HIPAA Audits Delayed Again, But for How Long?

Healthcare practices can use the deferment to complete their required annual Security Risk Analysis

In what may come as a relief to many healthcare providers, there is still uncertainty about when the next round of HIPAA audits will actually start. The Office for Civil Rights (OCR) has not yet finalized a protocol for conducting the audits or set a timeline for enforcing them. That gives medical practices time to review the state of their digital security and their compliance status against the Omnibus Rule changes.

Since last fall, the OCR has been warning healthcare providers that HIPAA compliance audits are 'coming soon'. However, the latest news reports indicate that the OCR is still tweaking its online portal, making other technical improvements, and fine-tuning the audit protocols, work that can run on for many weeks or even months. What medical practices can do in the meantime is keep an eye out for updates and new announcements about the audit program on the OCR website.

"If healthcare practices think for one minute they won't be under the microscope for everything from device encryption, to making sure that every policy & procedure is completely filled out and updated on a yearly basis, they'll be kicking themselves once they receive fines up to $1.5 million per offense."

Jared Festner, Medical ITG's HIPAA Specialist

If medical practices think this new round of audits won't be as intense as the last round, they will be in for a surprise. The size and scope of the federal government have grown to epic proportions. The Federal Machine shows no signs of slowing or shrinking anytime soon. The market is managed by huge, bureaucratic organizations that employ thousands of people who do nothing all day but grind through minutiae. This leads to things like the looming ICD-10, a diagnostic coding system that governs the classification and reporting of diseases and injuries.

With more than 140,000 different codes, the ICD-10 gets rather specific. Was the patient struck by a chicken? Enter code W6132XA. Were they struck by a goose? That’s a separate code—W6152XA. Also, code S1087XA covers unexpected hickeys on the neck. There’s one code for assault with a hockey stick (Y0801XA), another for assault by letter bomb. Finally, there is V91.07XA, for patients who have been burned by flaming water skis. (Burned by flaming water skis a second time? That’s V91.06XD.)

American health care providers are required to update from ICD-9 to ICD-10 this year; medical practices have until October 1, 2015. The law is written in black and white at the beginning of the Federal Register, under a rule titled Administrative Simplification.

The repercussions of non-compliance

The OCR will be looking for patterns when determining whether or not to audit a provider. Reports of a number of similar breaches, combined with a lack of corrective action from the provider, can be a major factor in the 'whether or not to audit' decision. However, keep in mind that the audits are also random, and you can never tell if you'll get caught in the net. The OCR is out to set as many examples of poor HIPAA compliance as possible. They may have a point, given that HIPAA data breaches have climbed 138 percent and fines have ranged from $800,000 to $4.2 million over the last few years.

If healthcare practices cannot demonstrate compliance, not only will they land on the OCR's radar, but they will also be liable for settlement fines ranging from $215,000 up to millions of dollars. Large healthcare organizations may be able to afford six-figure or larger fines, but they cannot escape the loss of reputation and public goodwill. For small medical practices and doctors with twenty or fewer employees, a hefty fine can be a major sting that threatens their very survival. Better safe than sorry is a good attitude to have, given the consequences of failing an audit. If medical practices think they're immune from public scrutiny once they pay the fine and serve their time, think again. The "HIPAA Wall of Shame" will keep its own webpage on HHS.gov indefinitely.

What kind of audits are you looking at?

The OCR had originally planned to conduct 400 covered entity desk audits and a large number of on-site audits. It then brought the number of desk audits down to fewer than 200 covered entities and did not put a cap on the intended number of on-site audits. Please remember that covered entities are not necessarily single medical professionals. A covered entity can be an organization as small as one physician or as large as a chain of hospitals spanning the country.

Many small and midsized practices, as well as single doctors, are quite likely not prepared to be audited by the OCR. There are two levels of scrutiny:

  • A desk audit, in which the practice's network security will be assessed. It will target the provisions responsible for a large number of compliance failures in the pilot audits.
  • An on-site audit, examining compliance with a broad list of HIPAA policies and procedures.

Practices that don't have a plan in place can start by conducting a security risk assessment to identify potential vulnerabilities. It is best for these practices to make the most of the time they have until the audits are formally launched, instead of stressing out and scrambling at the last minute. Festner's healthcare IT company, Medical ITG, conducts security risk assessments for its clients so that they ultimately won't put their medical licenses, or even the existence of their practice, in jeopardy. "The option to disregard these audits is no longer an option," says Festner. "The only choice practices have is whether or not they bet with their medical license, or with their wallet."

For more information about Medical ITG's Security Risk Assessment Program, please visit medicalitg.com, call toll free at 1-877-220-8774, or send an e-mail to info@medicalitg.com.

About Medical ITG

Medical ITG is an expert healthcare IT company located in Irvine, CA. With its offerings in HIPAA compliance and HIPAA/HITECH/Omnibus policies and procedures, Medical ITG manages its clients' complex day-to-day IT demands.

Medical ITG
15333 Culver Dr., Suite 340714
Irvine, CA 92604