7 compliance measures for new HIPAA rules

Q: How will the new Health Insurance Portability and Accountability Act (HIPAA) regulations pertaining to audits affect me in private practice?

A: In the past, audits conducted by the Office for Civil Rights (OCR) related to compliance with the Health Insurance Portability and Accountability Act (HIPAA) were initiated by complaints and self-reported breaches in the provider environment. That is no longer the case. Provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act require the U.S. Department of Health and Human Services (HHS) to undertake periodic audits of covered entities and business associates for compliance with the HIPAA privacy rule, security rule, and breach notification.

A covered entity is considered to be one of the following:

• physicians,

• clinics,

• psychologists,

• dentists,

• chiropractors,

• nursing homes,

• pharmacies, and

• information transmitted in an electronic form with a transaction for which HHS has adopted a standard.

The type of functions of a business associate may include claims processing, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, and practice management. The services may be legal, accounting, consulting, data aggregation, management, administrative accreditation, and financial.

The preliminary results from an OCR pilot program showed that the majority of protected health information (PHI), which refers to individually identifiable health information, is that which can be linked to a particular person. These identifiers include:

• names;

• geographic identifiers;

• dates directly related

• to an individual;

• phone and fax numbers;

• email addresses;

•  Social Security numbers;

• medical record numbers;

• health insurance beneficiary numbers;

• patient account numbers;

• vehicle identifiers and serial numbers, including license plate numbers, device identifiers, and serial numbers;

• URLs and  IP address numbers;

• biometric identifiers including finger, retina, and voice prints;

• full face images, and any comparable identifiers.

It is important to prepare your practice for such an audit. Covered entities and business associates should ensure that they take the following compliance measures:

• Provide the Notice of Privacy with the appropriate changes to patients.

• Have written and signed business associate agreements with all entities considered a business associate.

• Conduct a thorough assessment of the risk to electronic protected electronic health information (ePHI).

• Implement required technical and administrative safeguards to protect ePHI.

• Update the formal policies and procedures for the privacy and security of PHI to reflect the changes resulting from the omnibus final rule.

• Train all employees whose duties are affected on privacy and security policies, even those with previous training, to bring them up-to-date with the additional changes.

• Maintain documentation of all employee training, disclosure logs, breach analyses, and sanctions against employees for violations of security and privacy. This can be done either in written or electronic form.

How the audit process works

These audits are likely to begin in September 2013. The audit process begins when the OCR sends a document request to the audit contractor and a request for required HIPAA documents, including copies of the privacy policies and procedures, training documentation, incident response plans, and risk analyses.

When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The OCR notification letter introduces the audit contractor, explains the audit process and expectations in more detail, and describes initial document and information requests. It also specifies how and when to return the requested information to the auditor. OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information.

OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated on-site visit. On-site visits may take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff.

After completing fieldwork, the auditor will provide the covered entity with a draft report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR. If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.

OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the privacy or security rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:

• Voluntary compliance

• Corrective action

• Resolution agreement

Most privacy and security rule investigations are concluded to the satisfaction of OCR through these types of resolutions. OCR notifies the person who filed the complaint and the covered entity in writing of the resolution result.

If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing before an HHS administrative law judge who will decide if the penalties are supported by the evidence in the case. Complainants do not receive a portion of the CMPs collected.

The answer to our reader’s question was provided by Maxine Lewis, CMM, CPP, CPC-I, CCS-P, president of Medical Coding & Reimbursement in Cincinnati, Ohio. Send your practice management questions to medec@advanstar.com.

Additional information on complying with the new HIPAA regulations and protecting patients’ health information is available at: bit.ly/12sgjXo and bit.ly/15Xq28K.