The HIPAA audit program is gearing up in 2015 to randomly assess healthcare covered entities and business associates for compliance with the HIPAA security, privacy, and breach notification rules enforced by the Office for Civil Rights.
Back in 2012, the HIPAA Compliance Audit program ran a year of trial audits, and now that the US Department of Health and Human Services has had sufficient time to analyze the results, the 2015 HIPAA Audit Program has been revealed. Most likely the key objectives for this round of audits will be to focus on the deficiencies spotted in the 2012 trials. The HHS has sent requests for information to nearly 1200 covered entities and business associates to determine whether it would be appropriate to audit them. Since the new HIPAA rules impose higher fines - mandatory minimum fines of $10,000 - for willful neglect of compliance, being prudent and prepared for an unannounced audit is more important than ever. Federal and private officials have openly and candidly stated that enforcement is a top priority of the HHS. So a message to non-compliant covered entities and business associates: beware that there will be little to no leniency for non-compliance now and for many years to come.
Key Takeaways from 2012 Audits
- Smaller covered entities had many more issues. The smaller entities represented 66% of deficiency findings.
- A disproportionate share of these deficiencies were by healthcare providers. Providers accounted for 50% of the audited entities but for 81% of the deficiency findings.
- 65% of overall findings related to the Security Rule, but the OCR attributed this to the audit protocol's primary focus on security rather than on breach notification or privacy.
Top 2012 Security Issues to Note for 2015 Audits
- User activity monitoring
- Media use and destruction
- Contingency/emergency planning
- Risk assessment
- Granting and modifying user access
Top 2012 Privacy Issues to Note for 2015 Audits
- Review process for denial of patient access to records
- Failure to provide proper patient access to records
- Business Associate Agreements
- Disclosures to personal representatives
- Lack of policies and procedures in place
- Uses and disclosures of PHI
Have any questions or concerns? All of us here at Catalyze are available anytime for your support. Reach out to us directly or tweet us @catalyzeio and be sure to keep following our blog for regular updates.