HIPAA Audit Program
The HIPAA audit program mandated by the HITECH Act is underway. HHS recently awarded KPMG $9.2 million to commence the program. To date, HHS review of covered entities has been complaint driven. Audit protocols will be developed for covered entities and business associates. The audits will begin late this year or early 2012, and consist of as many as 150 on-site audits of entities varying in type, size, and location. These audits can result in enforcement action if violations are discovered.
To get prepared for a HIPAA audit, providers should perform an updated risk assessment and review their policies and procedures. HHS issued an audit checklist that identifies personnel who may be interviewed and documents that may be requested during an audit.
Accounting of Disclosures and Access Report
The long-anticipated rules regarding accounting of disclosures were proposed this May. There are two major changes covered entities and business associates will need to address: 1) accounting for treatment, payment, and health care operations disclosures, and 2) providing an access report.
Accounting for Disclosures
While the proposed rules broaden the accounting requirement to treatment, payment, and health care operations, HHS proposes to limit the accounting to information maintained in a designated record set for three years prior to the date of the request. There are also proposed exemptions, including, disclosures in which breach notice was provided; abuse or neglect reports; patient safety work product, and disclosures for research, health oversight activities, decedents, and others required by law. Keep in mind these exemptions may still be subject to the Access Report. Other proposed changes include decreasing response time to 30 days and specifically including business associates.
This rule proposes that an individual may request a report describing who has accessed their PHI maintained in an electronic designated record set, including the date and time of access, the person or entity accessing the information, a description of the information, and what was done with the information.
Covered Entities must revise their Notice of Privacy Practices to notify individuals of their right to an accounting and an access report.
For the first time this year, there were three major monetary penalties issued for HIPAA violations. These include a $4.3 million penalty involving failure to provide access, a $1 million penalty involving loss of PHI, and most recently an $865,500 penalty involving unauthorized employee access to electronic PHI. Another reason to update your HIPAA program!
Joy Kosiewicz is an attorney in the Health Care Group at Brouse McDowell in Akron.