HIPAA Audits – what to expect for 2013


According to Leon Rodriguez (director of the Health and Human Services), covered entities (which means you) have a mountain of work to do in the area of HIPAA compliance. In addition, Mr. Rodriguez states that the HIPAA audits are to resume and ramp up over 2013 with strong funding and renewed vigor. Uh oh…

So in what areas should your practice be concerned? In 2012 the HIPAA audits began, and the overwhelming area of concern was the HIPAA Security Rule. For those of you not aware, the HIPAA Security Rule deals more with the “electronic” side of protecting an individual’s health information. According to the initial 115 audits conducted in 2012, the specific areas in need of attention within the HIPAA Security Rule were:

• Risk Analysis had never been performed
• Non-existent Contingency Plans
• Outdated or non-existent policies and procedures
• Weak IT security

After personally conducting over 250 HIPAA Security Risk assessments throughout the U.S., my findings absolutely concur with those of the Health and Human Services. The problem I find most often is that this whole process is not very well explained by the Federal government. They tell you “what” to do but not “how” to do it.

The first thing you MUST do is have a risk assessment/analysis done. A risk assessment/analysis is by far the most crucial component of this entire legislation. Without a risk assessment/analysis you have no way of knowing exactly where your “warts” are. A risk assessment/analysis can be done in various ways, but the most “sure fire” method is based on NIST guidelines, which are also the preferred method of Federal auditors: http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

Secondly, do you have any sort of contingency plan (a.k.a. disaster recovery plan)? This is an area where you will need input from your IT provider as well as management. Any outsourced or in-house IT (worth their salt) should have some sort of written contingency plan for your IT system. A proper contingency plan is more than a bunch of “what ifs”; it requires great detail and precision to be effective. Here is a link to a template provided by NIST, again the preferred method of the Federal government: http://csrc.nist.gov/groups/SMA/fasp/documents/contingency_planning/contingencyplan-template.doc

What about outdated policies? You should have a policy written for every single one of the 44 implementation specifications of the HIPAA Security Rule. Remember, when dealing with the Federal government: “if it ain’t written, you ain’t doing it”. You absolutely MUST have written policies and procedures that reflect the ACTUAL PROCEDURES of your practice. Trying to create fake or “canned” policies is quite frankly worse than having none at all. It’s patronizing to the Federal auditor, and that’s not a good thing! …trust me on that one.

Having a weak IT department, whether outsourced or in-house, is a very high risk factor as well. Even highly competent engineers may not understand the nuances and idiosyncrasies of “Health IT”. Health IT is an entirely different animal, with many more layers and challenges than traditional IT. Be careful when selecting your IT partner.

The really scary part of this is that “HIPAA” is going to become the new “OSHA” in terms of strict enforcement. For years HIPAA compliance was sort of analogous to the “Boy Who Cried Wolf” fable: there were plenty of threats but rarely any real action. But now the funds are there and a very strong push is underway. According to Mr. Rodriguez, “…I expect we are going to see monetary settlements for a long time to come…”

© 2013 Efficiency in Practice

Brian Tuttle is a Senior IT Specialist and Compliance Consultant for InGauge Healthcare Solutions, Inc., an InHealth company. Efficiency in Practice is the free eNewsletter for medical practice managers who want to save time and money and reduce risk. For more information and to access your FREE report, Patient Collections: It’s Make or Break for Many Practices, visit www.efficiencyinpractice.com

This article can be reprinted freely online, as long as the entire article and this resource box are included.