Random audits of large and small practices, payers, clearinghouses and, now, business associates and their subcontractors, could begin at any time. The Office of Civil Rights (OCR) is expected to resume the second half of its audit program soon, although no date has been given. OCR announced a delay of Phase 2 in September.
Practices and other covered entities should thoroughly review existing policies and address any gaps, as monetary penalties for non-compliance are steep. The HITECH Act raised the fines, with a potential maximum of $1.5 million per violation, per year.
That said, practices shouldn't panic, especially if they do a little homework in advance. Here are some important steps your practice can take in preparation for a possible audit:
- Make sure you have all your HIPAA documents on hand, including your office's privacy and internal security policies; staff training and education material which documents who was briefed on security and privacy information and when; copies of Business Associate Agreements; a log of Protected Health Information (PHI) disclosures; and a log of HIPAA breaches and corrective actions. All practices should have notices of privacy that are either on display somewhere in the office or readily available should a patient ask for a copy. East Bay Pediatrics, a PCC client in Berkeley, CA, posts its concise privacy policy (below) on the practice's website:
The Health Information Portability and Accountability Act (better known as HIPAA) protects information about your child's health and medical record. At East Bay Pediatrics your privacy is our priority. You and your child will be able to discuss your child's health with a physician behind closed doors. We try to keep hallways clear in order to facilitate the privacy of conversations. Completed forms with health information must be mailed to you (not faxed) or transmitted over the secure email system. If you have any questions or concerns about privacy, please contact our business office at (phone number).
- Review all HIPAA policies and procedures and update if needed. This includes updating and/or signing Business Associate Agreements with all Business Associates - people or organizations (e.g. outside billers, consultants) whose business with your practice involves the use or disclosure of PHI.
- Prepare your staff for an audit. Make sure staff know and understand all your practice's policies and procedures. Follow up with staff training if necessary. "Practices are likely already doing what their policies state, but it's important to make sure by revisiting those policies and practicing what's in there," says PCC's Privacy and Security Officer Lauren Gluck. "Also, look around from an auditor's point of view. If you see something questionable, like a front desk computer screen that is facing where a patient can see it, make sure to fix it."