The acronym “HIPAA” has become a household name since the enactment of the Health Insurance Portability and Accountability Act of 1996, which, among other things, established rules for protecting and securing patients’ health information. In fact, it is not uncommon to hear about breaches of patient information costing healthcare providers and suppliers six- and seven-figure civil monetary penalties or settlements. Generally, such settlements and penalties have arisen out of patient complaints that the privacy of their protected health information (PHI) has been compromised. However, beginning November 2011, patient complaints will not be the only way in which the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) will learn about non-compliant entities.
Section 13411 of the American Recovery and Reinvestment Act of 2009, which established the Health Information Technology for Economic and Clinical Health (HITECH) Act, requires the Secretary of HHS to “provide for periodic audits to ensure that covered entities and business associates” comply with the requirements of the HIPAA Privacy Rule, Security Rule and Breach Notification Rule (collectively, the HIPAA Rules). To achieve this end, the OCR has engaged, under a $9.2 million contract, KPMG, LLC (KPMG) to conduct performance audits of covered entities in the form of a pilot audit program. The pilot will include up to 150 audits of covered entities to ensure compliance with HIPAA. The pilot program will conclude in December of this year.
Who Will Be Audited
During this pilot program, covered entities of all sizes will be audited. According to the OCR, it “will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit.” Business associates will not be audited during the pilot, but will be included in future audits. A covered entity is defined as (i) a health plan, (ii) a healthcare clearinghouse, or (iii) a healthcare provider transmitting any health information in electronic form. As such, anesthesiologists, anesthesia groups, CRNAs, ambulatory surgery centers, physician offices and clinics electronically transmitting any health information are eligible to be audited by the OCR.
What Audited Entities Can Expect
Although the OCR will begin with approximately twenty (20) audits to test and finalize the audit protocols, audited entities can expect the HIPAA audits to include a request for documentation, an on-site field visit and a report. Initially, the OCR is using the audit process to detect compliance with the HIPAA Rules and identify best practices, and to discover compliance risks and vulnerabilities.
Step 1: Notification Letter
The OCR will send entities written notification letters. Included in the notification letter will be a request for documentation evidencing their HIPAA privacy and security compliance efforts. The OCR provided a sample notification letter on its website.[1] Included in the sample letter is the following language briefly advising the audited covered entity of what to expect:
In the attached letter, KPMG LLP requests specific information be provided by you in order to facilitate the audit process. In addition, they provide contact information for the audit firm personnel responsible for conducting the audit. Please understand that KPMG LLP is requesting and reviewing these documents solely as a contractor to OCR and on its behalf and pursuant to its audit authority. This letter serves to notify you that the audit shall begin within the next 30 to 90 calendar days from the date of this letter. The results of the audit firm’s work, including your management’s written response to any reportable findings, will be presented in a final report to OCR.
Audited entities will have ten (10) business days in which to provide the requested documentation.
Step 2: Receipt and Review of Documentation and Planning Field Work
After KPMG receives the requested documentation from the audited entities, it will review the documentation and begin planning the audit field work, that is, the on-site visit to the audited entity. Following KPMG’s review, audited entities should expect KPMG to notify them thirty (30) to ninety (90) days prior to the on-site visit.
Step 3: On-Site Visit
KPMG will send auditors to conduct on-site field work at the audited entities. Audited entities can expect the field work to span between three (3) and ten (10) days, depending on the size of the entity, the complexity of the audit and the auditor’s need to access information and personnel. The on-site field work will include interviews with the covered entity’s leadership (e.g., the compliance officer, legal counsel, health information manager, medical records director, etc.), examination of the physical space and operations, consistency of the entity’s practice with its stated policies and observation of the entity’s compliance with the HIPAA Rules.
Step 4: Draft Audit Report
Within twenty (20) to thirty (30) days following the auditor’s on-site review of the audited covered entities, the auditor will prepare a draft audit report of its findings. The draft audit report will include information relating to the timeline and methodology of the audit, the best practices noted by the auditor, and any other information and data collected by the auditor. The draft audit report will also include specific recommendations to the covered entity to address compliance issues identified during the audit.
Step 5: Review of the Draft Audit Report
After receipt of the draft audit report from the auditor, audited entities will have ten (10) business days to review the draft audit report and provide the auditor their written comments, concerns and corrective actions taken to address any potential violations of the HIPAA Rules.
Step 6: Final Audit Report
The auditor will revise its draft audit report and submit a final audit report to the OCR. Final audit reports must include the following information:
Identification and description of the audited entity, including the entity’s full name, address, EIN, and contact person
The procedures used by the auditor to conduct the audit
A review and description of each audit finding, which should include the following:
Condition: The defect or non-compliant status observed by the auditor, and evidence of each defect or non-compliant status
Criteria: A clear demonstration that each negative finding is a potential violation of the HIPAA Rules, including a citation to the specific rule that is potentially violated
Cause: The reason why the condition exists, including an identification of the supporting documentation used to determine such cause
Effect: The risk or non-compliant status that results from the auditor’s finding
Recommendations for the audited entity to address each finding; and
Corrective actions taken by the audited entity, if any
Acknowledgement of any best practice(s) or success(es) of the audited entity; and
The auditor’s overall conclusion.
Audited entities can expect the auditor to take up to thirty (30) business days to submit its final audit report to the OCR.
What Anesthesiologists Can Do
While the OCR is conducting a limited number of audits during this year, anesthesiologists are not exempt from inclusion in this pilot program. This pilot period provides anesthesiologists and anesthesia groups with an opportunity to establish HIPAA compliance policies or to revisit existing ones. For those entities that have not had their policies updated recently, this may serve as a good opportunity to have their policies reviewed and updated, as well as to internally review compliance with their own policies. Additionally, this may be a prime time for anesthesiologists, anesthesia groups and their staff to be educated or re-educated on HIPAA, the requirements for compliance with the HIPAA Rules and the consequences for breaching the HIPAA Rules.
Anesthesiologists should also familiarize themselves with new risks and vulnerabilities for breaches of patient information. For instance, one such new risk or vulnerability involves the appearance of patient information on social media sites. Anesthesiologists should familiarize themselves with the implications of social media sites and should educate their staff on the proper and improper use of social media in a professional healthcare setting. Another example of increased vulnerability is the use of portable storage devices (e.g., a flash drive or a thumb drive, laptops, etc.) to transport unencrypted patient information. Most breaches of patient information are unintentional. As such, anesthesiologists should be aware of current and emerging risks and take measures to guard against such risks.
Finally, anesthesiologists can expect HHS to issue new rules on breach notification this year, finalizing its Interim Final Rule issued in August 2009. Anesthesiologists should ensure that the new rules are incorporated into their compliance policies.
Most anesthesiologists will not be audited during this year; however, those that are can expect a request for information, an on-site visit and an audit report of the findings. Regardless of whether an anesthesiologist is audited, all anesthesiologists should take this opportunity to dust off their HIPAA compliance policies and ensure they reflect the most recent regulations that have been issued.