Phase 2 HIPAA Audits are Underway- Is your Medical Practice Ready?
According to a recent study, it is probably not. The study conducted by NueMD, the Daniel Brown Law Group, and Porter Research suggests that the majority of physician practices may not be well prepared for the upcoming HIPAA audits. In fact, 66 percent of those who responded were unaware of the HIPAA audits all together. This is troubling news. The Office for Civil Rights conducts audits of Covered Entities and their Business Associates to assess for compliance with HIPAA and pinpoint risks and vulnerabilities. For those that are found to be deficient, fines can be steep, ranging from $100 to $50,000 per violation with a yearly maximum of $1.5 million. It is expected that the Phase 2 audits will be based on findings from Phase 1, focusing on areas of non-compliance and the security of protected health information (PHI). Why are medical practices unprepared? Doesn't everyone know about HIPAA by now? While small physicians' practices are likely incorporating ways to protect their patients' information, they may lack the resources of a large hospital to ensure that they are meeting all the necessary standards for HIPAA compliance. For example, 42 percent of respondents either did not have or were unsure if they had a HIPAA compliance plan. Only a third of those surveyed had completed a formal risk analysis to identify potential risks to PHI within the practice. If audited, these would be red flags. What can a medical practice do to get ready? Perform a risk analysis. Look at the administrative, physical and technical safeguards that are in place regarding PHI. Take corrective actions to address any vulnerabilities. Identify all Business Associates and ensure all Business Associate Agreements are up to date. Train staff on the proper way to handle PHI. HIPAA training should be done at the time of hire and yearly thereafter. Make certain that the training is documented. On that note, have documentation for everything! Make sure that policies and procedures are in place and be able to demonstrate how they were implemented. Confirm that all systems that transmit electronic PHI have proper encryption technology in place. Keep a catalog of all electronic devices, including mobile devices. Ensure the Notice of Privacy Practices is compliant. Be aware of patients rights to access their PHI. Have proper authorizations in order to release PHI. Have solid protocol in place for handling a breach of PHI. Though it may seem overwhelming for a small physicians' practice, taking the steps to ensure HIPAA compliance is essential.