In the coming months, rheumatologists may want to pay particular attention to their email inboxes. By the end of the year, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will complete stage I, phase II of a series of desk and on-site audits designed to assess providers and their business partners for compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Those randomly selected for audit will be notified by email, the HHS says.
What to Do If You’re Chosen
Physicians who are notified should ask what materials are being audited so the practice can pull together the requested information to review.
Rachel Yaffe, a Chicago-based healthcare attorney with McDonald Hopkins LLC, says “contact [your] healthcare attorney immediately—ideally someone who specializes in HIPAA compliance. They can assist with timelines, documentation and complying with the request, [and they can] also help you know what’s within your rights.”
OCR Under Review
Phase II of the OCR’s audits is a continuation of a process that began in 2011–2012 following a review of the OCR’s audit activity. The review was conducted by the HHS Office of the Inspector General (OIG), and the findings, which were presented in a report published last year, determined that the OCR had been less than thorough in its assessment and enforcement of penalties associated with HIPAA breaches or breach risk.[1]
“OCR should strengthen its oversight of covered entities’ compliance with the Privacy Rule,” the report said. “OCR’s oversight is primarily reactive; it investigates possible noncompliance primarily in response to complaints. OCR has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities.”
The Health Information Technology for Economic and Clinical Health Act (HITECH), part of the 2009 American Recovery and Reinvestment Act, requires the OCR to conduct such audits of covered entities, which include hospitals, doctors, pharmacies, health insurance companies and more. It also gave equal legal liability to businesses that handle patient data.
“If you’re going to be a vendor in the healthcare space, you have to play by healthcare rules,” Ms. Yaffe says.
One such rule: Under HIPAA, every practice or healthcare organization must designate a privacy officer to oversee all activities related to the development, implementation and maintenance of the practice’s or organization’s privacy policies in accordance with applicable federal and state laws.
Focus on Smaller Providers
Although previous audits have focused primarily on large providers, the latest round will be directed at smaller providers and their risks for HIPAA breaches. The OIG report found smaller covered entities were less likely to be investigated for small breaches (impacting fewer than 500 patients) than larger entities.
The first series of desk audits will focus on covered entities, and the second will look at business associates. The OCR expects desk audits to be completed by December 2016. A third series of audits will involve on-site visits, which the OCR says will “examine a broader scope of requirements from the HIPAA rules than desk audits.” An entity may be selected for a desk and an on-site audit.
The Penalties
The OCR is considering size and type of covered entity, geography, affiliations and whether an entity is public or private for audit selection criteria. The agency can assess criminal or civil penalties for violations. Civil penalties fit four tiers that range from accidental noncompliance to purposeful violation without correction. Penalties include fees up to $1.5 million annually and/or jail time for up to 10 years.
“It’s getting continually harder for small physician groups to fully comply with HIPAA when even large institutions often are not doing so,” says Ms. Yaffe.
Kelly April Tyrrell writes about health, science and health policy. She lives in Madison, Wis.
Reference
- Murrin S. OCR should strengthen its oversight of covered entities’ compliance with the HIPAA Privacy Standards. Department of Health and Human Services Office of the Inspector General. 2016 Jul. https://oig.hhs.gov/oei/reports/oei-09-10-00510.pdf.