The HHS Office for Civil Rights (OCR) is gearing up for random audits of healthcare providers and their partners. In 2016 OCR is starting the second phase of its ongoing audit program for covered entities (CEs) and business associates (BAs). You may recall that OCR is responsible for enforcing the HIPAA Privacy, Security and Breach Notification Rules against covered entities. HIPAA complaints are reported to OCR, which also takes enforcement action against those found non-compliant. This 2016 round of active audits will involve desk audits and on-site audits of the policies and procedures of selected covered entities and business associates. The audits will cover a range of covered entities: health plans; health care clearinghouses, such as billing services and community health information systems; and health care providers, together with their business associates and partners. They will measure each organization's adherence to the standards and implementation specifications of the Privacy, Security and Breach Notification Rules.
Risk & Costs of Non-Compliance
The risks and very real costs of non-compliance are well documented. The risk to an organization extends far beyond the financial: HIPAA violations are costly to remediate, can harm the viability and reputation of a brand, and in the worst case can put the business itself at risk.
Some Alarming HIPAA Statistics:
According to the US Department of Health and Human Services Office for Civil Rights, between April 2003 and January 2013 it received 91,000 complaints of HIPAA violations, of which 22,000 led to enforcement actions of varying kinds (from settlements to fines) and 521 led to referrals to the US Department of Justice for criminal action. The Health and Human Services website details some recent violation fines and resolutions:
- HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software
- $800,000 HIPAA Settlement in Medical Records Dumping Case – June 23, 2014
- Data Breach Results in $4.8 Million HIPAA Settlements – May 7, 2014
- Concentra Settles HIPAA Case for $1,725,220 – April 22, 2014
- QCA Settles HIPAA Case for $250,000 – April 22, 2014
Purpose of These Audits
HHS OCR has clearly stated that the purpose of these audits is to improve the compliance of covered entities (CEs) and business associates (BAs). As HHS OCR states: “The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”
HIPAA Compliance Takeaway
Organizations should take these planned, active audits as a wake-up call. If you have not yet undertaken HIPAA compliance efforts, the time is now. The risks of non-compliance are far too many to ignore, and the very real financial risks require that any CE or BA take the time and effort to achieve compliance. Have you taken ample steps to ensure compliance? The auditors are coming and are already selecting candidates for audit. If you have not, we can help. Contact us and learn how our HIPAA compliance offerings can keep you compliant. Until then, feel free to read a few of our other HIPAA-related posts or join our newsletter for up-to-date compliance details in your inbox.