The second round of HIPAA compliance audits by the Department of Health and Human Services’ Office for Civil Rights started late last year. The audit program consists of desk-based audits of HIPAA-covered entities and business associates, followed by a round of exhaustive audits with on-site visits. The desk audits have been completed; the on-site audits have been temporarily halted and are likely to begin in early 2018. Only a few covered entities were chosen for the second stage of compliance audits; nevertheless, covered entities that were not audited may still need to show that they comply with the HIPAA Rules.
Besides the audit program, HIPAA-covered entities that have experienced a breach of more than 500 records are investigated by OCR to determine whether the breach was caused by violations of the HIPAA Rules. OCR likewise investigates complaints submitted via the HHS website.
No financial penalties were issued during the first round of HIPAA compliance audits in 2011/2012, but that may not be the case for the second round. In addition, the last two years have seen more financial penalties for violations of the HIPAA Rules that were identified during investigations of complaints and breaches.
There is currently an increased risk of an audit or investigation, and OCR is penalizing more entities for violations. Consequently, covered entities can no longer afford to take chances. Many healthcare companies are using HIPAA compliance software and enlisting the help of compliance specialists to make sure they have complete compliance programs in place and so avert financial penalties. One example is the Imperial Valley Family Care Medical Group.
Imperial Valley Family Care Medical Group is a multi-specialty physician group with 16 centers distributed across California. IVFCMG was not chosen for a desk audit, but following the theft of a laptop computer, OCR investigated the breach. OCR required IVFCMG to demonstrate its compliance with the HIPAA Rules and to present documentation proving that the breach was not the result of a failure to adhere to them.
Covered entities fear a comprehensive HIPAA audit, yet breach investigations are just as comprehensive. When investigating breaches of protected health information, OCR usually requires substantial documentation to be presented so that compliance can be evaluated. In the case of IVFCMG, OCR’s investigation was extensive.
Replying promptly to OCR’s numerous questions was vital. IVFCMG, like any covered entity that OCR investigates or selects for an audit, had to respond carefully. All questions should be answered on time and supported with relevant documentation. If the HIPAA Rules are not strictly adhered to after a data breach, the covered entity will be fined. Consider Presence Health, which was penalized $475,000 by OCR for potential HIPAA Breach Notification Rule violations after experiencing a breach of PHI.
Right after the breach, IVFCMG sought help from a third party, the Compliancy Group. With the company’s Breach Response Program, IVFCMG was able to make certain that it completed all of the required actions promptly and that each of those steps was properly documented.
The Breach Response Program is part of the Compliancy Group’s “The Guard” HIPAA compliance software. Compliancy Group streamlines HIPAA compliance, enabling healthcare providers to run their businesses with confidence while satisfying all of the requirements of the HIPAA Privacy, Security and Breach Notification Rules. The Guard uses the “Achieve, Illustrate, and Maintain” strategy to ensure continuing compliance, with covered entities advised by HIPAA compliance specialists every step of the way.
Don Caudill, Chief Strategic Officer of IVFCMG, said that the Compliancy Group provided a complete report and documentation showing that IVFCMG’s HIPAA compliance program adhered to the law, which really helped IVFCMG avoid large fines. When OCR asked questions about another aspect of the HIPAA Rules, IVFCMG responded in due time and provided proof that it complied.
HIPAA compliance software helps covered entities pass a HIPAA audit, respond properly to OCR investigations of data breaches and complaints, and avoid penalties for non-compliance. OCR has doubled its enforcement efforts over the last two years because of the rising number of healthcare data breaches. Non-compliance with the HIPAA Rules is therefore more likely to be identified and to result in financial penalties.
Small and medium-sized HIPAA-covered entities with limited resources to allocate to HIPAA compliance benefit greatly from using HIPAA compliance software and obtaining outside help from HIPAA compliance specialists.