
February 2012


Handling a HIPAA Audit

The U.S. Department of Health and Human Services has announced that it plans to carry out random audits for Health Insurance Portability and Accountability Act (HIPAA) compliance throughout 2012. Physicians may be subject to a HIPAA audit randomly or in response to a specific complaint.

The Cost of Violating HIPAA Is High

Previously, violations of HIPAA generally resulted in a warning letter. However, as a result of the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, violations of HIPAA now result in mandatory fines. Under the HITECH Act, the least serious violations, known as first-tier violations, result in a small fine that generally starts at $100. Second-tier violations are $1,000 per violation. The most serious violations, described as “willful neglect,” include breaches of unsecured protected health information (PHI). Medical practices found in violation of this category may face penalties of up to $1.5 million.

What Triggers a HIPAA Audit?

Typically, the circumstances that would result in a physician being audited are:

  • A breach or complaint of a breach of PHI. A PHI breach is an impermissible use or disclosure under the Privacy Rule that results in the security or privacy of the PHI being compromised to such an extent that it puts affected persons at significant risk of harm to their finances or their reputations. Any PHI breach that affects more than 500 individuals must be posted online.
  • A complaint of a privacy or security violation by anyone. The Department of Health and Human Services is obligated to investigate all complaints of HIPAA violations.
  • Filing for Electronic Health Record (EHR) reimbursement. Physicians are required to show how their practices comply with HIPAA and that their EHR is certified as HIPAA-compliant when they apply for Medicare incentives for “meaningful use” of an EHR system.

What To Expect if You Are Audited

Physicians who are audited will have to document their HIPAA compliance efforts. Essentially, they’ll need to produce a list of policies and procedures that have been implemented to protect the confidential health information of patients and any financial information that may be accessible in the health records of patients.

Your practice’s key personnel will have to be available for the auditors. The practice owner, your HIPAA compliance officer and the practice’s IT person are considered key personnel.

If your practice does not currently designate an individual as a privacy/security officer, you should appoint one as soon as possible. That person will be responsible for implementing and regularly maintaining HIPAA compliance practices and records. Moreover, you have to be certain that your IT professionals are familiar with the essential requirements that HIPAA mandates for medical practices and are capable of helping your practice meet those requirements.

Talk to Us

The financial consequences of your practice failing a HIPAA audit can be substantial. We recommend that you carefully review your current policies and procedures as they relate to HIPAA. You may benefit from outside professional assistance. If we can help, please contact us.

Health Care Commentaries is provided by Somerset’s Health Care Team for our clients and other interested persons upon request. Since technical information is presented in generalized fashion, no final conclusion on these topics should be made without further review. For additional information on the issues discussed, please contact a member of our Health Care Team. This document is not intended or written to be used, and cannot be used, for the purpose of avoiding tax penalties that may be imposed on the taxpayer.

Somerset CPAs, P.C.
3925 River Crossing Parkway, Third Floor
Indianapolis, Indiana 46240
317.472.2200 • 800.469.7206 • FAX 317.208.1200
www.somersetcpas.com