alphaspirit - Fotolia
It may surprise doctors to learn that the U.S. Department of Health and Human Services' Office for Civil Rights is about to launch its first formal round of HIPAA compliance audits.
In a 2014 survey of more than 1,000 healthcare providers and administrators, only 32% of the respondents had any inkling of the HIPAA audits that will hit some 400 healthcare providers and 150 of their business associates in 2015.
Even if doctors and physician practices know about the audits and HIPAA requirements that they must meet, most non-hospital healthcare providers aren't ready, HIPAA audit experts say.
And that puts those "covered entities," as HIPAA refers to most physicians and healthcare systems, at risk for hefty fines if they are chosen for a random audit and fail.
"Pity the poor guy who got selected," said Daniel Brown, an Atlanta lawyer who specializes in healthcare law, including HIPAA audits. "But the goal is to make sure folks are in substantial compliance. I don't think it's going to be a 'gotcha' situation."
The good news is that with some time and effort, unprepared doctors and practices can bolster their chances of showing compliance.
OCR wants compliance, but doesn't reveal much
The goal of the audits is deterrence with "high-impact" audits involving "egregious" breaches of protected health information or ones involving large numbers of victims, as new OCR chief Jocelyn Samuels said.
OCR has secured several major settlements with healthcare organizations after patient data breaches over the last few years, with fines ranging from $800,000 to $4.2 million.
Now, after two years of pilot audits with no fines attached, the agency has signaled that civil financial penalties are a realistic option even though it could also order other corrective actions.
Samuels said this month that audits will be delayed, likely for several weeks or months, while OCR fine tunes audit protocols and makes technical improvements.
Faced with tough sanctions, providers must prepare
Despite no clear direction on fines, audited hospitals and physician practices should anticipate tough penalties, HIPAA audit experts say.
"I expect there to be fines across a broad range of amounts," said David Harlow, a healthcare lawyer and blogger in Newton, Mass.
Many solo doctors and small and midsize practices are likely not ready to be scrutinized by OCR. Often, they are overwhelmed by their daily clinical volume, laboring under what they consider thin financial margins, and, perhaps, thinking the odds are with them to avoid an audit.
When you mention audit preparation, "They say, 'Are you kidding me? I have patients,' Harlow said. "It's all great until [federal officials] notify you that you're being fined."
Steps to survive an audit
Compared with individual doctors, most hospitals are prepared for HIPAA by now in the time since Congress passed both the groundbreaking law in 1996 and 2013's updates, experts said. The latter action hiked fines for privacy and security violations and laid out rules for notifying patients about breaches of their health information.
Healthcare systems, in general, designate privacy officers, conduct security risk assessments, perform their own internal security audits and encourage patients to electronically view their own medical records -- all required by HIPAA.
"In order to survive an audit, the way to succeed is to have a specific plan, not something off the shelf," Harlow said.
HIPAA compliance checklists for what hospitals are already doing -- and what individual practitioners should pay attention to -- include the following steps, according to Brown, Harlow and others:
- Adopt HIPAA-compliant privacy and security measures for all protected health information (PHI), defined by HIPAA as any medical data that is individually identifiable
- Conduct security risk assessments to identify potential vulnerabilities
- Ensure that EHRs used by the doctor or practice can verify all assertions about the privacy and security of the medical records
- Maintain paper documents for at least six years to support clinical quality measures
- Develop formal policies and training procedures for staff members that are tailored to the workflow of the organization
- Conduct regular training to change the behavior of employees who don't comply with privacy and security measures or aren't aware of them
- Conduct self-audits to test procedures for ensuring confidentiality and security of PHI
Recommendations from an EHR vendor
From the vantage point of least one EHR vendor whose customer base consists nearly exclusively of small and midsize physician practices, the audit experts' advice is academic.
Customers ought to pay close heed not only to HIPAA's security and privacy mandates but also to the updated law's dictates on patient access to their own medical data, said George Cuthbert, vice president of Medent Community Computer Service Inc. The family-owned, cloud-based EHR vendor is in Auburn, N.Y.
These days, PHI and basic health data -- including family and prescription history, medical conditions and vital measurements -- usually reside in so-called patient portals that are built into or grafted onto all federally certified EHRs.
Relatively small players such as Medent , which focuses on the East Coast, offer portals as integral parts of their EHR systems. So do market-dominating companies that populate academic medical centers and large healthcare systems, such as Epic Systems, Cerner, Allscripts-Misys Healthcare and Meditech.
As part of its client education, Medent publishes HIPAA compliance regulations in its online user manual. And the vendor provides its customers, by region, with rosters of consultants it recommends as knowledgeable and adept enough to guide clients through the HIPAA regulatory labyrinth.
"We don't take this lightly," Cuthbert said.
For doctors, HIPAA compliance and audit preparation comes down to spending the time to educate themselves and scrutinize their efforts.
"It's more work, but it's not a mystery," Cuthbert said. "It's time to step up, time to learn it or get help. It's the cost of doing business."
Life of PHI
From 2009 to 2014, reports of health data breaches affecting 500 or more people hit 1,176 -- a more-than hundredfold increase from an earlier five-year period. That’s a sign that more providers are taking HIPAA seriously.
• 60% were due to theft and loss
• 21% involved paper records
• 33% traced back to laptops and other mobile devices
Editor's note: This story has been updated to include more recent comments made by OCR Director Jocelyn Samuels.
Massachusetts hospital gets hit with six-figure fine for HIPAA violation
HHS risk assessment tool one way to self-audit
As hospital data breaches go up, so does number of incident response plans
Dig Deeper on HIPAA (Health Insurance Portability and Accountability Act)
Lower HIPAA violation fines shouldn't translate into lax security
HIPAA (Health Insurance Portability and Accountability Act)
HHS seeks input to modify HIPAA rules, expert says proceed carefully
Anthem data breach settlement points to larger data access