SAN DIEGO -- The second round of HIPAA audits is coming, but not quite as soon as expected. But get ready, because this time it counts: Some will quite likely carry financial penalties for the first time.
HHS Office for Civil Rights (OCR) officials, speaking at the American Health Information Management Association (AHIMA) annual convention in San Diego, said audits of some 350 healthcare providers and another 50 of their business associates will likely start in early 2015; they were originally set to begin in October 2014.
However, those HIPAA-covered entities to be audited have already been chosen in a random process that was corrected for geographical balance and diversity of audit subjects, which include healthcare providers, insurance companies, healthcare clearinghouses and, for the first time, business associates.
"You cannot submit your name for an audit investigation, and you cannot submit the name of the hospital next door," Geraldine Davis, an OCR senior health information privacy specialist, told a room packed with health information management directors, vendor representatives and others. "It's a random methodology."
Portal not ready in time
In the meantime, a big reason for the delay is a re-tooling of the OCR audit Web portal to allow audit subjects to print out documents, Davis said.
"Our website is not user-friendly at all," she acknowledged to laughter and scattered applause among those who had experienced problems with the site.
Yet the privacy and security of personal health data, and the prevention of breaches, are deadly serious matters, warned veteran OCR lawyer and audit specialist Yun-kyung (Peggy) Lee.
Lee noted that the 23 resolution agreements the OCR has settled since 2008 for cash payments have ranged from $215,000 for a small Washington county to $4.5 million for a big university and teaching hospital in New York. Every organization that handles personal health data should be careful.
Civil penalties for providers who fail audits
Overall since audits began in earnest in 2011, $26 million in fines have been collected.
This time, in contrast to the first round of routine audits -- as opposed to major self-reported breaches -- that wrapped up in 2012, civil money penalties will be a firm option, the OCR officials said.
"Regardless of your size, you really have to have something in place to safeguard the personal health data," Lee said.
"We will be investigating large hospitals, small hospitals, practices, insurance companies and individuals," Davis said.
Every covered entity under HIPAA is required to do a risk analysis not only as a routine compliance practice but after a breach is discovered, in order to reduce harm to the data, Davis said. "They ultimately are responsible for their data and that PHI [personal health information]."
At a separate venue in Washington, D.C., as part of National Health IT Week, new OCR director Jocelyn Samuels said earlier, in her first public remarks about HIPAA, that OCR will focus in the near term on healthcare provider HIPAA violations that block patients' access to their own personal health information.