Gazelle Consulting

New Enforcement: Ongoing HIPAA Audits

In September of 2015, the Office for Civil Rights (OCR) announced a new plan to strengthen HIPAA enforcement in response to criticism from the Office of Inspector General (OIG).

The OCR will be beefing up their compliance investigations and expanding their audit program in 2016. They plan to focus on more proactive efforts to identify non-compliance in business associates and repeat offenders.

New HIPAA Enforcement in 2016

It’s a common misconception among providers and business associates that HIPAA laws “have no teeth” and that violations will only incur a slap on the wrist. The OCR, which was legally mandated to enforce HIPAA compliance in 2006, has been working hard to change that perception. Its enforcement activities have included outreach and education to providers, response to complaints, and data breach investigations.

Despite the numerous enforcement activities already under way, the OCR recently came under scrutiny from the Office of Inspector General (OIG), which criticized its HIPAA oversight program. The OIG is calling for more proactive identification of non-compliant providers and business associates and for improvements to the OCR’s investigation process.

Based on these recommendations, the OCR has agreed to do the following:

  • Obtain documentation (i.e. evidence) of all corrective actions taken by covered entities involved in an investigation.
  • Improve the search functionality of their case tracking system.
  • Require all OCR staff to search for prior breach incidents when opening a new case.
  • Continue to expand outreach and education efforts to covered entities.
  • Fully implement a permanent audit program.

Implications of Ongoing HIPAA Audits

The OIG’s criticism focuses on the OCR’s reactive enforcement activities, pointing out that the OCR only investigates cases in response to complaints, tips, or media reports. The OCR’s expansion of its outreach and audit programs will enable it to discover non-compliant businesses and providers before a breach occurs.

Additionally, organizations that have already had one or more breaches or complaints will be coming under greater scrutiny. Through its improved investigations, the OCR will be tracking the corrective actions taken by businesses and providers and will be keeping a closer eye on repeat offenders.

Most importantly, the OCR has agreed to expand their Phase II audit program.

Random audits will begin in 2016 and extend to a permanent audit program that will target both covered entities and their vendors. This casts a much broader net when it comes to HIPAA oversight and it highlights the importance of having a solid HIPAA compliance program as a vendor.

What should you do to prepare?

  • Start now! – You don’t always get a warning shot. Use this opportunity to develop your HIPAA compliance program or identify gaps in your current activities.
  • Focus on training – HIPAA training goes a long way both in protecting you from a breach and in the eyes of the OCR. Make sure your employees receive training at least once per year.
  • Get help – Look online for HIPAA compliance starter kits or resources. Both the OCR and HHS frequently publish guidance on HIPAA compliance. If the task of becoming compliant seems overwhelming, seek out experts who can efficiently guide you towards a solution.

Takeaways

  • HIPAA enforcement is serious business, and as a provider you can expect to see increased enforcement this coming year.
  • Covered entities AND business associates will be targeted for random audits, starting in 2016.
  • Organizations with a previous breach or complaint should prioritize completion of corrective actions and HIPAA initiatives, as the OCR will be looking more closely at repeat offenders.

Does all this talk of audits and enforcement give you compliance-anxiety? Gazelle Consulting is here to help!

Give us a call today at (503) 389-5666 or email us at info@gazelleconsulting.org. We make HIPAA compliance feel like a walk through a grassy savanna!
