OCR HIPAA Audits Present an Opportunity to Review Your Own Compliance

Blog picture_8.11.2016As part of an ongoing effort to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules, the HHS Office for Civil Rights (OCR) has begun the second phase of audits for HIPAA covered entities. The first phase of the audits was conducted in 2011 and 2012 and evaluated the controls and processes implemented by 115 covered entities in order to comply with HIPAA’s requirements. This second phase of audits builds upon the findings of that first audit, and will address compliance efforts by both covered entities and their business associates.

The second phase of the OCR audits is focused primarily on compliance with HIPAA directives related to privacy, security, and breach notifications. Currently, details about the specific documentation that will be required is unavailable, but the OCR has noted that the audit will only deal with compliance with federal guidelines. Compliance with state regulations will not be addressed at all. Still, even though the specifics of the audit are still under wraps, now is a great time to review your own compliance with HIPAA rules and begin gathering documentation.

The HIPAA Audit Process: An Overview

Earlier this summer, the OCR sent notification to all HIPAA-covered entities requiring them to confirm the contact details for their organization and all business associates that handle protected data by the end of July. Once contact details are confirmed, the OCR will send out preliminary surveys to gather more information about specific organizations and their data protection protocols. From those survey responses, several hundred organizations will be chosen for desk audits, which means that they will be required to submit specific, requested documentation as instructed.

While the Phase 2 audits have many health care executives concerned, the OCR has noted that only several hundred entities will be selected for an audit, and of those, a very small percentage (only about 25 to 50 organizations total) are expected to move on to a full, on-site audit. Still, because there is no way of knowing whether your organization will be selected for audit, you need to prepare and be ready to go should that be the case.

The OCR is quick to point out that the Phase 2 auditing process is not intended to be punitive, and that the purpose is rather to identify best practices and potential weaknesses as a means to provide better guidance to covered entities on how to more effectively comply with HIPAA regulations. That being said, regulators do note that should there be serious deficiencies discovered during the process, then there could be sanctions or other corrective actions taken.

Continue Reading

Another Day, Another EHR Survey

Another day, another EHR survey, and once again it’s about the security of information contained in electronic health records.

Apparently, according to this latest survey, more needs to be done to educate patient consumers of the value of the healthcare technology they encounter in their physician’s offices even though more than 50 percent of respondents said they feel EHRs are better than paper charts. Specifically, in this survey patients feel their personal information contained in the EHR is vulnerable to security breaches or hackers.

The data captured in this survey is not surprising, nor is it anything new. In fact, the following statement came from an April 2011 survey I administered for a major healthcare software vendor and announced to the press:

“While both physicians and patients believe that EHR will help improve the quality of healthcare, both groups have concerns about privacy and the security of EHR.” – April 26, 2011.

Though many people think the burden of educating the public about the benefit of EHRs should be placed on physicians, I disagree with this stance.

Physicians, frankly, are consumers of EHRs, just as patients are. It’s an unfair burden to put a group of consumers in the position of advocates for products they pay to use. In what other commercial industry do the manufacturers and retailers of products leave the education of the product to consumer? Correct me if I’m wrong, but I can’t think of any.

The burden of educating consumers about the value and importance of EHRs should fall to the EHR vendors. After all, the vendors are the experts of their products’ capabilities, not the physicians. Automatically electing physicians into this role is unfair.

When I represented an EHR vendor, we brought our message to physicians and patients. Get patients to realize the value of EHRs and you drive them to persuade their physicians to adopt the systems. Our stance meant we held ourselves responsible for educating the market about our EHRs’ capabilities. We didn’t feel that it was right to put our physician clients in the position of becoming product advocates unless they wanted to be. Advocating our products was our job.

As patients become more familiar with EHRs, they will fear them less, just as happened with online banking and shopping. Familiarity and comfort with these systems have changed and so have consumers’ perception of them; the same will ultimately happen for EHRs.