Share this article on:
The Department of Health and Human Services’ Office for Civil Rights commenced the second round of HIPAA compliance audits late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of in-depth audits involving site visits. The desk audits have been completed, with the site audits put on hold and expected to commence in early 2018.
Only a small number of covered entities have been selected to be audited as part of the second phase of compliance audits; however, covered entities that have escaped an audit may still be required to demonstrate they are in compliance with HIPAA Rules.
In addition to the audit program, any HIPAA-covered entities that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach was the result of violations of HIPAA Rules. OCR also investigates complaints submitted through the HHS website.
The first round of HIPAA compliance audits in 2011/2012 did not result in any financial penalties being issued, but that may not be the case for the second round of audits. Also, the past two years as seen an increase in financial penalties for noncompliance with HIPAA Rules that was discovered during investigations of complaints and data breaches.
There is now an elevated risk of an audit or investigation and OCR is issuing more fines for noncompliance. Consequently, covered entities cannot afford to take chances. Many healthcare organizations are turning to HIPAA compliance software and are seeking assistance from compliance experts to ensure their compliance programs are comprehensive and financial penalties are avoided.
Imperial Valley Family Care Medical Group Calls in HIPAA Compliance Experts
Imperial Valley Family Care Medical Group is a multi-specialty physician’s group with 16 facilities spread throughout California. IVFCMG was not selected for a desk audit, although following the theft of a laptop computer, OCR investigated the breach. IVFCMG was required to demonstrate compliance with HIPAA Rules and provide documentation to show the breach was not caused by the failure to follow HIPAA Rules.
Covered entities may fear a comprehensive HIPAA audit, but investigations into data breaches are also comprehensive. OCR often requires considerable documentation to be provided to assess compliance following any breach of protected health information. In the case of IVFCMG, OCR’s investigation was comprehensive.
Responding to OCR’s comprehensive questions in a timely manner was essential. IVFCMG, like many covered entities that are investigated or selected for an audit must be careful how they respond and all questions must be answered promptly and backed up with appropriate documentation.
As we have already seen this year, if HIPAA Rules are not followed to the letter after a data breach is experienced, fines can follow. Presense Health was fined $475,000 by OCR for potential violations of the HIPAA Breach Notification Rule following a breach of PHI.
Following the breach, IVFCMG turned to a third-party firm for assistance and contacted the Compliancy Group. By using the firm’s Breach Response Program, IVFCMG was able to ensure all of the required actions were completed, in the right time frame, and all of those processes were accurately documented.
The Breach Response Program is part of the Compliancy Group’s “The Guard” HIPAA compliance software platform. Compliancy Group simplifies HIPAA compliance, allowing healthcare professionals to confidently run their practice while meeting all the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The Guard uses the “Achieve, Illustrate, and Maintain” methodology to ensure continued compliance, with covered entities guided by HIPAA compliance experts all the way.
IVFCMG’s Chief Strategic Officer, Don Caudill, said “Their experts provided us with a full report and documentation proving that our HIPAA compliance program satisfied the law – which ultimately helped us avoid hundreds of thousands of dollars in fines.” When OCR responded to the initial breach report asking questions about another aspect of HIPAA Rules, IVFCMG was able to respond in a timely fashion and provide the evidence to prove it was in compliance.
HIPAA compliance software helps covered entities pass a HIPAA audit, respond appropriately when OCR investigates data breaches and complaints, and avoid fines for non-compliance. OCR has increased its enforcement activity over the past two years and healthcare data breaches are on the rise. Non-compliance with HIPAA Rules is therefore much more likely to be discovered and result in financial penalties.
Small to medium sized HIPAA-covered entities with limited resources to dedicate to HIPAA compliance can benefit the most from using HIPAA compliance software and receiving external assistance from HIPAA compliance experts.
“Responding to a HIPAA audit requires sensitivity and expertise,” Bob Grant, Chief Compliance Officer of Compliancy Group, told HIPAA Journal. “As a former auditor, I’ve developed The Guard and our Audit Response Program to satisfy the full extent of the HIPAA regulatory requirements. Giving federal auditors everything they need to assess the compliance of your organization is our number one goal. Our Audit Response Program is the only program in the industry to give health care professionals the power to illustrate their compliance so they can get back to running their business in the aftermath of a HIPAA audit.”