The Rheumatologist

Preparing for Increased HIPAA Audits Among Smaller Rheumatology Providers

May 13, 2016 • By Steven M. Harris, Esq.

Recent enforcement activities of the Department of Health and Human Services’ Office for Civil Rights (OCR) have shown an increase in fines and penalties assessed against smaller providers for failing to comply with the privacy, security and breach notification requirements of the Health Insurance Portability and Accountability Act (HIPAA). Historically, OCR has focused on larger providers, such as hospitals and health systems, and breaches involving more than 500 individuals; however, OCR is now aggressively enforcing HIPAA compliance of smaller providers, including sole practitioners, and investigating smaller breaches affecting fewer than 500 individuals. As a result, 2016 is expected to be a critical year for HIPAA enforcement and a record year for fines and penalties for noncompliance.

Reason for the Change

In fall 2015, the Office of Inspector General (OIG) issued a report regarding OCR’s HIPAA enforcement practices. The report found that OCR actively investigated all large breaches (affecting more than 500 individuals), but failed to document investigations of small breaches (affecting fewer than 500 individuals), suggesting that small breaches are often overlooked. This variance is largely due to limited federal resources and the fact that OCR simply does not have the time or manpower to investigate small breaches.

The OIG’s report also suggests that certain covered entities routinely violate HIPAA regulations and exhibit compliance issues that warrant increased fines and penalties. In response, OCR is increasing its enforcement activities by reviewing covered entities with previous breaches to reassess compliance and markedly increasing the fines assessed against repeat offenders. In addition, on March 21, 2016, OCR announced that phase 2 of its HIPAA audit program had begun, which is undoubtedly an effort to overcome any scrutiny cast on OCR by the OIG’s report.

Phase 2 HIPAA Audits

Although the second round of HIPAA audits has been expected for some time, OCR is now actively selecting covered entities and business associates for phase 2 HIPAA audits. The goal of the audit program is to assess compliance with the HIPAA Privacy, Security and Breach Notification Rules. OCR intends to use the data it obtains during the audit process to examine compliance mechanisms, determine best practices, and discover program risks and vulnerabilities.

Phase 1 took place in 2011 and 2012, and focused on the compliance of covered entities. Phase 2 will differ from phase 1 in that the audits will be expanded to include business associates. This phase will consist of three series of desk and on-site audits. The first series of audits will be desk audits of covered entities, and the second series will be desk audits of business associates. Desk audits are conducted off site and will examine specific compliance requirements of the Privacy, Security and Breach Notification Rules by reviewing policies, procedures and compliance plans of each entity selected for the audit. OCR expects the first and second series of desk audits to be completed by the end of 2016. The third series of audits will be on site and focus on a broader scope of HIPAA requirements than the desk audits. Selection for the first or second round of desk audits does not preclude selection for the on-site audits conducted during the third round, so some entities may be subject to both.

Any covered entity or business associate can be audited, regardless of size or type of provider. Audit selection criteria include the size and type of the entity, affiliation with other healthcare organizations, whether the entity is public or private, and geographic factors. The only entities exempt from an audit are those with an open complaint investigation or those currently the subject of a compliance review.

Advance Preparation Is Critical

Fines and penalties assessed by the OCR due to noncompliance with HIPAA requirements can put a small provider out of practice. For this reason, it is imperative that you evaluate your HIPAA compliance now and not wait until you are selected for an audit or are—even worse—a party to a breach.

Filed Under: Billing/Coding, Legal, Practice Management
Tagged With: audit, HHS, HIPAA compliance, Legal, noncompliance, physician practice, Practice Management, rheumatologist
Issue: May 2016

Copyright © 2006–2019 American College of Rheumatology. All rights reserved.

ISSN 1931-3268 (print)
ISSN 1931-3209 (online)
