Healthcare compliances training and discussion blog

HIPAA Activity on the Rise


HIPAA Audit Program

The HIPAA audit program mandated by the HITECH Act is underway. HHS recently awarded KPMG $9.2 million to commence the program. To date, HHS review of covered entities has been complaint driven. Audit protocols will be developed for covered entities and business associates. The audits will begin late this year or early 2012, and consist of as many as 150 on-site audits of entities varying in type, size, and location. These audits can result in enforcement action if violations are discovered.

To prepare for a HIPAA audit, providers should perform an updated risk assessment and review their policies and procedures. HHS issued an audit checklist that identifies personnel who may be interviewed and documents that may be requested during an audit.

Accounting of Disclosures and Access Report

The long-anticipated rules regarding accounting of disclosures were proposed this May. There are two major changes covered entities and business associates will need to address: 1) accounting for treatment, payment, and health care operations disclosures, and 2) providing an access report.

Accounting for Disclosures

While the proposed rules broaden the accounting requirement to treatment, payment, and health care operations, HHS proposes to limit the accounting to information maintained in a designated record set for three years prior to the date of the request. There are also proposed exemptions, including disclosures in which breach notice was provided; abuse or neglect reports; patient safety work product; and disclosures for research, health oversight activities, decedents, and others required by law. Keep in mind these exemptions may still be subject to the Access Report. Other proposed changes include decreasing response time to 30 days and specifically including business associates.

Access Report

This rule proposes that an individual may request a report describing who has accessed their PHI maintained in an electronic designated record set, including the date and time of access, the person or entity accessing the information, a description of the information, and what was done with the information.

Covered Entities must revise their Notice of Privacy Practices to notify individuals of their right to an accounting and an access report.

Monetary Penalties

For the first time this year, there were three major monetary penalties issued for HIPAA violations. These include a $4.3 million penalty involving failure to provide access, a $1 million penalty involving loss of PHI, and most recently an $865,500 penalty involving unauthorized employee access to electronic PHI. Another reason to update your HIPAA program!

Joy Kosiewicz is an attorney in the Health Care Group at Brouse McDowell in Akron.
