In the coming months, rheumatologists may want to pay particular attention to their email inboxes. By the end of the year, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will complete the first stage of Phase II of a series of desk and on-site audits designed to assess providers and their business associates for compliance with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Those randomly selected for audit will be notified by email, HHS says.
What to Do If You’re Chosen
Physicians who are notified should ask which materials are being audited so the practice can assemble the requested information and review it before responding.
Rachel Yaffe, a Chicago-based healthcare attorney with McDonald Hopkins LLC, says “contact [your] healthcare attorney immediately—ideally someone who specializes in HIPAA compliance. They can assist with timelines, documentation and complying with the request, [and they can] also help you know what’s within your rights.”
OCR Under Review
Phase II of the OCR's audits continues a program whose pilot ran in 2011–2012. The new round follows a review of the OCR's audit activity conducted by the HHS Office of the Inspector General (OIG). The findings, presented in a report published last year, determined that the OCR had been less than thorough in assessing HIPAA breach risk and in enforcing penalties for HIPAA breaches.1
“OCR should strengthen its oversight of covered entities’ compliance with the Privacy Rule,” the report said. “OCR’s oversight is primarily reactive; it investigates possible noncompliance primarily in response to complaints. OCR has not fully implemented the required audit program to proactively assess possible noncompliance from covered entities.”
The Health Information Technology for Economic and Clinical Health Act (HITECH), part of the 2009 American Recovery and Reinvestment Act, requires the OCR to conduct such audits of covered entities, which include hospitals, doctors, pharmacies, health insurance companies and more. It also made business associates, the vendors that handle patient data on a covered entity's behalf, directly liable under HIPAA.
“If you’re going to be a vendor in the healthcare space, you have to play by healthcare rules,” Ms. Yaffe says.
One such rule: Under the HIPAA Privacy Rule, every practice or healthcare organization must designate a privacy officer to oversee all activities related to the development, implementation and maintenance of the practice's or organization's privacy policies in accordance with applicable federal and state laws. (The HIPAA Security Rule separately requires a designated security official responsible for the safeguards that protect electronic protected health information.)
Focus on Smaller Providers
Although previous audits focused primarily on large providers, the latest round will be directed at smaller providers and their risk of HIPAA breaches. The OIG report found that smaller covered entities were less likely than larger entities to be investigated for small breaches (those affecting fewer than 500 individuals).