Answer any verification requests and define clear compliance policies.
Your practice size does not exempt you from a potential audit and breach. The Office of Civil Rights (OCR) random desk audits will continue through Dec. 2016, and even small practices can be the auditor’s target. Here is what you can do when you receive an audit notification.
1. Respond to Verification Request
The first step when you receive an Audit Entity Contact Verification form is to prepare to respond. You shouldn’t panic; instead, prepare to answer. The form does not imply selection for an audit. It does, however, mean that your entity may undergo a comprehensive HIPAA compliance audit.
Choose to respond: Take the wise step of responding to the request and help establish correct contact information.
No response does not mean less risk: If you choose not to respond to the verification form, you do not escape the audit. You may still be eligible to be targeted by auditors.
2. Follow Some Basic Requirements
If you are a small practice, you may find it challenging to meet the HIPAA requirements with limited resources. At a minimum, acquaint yourself with the existing rules and get started on some basics like establishing written compliance policies and procedures and assigning a compliance officer.
You can look for templates and guidelines from good sources such as www.healthit.gov/providers-professionals/guide-privacy-and-security-electronic-health-information and www.hhs.gov/hipaa/for-professionals/index.html.
3. Join a Support Group if Possible
You may not be able to engage a HIPAA-compliance vendor, but you can always rely on the professional organization you are associated with. The medical societies have given due importance to HIPAA compliance.
For example, you can access the compliance guidance by the American College of Radiology (ACR) at: http://www.acr.org/Membership/Legal-Business-Practices/HIPAA/HIPAA-Privacy-FAQs-From-HHS-Web-Site.