February 23, 2024 They’re Baaaaaack! And in this case, not the poltergeists in the 80s classic, but the Office For Civil Rights (OCR). The OCR shared some significant news, announcing their plans to reintroduce their random HIPAA audits program. The last time this program was in place was in 2016 – 2017, with over 200 Covered Entities and Business Associates audited to ensure HIPAA compliance. Before this program is officially implemented again, the OCR is surveying past audit participants, and hearing their feedback before random audits begin. However, Director of the OCR, Melanie Fontes Rainer, confirmed the audits would resume this year, “OCR intends to initiate audits of HIPAA-regulated entities later this year. These audits can assist regulated entities in improving their HIPAA compliance and their protection of health information.” The audits revealed eye-opening shortcomings of CEs and BAs, with Paul Hales of Hales Group describing that “86% of covered entities and 83% of business associates failed the risk analysis audit, and 94% of CEs and 88% of BAs failed the risk management audit”. Thankfully, this news doesn’t have to be like a horror movie if you’re proactive and take compliance seriously. What does this mean for you? While random HIPAA audits might seem very nerve-wracking for your practice or organization, with the proper tools, you can be easily prepared. These audits will help all in healthcare, highlighting the importance of being compliant and keeping patients’ data safe. That’s why Abyde is here to help. Our software simplifies compliance, allowing your practice to focus on what matters most, taking care of patients, or in the case of Business Associates, running your business. To learn more about how you can be prepared for the random OCR HIPAA audits, email us at info@abyde.com or schedule a compliance consultation below. MEDICAL PRACTICES: SCHEDULE CONSULTATION BUSINESS ASSOCIATES: SCHEDULE CONSULTATION
Navigating a HIPAA Compliance Audit: A Structured Guide
September 15, 2023 Receiving notification of a pending HIPAA compliance audit may initially feel like an alarming event. Rest assured, it doesn’t need to be a distressing experience. Let’s put the jests aside and embark on a guided pathway to handling this with seriousness and diligence. Here’s how you can approach this situation methodically and with poise, assisted by Abyde’s comprehensive solutions: Step 1: Stay Calm and Mobilize Your Team Upon receiving the notification, resist the urge to panic. Instead, convene a team meeting to align your strategies and affirm that you can successfully navigate the audit with a coordinated effort. Step 2: Understanding the Audit Letter Deciphering the audit letter is paramount. Invest time in understanding the specifications mentioned in the letter to identify the areas that will be under scrutiny during the audit. Step 3: Engage Your Compliance Officer Your Compliance Officer will be the anchor during this period. Leverage their expertise to lead the preparation phase, focusing on gathering the necessary documents and aligning your operations with HIPAA standards. Step 4: Document Compilation Systematically compile all necessary documents including, but not limited to: Step 5: Conduct a Pre-Audit Before the official audit, conduct a pre-audit to identify any gaps in your compliance. This step ensures that you are well-prepared and confident for the audit day. Step 6: Be a Gracious Host On the audit day, maintain a cooperative and respectful demeanor toward the auditors. Offer refreshments and be willing to assist them throughout the process, facilitating a smoother audit experience. Step 7: Review and Improve Post-audit, take time to review the feedback provided in the auditor’s report. Utilize this information to make necessary amendments, showcasing your commitment to continuous improvement. Step 8: Continuous Compliance Recognize that maintaining compliance is an ongoing endeavor. Regularly update your policies and training to ensure that your practice operates within the stipulated regulations, fostering a culture of continuous compliance. Leveraging Abyde for Compliance Ease With Abyde by your side, you can transform this seemingly daunting task into a manageable one. Abyde offers: With preparation and the right partner like Abyde, you can face a HIPAA audit with confidence and tranquility. Embark on this compliance journey with seriousness and structured guidance, ensuring a successful outcome.
Latest HIPAA Audit Industry Report
December 18, 2020 End of year report cards are in (or at least they are for covered entities) and the HIPAA compliance grades the Office for Civil Rights (OCR) & Department of Health and Human Services (HHS) just handed out are not ones to write home about. Just yesterday, the HHS released their latest HIPAA Audits Industry Report grading providers and business associates’ on their level of compliance with HIPAA regulations. The report evaluated audit results from 166 covered entities and 41 business associates, focusing specifically on compliance with the Notice of Privacy Practices, patient records access, breach notifications timeliness and content, the Security Risk Analysis, and appropriate risk management programs. While the full report is pretty lengthy, we’ve compiled some of the top takeaways from these latest results: So what does this data tell us? In some ways, nothing new – all of the areas audited have factored heavily into recent OCR enforcement activity, and highlight the same trends we’ve seen all year. If not part of recent enforcement, these areas factor into the recent proposal to modify the HIPAA Privacy Rule, including proposed adjustments to the Notice of Privacy Practices. “The audit results confirm the wisdom of OCR’s increased enforcement focus on hacking and OCR’s Right of Access initiative,” said OCR Director Roger Severino in addition to the latest report, “we will continue our HIPAA enforcement initiatives until health care entities get serious about identifying security risks to health information in their custody and fulfilling their duty to provide patients with timely and reasonable, cost-based access to their medical records.” What NEW information can we take away from these results? Organizations are STILL. NOT. COMPLIANT. Many of the covered entities or business associates audited produced what they thought was sufficient evidence, but did not meet actual HIPAA requirements. Some weren’t even close – when asked to produce an SRA, entities provided irrelevant documents like a patient’s insurance prescription coverage and rights; a document discussing pharmacy fraud, waste and abuse; and a conflict of interest and code of conduct employee sign-off page – none of which are even semi-related to an actual SRA. If your practice wants to get a slightly better HIPAA grade than the ones in this recent audit, ensuring you have the PROPER documentation in place, and meet ALL HIPAA requirements is key. If HIPAA isn’t your best subject, a software solution like Abyde is the tutor you’ve been needing to help walk you through the process to get an A+ (plus avoid hefty HIPAA fines, stress over your HIPAA program, and general unhappiness).
Top 6 Ways to Be Prepared for a HIPAA Audit
August 14, 2020 Let’s be real – there’s probably a few things in life we all have an“Oh, it won’t happen to me” mentality about. For many medical professionals, that may be exactly how you feel about HIPAA audits – yet HIPAA investigations are becoming more common than you might think. While the odds of facing a totally random HIPAA audit might not be high, they increase significantly when you factor in additional investigation triggers like data breaches, cyber attacks, and patient complaints- none of which a medical practice is immune to. Proactively preparing for anything that might be thrown your way is imperative for your practice to have the ability to handle a HIPAA audit without the consequence of a hefty violation. Here are the top 6 things you should have in place BEFORE a breach, complaint or audit investigation occurs: 1. Security Risk Analysis The first thing the OCR looks for upon investigation is a properly documented and up to date Security Risk Analysis (SRA). This shows that you’ve assessed your practice operations and identified any vulnerabilities – BEFORE an audit occurs. While it’s the first step of HIPAA compliance, only 17% of practices audited by the OCR met this requirement. 2. Practice-Specific Policies & Procedures Proper documentation is key for all aspects of your compliance program including your practice specific HIPAA policies and procedures. These policies and procedures serve as the guidelines for how protected health information (PHI) should be handled within your practice and the proper documentation is necessary to prove the expectations and standards you have set for your organization. 3. Disaster Recovery Plan Disasters happen, most of the time without warning. Having a disaster recovery plan in place is important to ensuring continuity of patient care and continued access to important medical records. As the saying goes, if you fail to plan, you plan to fail. 4. Implement Proper Administrative, Technical and Physical Safeguards Securing all forms of PHI with the necessary safeguards already implemented within your practice is essential to successfully meeting HIPAA requirements – and ultimately protecting your patients. 5. Staff HIPAA Training Properly train your workforce on all HIPAA privacy and security policies and procedures. This training should be ongoing to ensure that staff is staying up to date with any changes to HIPAA regulations or practice operations. 6. Business Associate Agreements It’s important to be on the same page with everyone that has access to your patient’s secure information. Implementing the proper business associate agreements (BAAs) with all third party vendors that could potentially access PHI ensures patient data is secure while also offsetting liability to business associates should they be the cause of a data breach. There’s a lot that goes into your HIPAA program, even more than the top 6 items listed here, which is why it’s all the more important to have a true culture of compliance in place and a complete HIPAA program to prevent and minimize threats to your patient’s data.
Tax Audits vs HIPAA Audits | What You Need to Know
February 21, 2020 When you think of the most wonderful time of the year – tax season probably isn’t the first thing that comes to mind. But even though the filing process can be a bit daunting, it’s the lesser of two evils when compared to the IRS audit that could result from not submitting anything at all. So while you file your taxes this time every year in hopes of not having to face the IRS this tax season – what are you doing to prepare for a HIPAA audit? As long as you do everything right, the changes of the government showing up on your doorstep are pretty slim. In fact, considering only about 0.5% of all tax returns filed are actually audited – you have a 6% better chance of becoming a millionaire than you do facing the IRS. But despite the unlikely odds, we’re all still focused on staying off the government’s radar by filing each and every year. This better safe than sorry mentality should also apply to the precautions taken to avoid a HIPAA audit, but for many practices, it doesn’t hold the same weight. Over the past few years, the Office for Civil Rights has investigated more HIPAA complaints and ran more random practice audits than ever before, bringing the total amount of HIPAA fines to over $19 million – just between 2020-2021 alone. So why have we seen such a major increase lately? With technology use in healthcare on the rise and changes in government standards and patient needs, it is easier for Protected Health Information (PHI) to be accessed by those with malicious intent and seemingly harder for practices to provide patients with their own PHI when requested. So just as we all go through the tax filing process – ensuring that you have a complete HIPAA program is pretty similar: So why don’t practices pay more attention to HIPAA, like they do their taxes? It all comes down to the lack of education on what HIPAA compliance really entails. The reality for many practices is that, because of misinformation or lack of education, the proper safeguards are never put in place and data breaches are growing more and more common. The worst part? A HIPAA fine could cost your practice, and has cost many others, millions of dollars in addition to time-consuming administrative burdens. And on top of that, unlike late payment fees or penalties on taxes, once a breach occurs under HIPAA there is no going back – and no way to reduce the government’s levied fines. Our takeaway? You shouldn’t just be preparing for tax season – HIPAA audit season has proven to be a year-round occurrence that deserves just as much of a priority as filing taxes does.