Learn how the new Health Insurance Portability and Accountability Act (HIPAA) regulations pertaining to audits will affect your private practice.
Q: How will the new Health Insurance Portability and Accountability Act (HIPAA) regulations pertaining to audits affect me in private practice?
A: In the past, audits conducted by the Office for Civil Rights (OCR) related to compliance with the Health Insurance Portability and Accountability Act (HIPAA) were initiated by complaints and self-reported breaches in the provider environment. That is no longer the case. Provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act require the U.S. Department of Health and Human Services (HHS) to undertake periodic audits of covered entities and business associates for compliance with the HIPAA privacy rule, security rule, and breach notification.
A covered entity is considered to be one of the following:
The type of functions of a business associate may include claims processing, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, and practice management. The services may be legal, accounting, consulting, data aggregation, management, administrative accreditation, and financial.
The preliminary results from an OCR pilot program showed that the majority of protected health information (PHI), which refers to individually identifiable health information, is that which can be linked to a particular person. These identifiers include:
It is important to prepare your practice for such an audit. Covered entities and business associates should ensure that they take the following compliance measures:
How the audit process works
These audits are likely to begin in September 2013. The audit process begins when the OCR sends a document request to the audit contractor and a request for required HIPAA documents, including copies of the privacy policies and procedures, training documentation, incident response plans, and risk analyses.
When a covered entity is selected for an audit, OCR will notify the covered entity in writing. The OCR notification letter introduces the audit contractor, explains the audit process and expectations in more detail, and describes initial document and information requests. It also specifies how and when to return the requested information to the auditor. OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information.
OCR expects to notify selected covered entities between 30 and 90 days prior to the anticipated on-site visit. On-site visits may take between 3 and 10 business days depending upon the complexity of the organization and the auditor’s need to access materials and staff.
After completing fieldwork, the auditor will provide the covered entity with a draft report; a covered entity will have 10 business days to review and provide written comments back to the auditor. The auditor will complete a final audit report within 30 business days after the covered entity’s response and submit it to OCR. If a complaint describes an action that could be a violation of the criminal provision of HIPAA (42 U.S.C. 1320d-6), OCR may refer the complaint to the Department of Justice for investigation.
OCR reviews the information, or evidence, that it gathers in each case. In some cases, it may determine that the covered entity did not violate the requirements of the privacy or security rule. If the evidence indicates that the covered entity was not in compliance, OCR will attempt to resolve the case with the covered entity by obtaining:
Most privacy and security rule investigations are concluded to the satisfaction of OCR through these types of resolutions. OCR notifies the person who filed the complaint and the covered entity in writing of the resolution result.
If the covered entity does not take action to resolve the matter in a way that is satisfactory, OCR may impose civil money penalties (CMPs) on the covered entity. If CMPs are imposed, the covered entity may request a hearing before an HHS administrative law judge who will decide if the penalties are supported by the evidence in the case. Complainants do not receive a portion of the CMPs collected.
The answer to our reader’s question was provided by Maxine Lewis, CMM, CPP, CPC-I, CCS-P, president of Medical Coding & Reimbursement in Cincinnati, Ohio. Send your practice management questions to email@example.com.