Last year, healthcare lawyers at Lubell Rosen reported the amendments made to two major regulatory guides in the medical field — the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). Both acts were updated to provide better security and accountability standards for the privacy of protected health information (PHI), electronic protected health information (ePHI), and breach notifications.
Now, to prevent audit violations and ensure that HIPAA and HITECH standards are being upheld, the U.S. Department of Health and Human Services Office for Civil Rights (HHS OCR) has announced its plans to conduct surveys in over 1,200 health organizations, including private practices, hospitals, and their business associates. All of the organizations were affected by the changes made to HIPAA and HITECH in September of 2013.
These surveys, which were announced in February 2014 in a notice to the Federal Register, will encompass 800 covered entities and 400 business partners. This marks the first step taken by the HHS OCR to prepare for the coming audits, although, according to the notice, not all of the surveyed organizations will be included in the audits. The main focus of the surveys will be for the OCR to collect information about the average number of patient visits, electronic information records and usage, average revenue, and the business locations of those who participate. Once this data has been analyzed, the OCR can better determine whether the organizations should be audited under the new regulations.
The OCR’s plan to survey organizations in preparation for upcoming audits comes in the wake of the 2011 HIPAA pilot audit program, in which the OCR developed an audit protocol based on the efforts of 115 covered entities. When the findings from these audits were released in April 2013, the OCR found that most of the entities included in the audit were in violation of the standards in all three areas of the audit — security, privacy, and breach notification, according to the current laws. Additionally, two-thirds of the audited entities did not perform comprehensive, accurate security risk assessments, another violation of HIPAA and HITECH standards. The audit lists the most common cause of non-compliance as the organization being unaware that the requirement existed.
The upcoming OCR surveys will be supplemental to the existing compliance efforts, including investigation and complaint measures. The survey analysis will focus on security risk assessments, procedures for breach notification, encryption, policies and procedures, training for all staff members, and implementation of compliance programs. Throughout this process, the surveys will give the OCR an opportunity to evaluate how best to comply with HIPAA and HITECH standards, and uncover any risks or vulnerabilities that may be detrimental in an audit.
At Lubell Rosen, our healthcare lawyers advise doctors and medical organizations about changes to laws and regulations, as well as necessary action plans to prepare for upcoming surveys, audits, or investigations. If you have questions or concerns regarding the HIPAA and HITECH amendments, or your own facility’s procedures and potential audit violations, contact a healthcare lawyer at Lubell Rosen for a consultation today. We have offices in Florida, Georgia, New Jersey and New York, with attorneys ready to discuss the specifics of your case.