The United States Department of Health and Human Services Office for Civil Rights (OCR) has recently announced that the first 20 HIPAA audit letters have been sent to covered entities. The audit program will involve up to 150 covered entities by the end of 2012.
Of the first 20 audit letters, 10 involve healthcare providers, including at least three physicians or physician groups, as well as a laboratory, a pharmacy and other providers. Upon receipt of the audit letter, the covered entity has only 10 days to provide the requested information.
If you have been delaying bringing your practice into full compliance with HIPAA’s privacy and security rules, the time to act is now, not when you receive an audit letter or when a breach or some other privacy or security related problem arises. To be prudent, all healthcare providers should assume that within the next couple of years they will be audited and required to disclose exactly how they have complied with HIPAA’s privacy and security requirements.
The failure to comply can also create significant financial and administrative problems if a HIPAA violation is discovered. A recent example involves a cardiac surgery practice located in Arizona. The practice had posted clinical and surgical appointments for their patients on an internet based calendar that was publicly accessible.
Following the disclosure of the violation, an investigation revealed that the practice had failed to comply with HIPAA in a number of respects, including failing to implement policies and procedures, failing to document the training of its employees, failing to identify a security official and conduct a risk analysis, and failing to obtain business associate agreements with certain business associates. The practice accepted a $100,000 penalty and agreed to institute a corrective action plan designed to bring it into full compliance with HIPAA’s privacy and security rules.
While the practice’s failures in this Arizona case involve some very basic HIPAA related requirements, it is likely that many physician practices throughout the country have similar HIPAA compliance shortcomings.
Physician practices and other healthcare providers need to do a thorough analysis of HIPAA’s requirements and determine the extent to which they are in compliance, as well as potential security threats and vulnerabilities. Far too many physician practices and other providers have simply assumed that by preparing a notice of privacy practices and having new patients sign an acknowledgement of having received a copy of it, they have brought themselves into full compliance with HIPAA. As those practices who will be on the receiving end of a HIPAA audit or similar investigation will find out, there is far more to HIPAA than a privacy notice or written acknowledgement.
Healthcare providers and other HIPAA covered entities are being subjected to increasing levels of scrutiny for compliance with privacy and security standards. It is expected that enforcement actions against covered entities and their business associates will intensify with the imminent revisions to the HIPAA security and privacy rules to incorporate various provisions of the HITECH Act, while breach notification requirements as well as the OCR audit program continue to shine a light on HIPAA compliance concerns. It is therefore becoming increasingly important for covered entities and their business associates to analyze their compliance with HIPAA standards.
If you have any questions concerning this Alert, please contact:
John T. Mulligan 216.348.5435
Jane Pine Wood 508.385.5227
Rick L. Hindmand
Rachel H. Yaffe
McDonald Hopkins has a large and diverse healthcare practice, which is national in scope. The firm represents a wide variety of healthcare providers, facilities, vendors, technology companies and associations. Our diverse experience enables us to give our clients a unique perspective on the issues that may confront them in the rapidly evolving healthcare environment.