Until now, the many healthcare organizations that are Covered Entities under HIPAA have not had to worry much about outside scrutiny of their compliance activities. Most entities provide a Notice of Privacy Practices; many went through a one-time effort to write HIPAA privacy and security policies; and a few conduct periodic audits of their HIPAA compliance, either internally or with an outside resource such as a HIPAA consultant. But penalties for HIPAA violations have been relatively rare, and were mostly levied only in connection with breaches of PHI held in an electronic system or on electronic storage media.
New HIPAA Enforcement – Covered Entities Beware!
A new HIPAA enforcement program is coming. The Department of Health and Human Services (HHS) has just awarded a contract to KPMG, a large consulting and auditing firm, to develop audit tools for auditing Covered Entities and then to perform audits of up to 150 Covered Entities next year. Entities are supposed to be selected at random, not because they have had a HIPAA violation or a breach. Of course, once the audit tool is in place, it is not hard to see an audit becoming part of an enforcement action in the future.
In any case, now is the time to get serious about performing a HIPAA Risk Assessment, making sure your policies are up to date, and making sure your staff is trained in them. A risk assessment has long been required of Covered Entities under the HIPAA Security Rule. In addition, the HITECH Act of 2009 made a HIPAA Risk Assessment a requirement for healthcare organizations applying for HITECH Act EHR Meaningful Use incentives. Now there is also the possibility of an audit by the HHS Office for Civil Rights (OCR) that reviews your organization’s HIPAA compliance.
HIPAA Law has Changed. Be Prepared for an Audit.
How much more incentive do you need?
Many things have been added to HIPAA compliance in the past few years, among them:
- a requirement to have a plan for notifying patients of breaches of unsecured PHI;
- new requirements for Business Associate Agreements; and
- a requirement to respond to patient requests for an accounting of disclosures of PHI made as part of healthcare operations and claims.
Now is the time to make sure your HIPAA policies and practices are up to date, and that they are observed by staff and business associates alike. Enforcement has arrived, penalties are real, and preparation is a must.