CE, Alston & Bird said. “OCR had also indicated that the audits would be ‘desk audits’ — i.e., document-only audits, without follow-up.”