Updated on: January 31, 2013

Don’t Let HIPAA Audits Take You By Surprise: It’s not Just the Office for Civil Rights

By Elizabeth Lamkin, MHA and Melissa (Lisa) Thompson, JD, MPH
Original story posted on: April 26, 2012

As many of you know, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) rolled out a pilot program in November 2011 using KPMG to conduct audits for compliance with the Health Information Portability and Accountability Act of 1996 (HIPAA) and its regulations, including the Privacy Rule and the Security Rule. KPMG first will focus on covered entities, with business associates to follow. The goal is to establish a permanent program by the end of 2012.

 

These audits are primarily compliance improvement activities, and OCR will use the reports to determine what types of technical assistance should be developed (as well as what types of corrective action are most effective). However, should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to address the problem.

 

It is important to understand that the HIPAA Security Rule and Health Information Technology for Economic and Clinical Health Act (the HITECH Act) are different from the Privacy Rule. The Privacy Rule sets standards for how protected health information should be controlled; it does this by, among other things, setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information. However, the Security Rule and the HITECH Act focus on general requirements for safeguards to protect the confidentiality, integrity and availability of protected electronic health information that must be tailored to each organization - one size does not fit all.

 

At the same time OCR has been engaged in the HIPAA audits, the Centers for Medicare & Medicaid Services (CMS) recently revised its interpretive guidance and instructions for surveyors on hospital conditions of participation (CoP). For example, under the Patient Rights CoP, the old survey instructions called for observations to determine if patients were provided privacy. During the survey, basic observations were made to see if patient information or names were posted in public view and if the hospital was promoting the right to privacy.

 

The new CMS survey instructions are significantly more detailed and contain language that parrots the HIPAA Privacy and Security Rules. Again, using the Patient Rights CoP as an example, the new survey procedures include a review of hospital policies and interviews with staff concerning their understanding of the use of patient information in the facility directory - representing an attempt to determine if the policies address the opportunity for the patient or patient's representative to restrict or prohibit use of patient information in emergent and non-emergent situations. Surveyors also are instructed to review hospital policies and conduct observations or interview staff to determine if reasonable safeguards are used to reduce incidental disclosures of patient information. Lastly, if audio and/or visual monitoring is utilized in the medical/surgical or ICU settings, they will conduct observations to ensure that monitor screens and/or speakers are not readily visible or audible to visitors or the public. Needless to say, the new survey process is a more intense analysis and review.

 

So why is this so important now? Prior to the HITECH Act, the HHS secretary could impose civil monetary penalties on any person who violated a provision of this, a penalty of not more than $100 for each violation (except that the total amount for all violations of an identical requirement of prohibition during a calendar year could not exceed $25,000). The HITECH act strengthened HIPAA enforcement, establishing categories of violations that reflect increasing levels of culpability, requiring that a penalty determination be based on the nature and extent of the violation and the harm resulting from the violation, and establishing tiers of increasing penalty amounts based on reasonable findings of diligence, reasonable cause or willful neglect.

 

These changes definitely will affect normal operations and must be addressed, particularly within policies, procedures and training. Each entity must have or develop policies and procedures (P&Ps) to help ensure compliance with HIPAA. Much of the training staff currently receive revolves around HIPAA Privacy, yet each rule must be defined and should be taught as part of all staff and full workforce orientation (and should be part of your competency reviews). Your organization must have a designated security official (in addition to your privacy officer) who should receive ongoing training.

 

Finally, each covered entity is required to conduct a technical and non-technical assessment under the Security Rule. So, each facility must utilize ongoing risk assessment and risk management methodologies for the security of electronic PHI (ePHI), which should include self-audits of Security Rule requirements and revisions to policies and procedures, as appropriate. In addition, facilities should examine their compliance with applicable accreditation requirements and the relevant CoPs (based on the new CMS instructions for surveyors).

 

About the Authors

 

Elizabeth Lambin, MHA, is a partner in PACE Healthcare Consulting. Elizabeth has more than 20 years of C-suite level hospital executive management experience.  Most recently, she was the CEO/Market President for Tenet Healthcare's Hilton Head Regional Healthcare. Elizabeth holds an undergraduate degree in Business Administration, Cum Laude and a Master's in Healthcare Administration from the University of South Carolina.

 

Melissa Thompson, JD, MPH, is with the law firm of Adelman, Sheff, & Smith, LLC where she focuses her practice on healthcare regulatory, litigation, administrative appeals and transactional law.  Lisa is also a trained arbitrator, mediator and a frequent author and lecturer on health care issues.

 

Contact the Authors

 

 

Elizabeth.Lamkin@pacehcc.com

 

LThompson@hospitallaw.com

 

To comment on this article please go to editor@racmonitor.com

 

NOTE: This summary is provided for information purposes only and does not constitute legal advice.