Starting in February of 2016, the Office of Civil Rights (a division of the US Department of Health and Human Services) began phase 2 of the HIPAA audit program. What does this mean for dental practitioners and other health service providers? What does a health service provider need to do to be prepared for an audit? And what happens if a provider isn’t prepared?
Let’s start with a little bit of history on HIPAA audits. In 2011 the OCR began Phase 1 of the HIPAA audit program. They selected 115 covered entities to audit for HIPAA compliance. A covered entity is defined as: health plan providers, health care clearinghouses, and health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. At the time, they weren’t worried about Business Associates or other tangentially related businesses. These audits were very targeted and didn’t affect most health practitioners.
Fast forward to 2016 and the OCR has begun Phase 2 of this audit program. Instead of targeting just 115 providers, they are now compiling a comprehensive list of all medical service providers in the United States and will be reaching out to each provider via phone, mail, or email. Click here to view a sample contact letter. Once they add you to their list, they will make contact to find out who your HIPAA compliance officer is and ask for your HIPAA compliance documentation. They will expect you to have comprehensive documentation that generally adds up to somewhere between 50 and 150 (sometimes more) pages of legal documents, policies, training records, and other documentation.
You should already have a binder that contains all of this documentation ready to go. Part of being HIPAA compliant is being able to prove that you are HIPAA compliant. When performing HIPAA risk assessments for our clients, we generally find HIPAA documentation to be lacking or non-existent. If you don’t already have a HIPAA compliance binder, start one today. You’ll need copies of all of your policies surrounding HIPAA, records of employee HIPAA trainings, results of recent and regular internal HIPAA audits, and other documentation. If you don’t know where to start, contact J.J. Micro at 636-556-0009. With our PracticeProtect™ offering, we will help you every step of the way towards full compliance and documentation.
What happens if you are contacted and you aren’t ready for an audit? The OCR will give you 10 business days to respond with your documentation. If they don’t receive your documentation within 10 days, they will schedule a site audit. During a site audit, they will still want to see all of your documentation, but they will also want to interview your employees and look for any potential breeches or lack of documentation. From there, they will begin levying fines based on the severity of potential breeches. Benign issues could be $100 per issue, serious issues can be up to $50,000 per issue.
On average it takes somewhere between three and six months for one of our clients to go through the process of becoming HIPAA compliant. Do not wait until you are contacted by the OCR to begin the process. 10 business days is not enough time to gather all of the information, come up with your own policies, document everything, and provide the proper training for all of your employees. Get started now with PracticeProtect™!