Three steps to prepare for a HIPAA audit

  • Share

Avoid getting the next million-dollar penalty.

Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA) includes the subsection known as the Health Information Technology for Economic and Clinical Health (HITECH) Act. In addition to its incentives for health care organizations to adopt electronic health records (EHRs), HITECH extended the scope of the HIPAA Privacy Rule and the Security Rule, increased penalties for failing to protect PHI and increased enforcement for violations of the Health Insurance Portability and Accountability Act (HIPAA).On 25 January 2013, the Department of Health and Human Services (HHS), released its final omnibus rule relating to these requirements. Changes incorporated into the final rules include:

  • More robust patient privacy protections
  • New rights over health information for individuals
  • Greater limitations on using personal health information for reasons not directly related to a patient’s treatment or for payment of services
  • Required accountability over service providers
  • Increased diligence when assessing potential privacy or security breaches

In addition to issuing enhanced rules for privacy and security of personal health information, HITECH mandates HHS to provide for periodic audits of covered entities (CEs) to assess their compliance, not only with privacy and security rules, but also with breach notification standards.

In January 2012, the Office for Civil Rights (OCR) initiated a 12-month pilot program of proactive audits to assess CEs’ compliance with HIPAA. The pilot audits resulted in a defined audit protocol and identified common compliance challenges.

Health care payers, providers and clearing houses need to be prepared for a HIPAA audit. However, as the final omnibus rules outline, so too do business associates (BAs) and their subcontractors.

These additional entities are also now subject to the same security and privacy regulations — and the same penalties for non-compliance — as CEs.

Our series, 5: insights for executives, explores the questions: