On September 9, Linda Sanches, the Senior Advisor for the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) warned that Health Insurance Portability and Accountability Act (HIPAA) audits are forthcoming. Speaking at the HIMSS Privacy and Security Forum in Boston, Sanches cautioned attendees that the best defense to an audit is conducting periodic and comprehensive risk analyses focused on administrative and technical protections, as well as human error vulnerabilities. “The onus is on you to prove that you had the proper systems in place,” Sanches warned, advising providers to proactively perform risk analyses in advance of a HIPAA audit.
To attendees’ disappointment, Sanches did not unveil a start date for the HIPAA audits. Instead, Sanches explained that the OCR has postponed initiating HIPAA auditing to implement new technology with increased auditing capacities. Originally, the OCR intended to conduct a total of 400 desk audits. However, Sanches confirmed that now the OCR will likely perform fewer than 200 targeted desk audits and an unconfirmed number of on-site audits. A variety of providers across practice area, size, and geographic location should expect to be audited. Audited entities will be responsible for compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule. In addition, providers should have available an updated list of business associates with contact information and services provided. Sanches warned that the OCR will use a provider’s business associate list to select business associates for HIPAA auditing.
Providers with patterns in reported breaches are more likely to face HIPAA auditing. Sanches emphasized that providers who fail to demonstrate compliance with the HIPAA privacy rule and HIPAA security rule may face hefty settlement fines based on the amount of harm and provisions violated. When discussing fines, Sanches stated, “It’s basic math. How many people were affected?”
Since the inception of the HIPAA Privacy and Security Rules, Wachler & Associates has counseled providers and other covered entities in HIPAA compliance. In order to attain compliance, providers should update security policies and procedures, business associate agreements, privacy policies and procedures, and HIPAA privacy notices. Additionally, all employees should receive regular training in HIPAA compliance. If your entity does not already have these procedures in place Wachler & Associates can help you implement these important compliance measures. If you have any questions regarding HIPAA, HIPAA audits or require assistance developing a HIPAA compliance plan, please contact an experienced healthcare attorney at 248-544-0888 or via email at wapc@wachler.com.