Can your office pass a compliance audit?

The next round of HIPAA audits will soon be underway. Most small allergy practices do not have an internal HIPAA staff member who can perform a pre-audit now. You can consult with your EHR software vendor and have them verify that you are currently in compliance.

The HITECH Act (part of the Affordable Care Act) requires periodic audits of covered entities and business associates for compliance with the HIPAA privacy, security and breach notification rules. These audits will be performed by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). We expect to see an audit protocol proposal before the audits begin, but you should not wait to see what the OCR will audit; ensure your office is in compliance now.

Compliance with HIPAA rules is required under federal law, and violation of these rules is enforceable by corrective measures or by potential fines, as noted in the following chart:

HIPAA violations and enforcement

Violation: Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA
  Minimum penalty: $100 per violation, with an annual maximum of $25,000 for repeat violations (NOTE: this is the maximum that can be imposed by State Attorneys General regardless of the type of violation)
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Violation: HIPAA violation due to reasonable cause and not due to willful neglect
  Minimum penalty: $1,000 per violation, with an annual maximum of $100,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Violation: HIPAA violation due to willful neglect, but the violation is corrected within the required time period
  Minimum penalty: $10,000 per violation, with an annual maximum of $250,000 for repeat violations
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

Violation: HIPAA violation due to willful neglect that is not corrected
  Minimum penalty: $50,000 per violation, with an annual maximum of $1.5 million
  Maximum penalty: $50,000 per violation, with an annual maximum of $1.5 million

The most common issues investigated by the OCR are:

  • Impermissible uses and disclosure of Protected Health Information (PHI).
  • Lack of safeguards of PHI including failure of security controls to protect against unauthorized access.
  • Lack of patient access to their own PHI.
  • Lack of administrative safeguards of ePHI.
  • Use or disclosure of more than the minimum necessary PHI.

Enforcement action is taken against private practices, so make sure patient data is protected. The following recent HIPAA violations give some idea of the kinds of practices you need in place to prevent this sort of violation from occurring in your practice:

  • A laptop was stolen from Lahey Hospital and Medical Center in Boston from an unlocked treatment room during overnight hours. This laptop contained the PHI of 599 individuals. The subsequent OCR investigation demonstrated widespread noncompliance with HIPAA rules, and the hospital was fined $850,000.
  • A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. The employee left a message with the information at the patient’s home despite previous instructions to leave the information only at her work number.
  • A complaint alleged that an HMO impermissibly disclosed a patient’s PHI when it sent her entire medical record to a disability insurance company without her authorization.
  • A patient alleged that his private practitioner failed to provide him access to his medical records and that, after he filed an OCR complaint, the practice released the patient’s medical record and billed him $100, which exceeds the Privacy Rule limit of a reasonable cost-based fee for copying and mailing this information.

There are many more similar reports. We hope this gives you some idea of the kinds of problems you could have if you aren’t careful, and a heads-up that any violation could lead to large fines.