The Health Information Technology for Economic and Clinical Health (HITECH) Act requires the U.S. Department of Health and Human Resources (HHS) to conduct audits to ensure health care providers, health care industry organizations, and their business associates comply with HIPAA. The HHS Office for Civil Rights (OCR) audit program scrutinizes policies and procedures (or lack of same) of HIPAA-covered entities. Audit protocol looks at many elements (which may vary based on the type of covered entity audited) categorized as privacy requirements, security requirements, and breach notification requirements. The OCR makes available its audit protocol for public review online. OCR awarded KPMG a $9.2 million contract to create HIPAA auditing protocols and to handle audits. The government is keen on these audits; audits will increase in the near future.
According to OCR, “To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.” Be prepared. Do not wait for an audit notice. A few of the many factors potentially relevant if your medical practice or other health care business is selected for the review include:
Is there a signed business associate agreement with each business associate?
Do you encrypt protected health information (PHI)?
Do you have policies and procedures in place for employees (new employees, existing employees, terminated employees, etc.)?
Do you have policies in place with regard to the removal of PHI from the medical practice site (e.g. a smartphone)?
Do you have a written policy for ascertaining and reporting a security breach?
Do your policies cover everything you do with PHI?
Do you really do things consistently with your existing policies?
There are many more factors that should be carefully reviewed and evaluated. The stakes are high. Fines and penalties are harsh, to say the least. The maximum penalty for a HIPAA violation is now $1.5 million.
Many providers and other health care businesses have already learned this reality the hard way. HITECH requires that HHS post a list of offenders and their breaches of unsecured PHI affecting 500 or more individuals online. A review of this list and its descriptions of the HIPAA offenses should be informative (and motivating) to anyone in a health care business.
Kevin Little is a Georgia and South Carolina Health Care attorney who represents physicians, physician groups, ambulance service providers, nursing homes and other health care providers and businesses. Our business practice is focused on health care issues. We have an office in downtown Augusta, Georgia and midtown Atlanta. Contact us at (706) 722-7886 or (404) 685-1662 to schedule a confidential consultation.
*Disclaimer: Thoughts shared here do not constitute legal advice.