The second round of HIPAA compliance audits was commenced late in 2018 by the Department of Health and Human Services’ Office for Civil Rights.
The audit program includes desk-based audits of HIPAA-covered companies, organizations and business associates, followed by a round of more comprehensive audits incorporating site visits. The desk audit portion of this round has been completed; the site audits were delayed but are now due to start in early 2018.
Only a small number of covered organizations have been selected for audit in the second phase of compliance audits; however, covered organizations that have avoided an audit may still be required to show they are in compliance with HIPAA Rules.
In addition to the audit program, any HIPAA-covered organization that experiences a breach of more than 500 records will be investigated by OCR to determine whether the breach resulted from a violation of HIPAA Rules. OCR also reviews complaints submitted through the HHS website portal.
The original round of HIPAA compliance audits in 2011/2012 did not result in any financial sanctions being issued, but that is unlikely to be the case for the second round of audits. The past two years have also seen an increase in financial sanctions for noncompliance with HIPAA Rules discovered during investigations of complaints and data breaches.
There is now a higher likelihood of an audit or investigation, and OCR is issuing more financial penalties for failing to adhere to HIPAA regulations. Covered organizations therefore cannot afford to take risks. Many healthcare entities are turning to HIPAA compliance software and seeking help from compliance consultants to ensure their compliance programs are comprehensive and financial penalties are avoided.
Imperial Valley Family Care Medical Group is a multi-specialty physician’s group that operates 16 facilities across California. IVFCMG was not selected for a desk audit, but following the theft of a laptop computer, OCR investigated the breach. IVFCMG was asked to demonstrate compliance with HIPAA Rules and provide documentation showing that the breach was not caused by a failure to follow HIPAA Rules.
Covered organizations may fear a comprehensive HIPAA audit, but investigations into data breaches are also thorough. OCR often requires extensive documentation in order to assess compliance following any breach of protected health information. In the case of IVFCMG, OCR’s review was very comprehensive.
Responding promptly to OCR’s in-depth questions was important. IVFCMG, like any covered organization that is investigated or selected for an audit, had to be careful how it responded: all questions must be answered promptly and backed up with the necessary documentation.
Following the breach, IVFCMG turned to a third-party firm, the Compliancy Group, for help. By using the company’s Breach Response Program, IVFCMG was able to ensure that all of the proper procedures were completed within the required time frame and that all of those processes were accurately documented.
The Breach Response Program is an important part of the Compliancy Group’s “The Guard” HIPAA compliance software offering. Compliancy Group simplifies HIPAA compliance, allowing healthcare employees to confidently run their practice while complying with all the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The Guard uses the “Achieve, Illustrate, and Maintain” methodology to ensure sustained compliance, with covered organizations guided throughout by HIPAA compliance experts.
IVFCMG’s Chief Strategic Officer, Don Caudill, commented: “Their experts provided us with a full report and documentation proving that our HIPAA compliance program satisfied the law – which ultimately helped us avoid hundreds of thousands of dollars in fines.” When OCR responded to the original breach report by asking questions about another area of HIPAA Rules, IVFCMG was in a position to respond quickly and supply the evidence to prove it was compliant.
HIPAA compliance software helps covered organizations pass a HIPAA audit, respond properly when OCR investigates data breaches and complaints, and avoid financial penalties for non-compliance. OCR has strengthened its enforcement over the past two years, and healthcare data breaches are increasing. Non-compliance with HIPAA Rules is now much more likely to be discovered and to result in fines.
Small to medium-sized HIPAA-covered organizations with limited resources to allocate to HIPAA compliance can benefit the most from using HIPAA compliance software and receiving external consultation from HIPAA compliance experts.
“Responding to a HIPAA audit requires sensitivity and expertise,” Bob Grant, Chief Compliance Officer of Compliancy Group, said. “As a former auditor, I’ve developed The Guard and our Audit Response Program to satisfy the full extent of the HIPAA regulatory requirements. Giving federal auditors everything they need to assess the compliance of your organization is our number one goal. Our Audit Response Program is the only program in the industry to give health care professionals the power to illustrate their compliance so they can get back to running their business in the aftermath of a HIPAA audit.”