Healthcare practices can use the deferment to complete their required annual Security Risk Analysis
IRVINE, Calif., (January 27, 2015) — In what may come as a relief for several healthcare providers, there is still uncertainty about when the next round of HIPAA Audits will start. What you have right now is time to look at your medical practice’s state of digital security and compliance status in line with the Omnibus Rule changes, if you have not already done so.
Since last fall, there have been warnings to healthcare providers that HIPAA Audits are ‘coming soon’. However, the latest news reports show that they are tweaking their online portal, making other technical improvements, and adjusting audit protocols, which can run into many weeks or even months. What you can do is keep an eye out for updates and new announcements about the audit program.
If you think this new round of audits will not be as intense as the last round, think again. Just in case you have been living under a rock for the last ten years, the size and scope of the federal government have grown to epic proportions.
“The Federal Machine shows no signs of slowing or shrinking anytime soon. The market is managed by huge, bureaucratic organizations that employ thousands of people that do nothing all day but grind through minutiae. This leads to things like the looming ICD-10, a diagnostic coding system that governs the classification and reporting of diseases and injuries,” says Jared Festner, Medical ITG’s HIPAA Specialist.
With more than 140,000 different codes, the ICD-10 gets specific. Was the patient struck by a chicken? Enter code W6132XA. Were they struck by a goose? That is a separate code—W6152XA. Also, code S1087XA covers unexpected hickeys on the neck. There is one code for assault with a hockey stick (Y0801XA), another for assault by a letter bomb. Finally, there is V91.07XA, for patients burned by flaming water skis. (Burned by flaming water skis a second time? That’s V91.06XD.)
American health care providers must update from ICD-9 to ICD-10 this year. You have until October 1st, 2015. The law is written in black & white at the beginning of the Federal Register, under a rule titled “Administrative Simplification.”
“If you think for one minute your practice won’t be under the microscope for everything from device encryption, to making sure that every policy & procedure is completely filled out and updated on a yearly basis, you’ll be kicking yourself once you receive fines up to $1.5 million per offense,” adds Festner.
The repercussions of non-compliance
Auditors will be looking for patterns in determining whether to check on a provider. Information about many similar breaches and a lack of action from the provider can be a major factor in the ‘whether or not to audit’ decision. However, keep in mind the audits are random and you can never tell if you will get caught in the net. HIPAA auditors are out to set as many examples of non-compliance as possible. They may have a point, given that HIPAA data breaches have climbed 138 percent and fines have ranged from $800,000 to $4.2 million over the last few years.
If you cannot prove compliance, not only will you come under the auditors’ radar, but you will also be liable for settlement fines anywhere from $215,000 up to millions. Large healthcare organizations may be able to afford six-figure or larger fines but cannot escape a loss of reputation and public goodwill. For small medical practices and doctors with twenty or fewer employees, a hefty fine can be a major sting affecting their very survival. Better safe than sorry is a good attitude to have given the consequences of failing an audit. If you think you are immune from public scrutiny once you pay your fine and serve your time, think again. The “HIPAA Wall of Shame” will keep its webpage up indefinitely.
What kind of audits are you looking at?
Auditors originally planned to conduct 400 covered entity desk audits and many on-site audits. Then, they brought the number of desk audits down to less than 200 covered entities and did not put a cap on the intended number of on-site audits. Please remember covered entities are not necessarily single medical professionals. A covered entity can be an organization as small as one physician and as large as a chain of hospitals spanning across the country.
Many small and midsized practices, as well as single doctors, are probably not prepared for an audit. There are two levels of scrutiny:
- A desktop audit that assesses a practice’s network security. It will target the provisions responsible for many of the compliance failures found in the pilot audits.
- An on-site audit examining compliance with a broad list of HIPAA policies and procedures.
If you do not have a plan in place, start by conducting a security risk assessment to find potential vulnerabilities. It is best to make the most of the time you have until the audits begin instead of stressing out and scrambling at the last minute. Medical ITG conducts security risk assessments for their clients so they will not put their medical licenses or even the existence of their practice in jeopardy.
“The option to disregard these audits is no longer an option,” replies Festner. “The only choice you have is whether or not you bet with your medical license, or with your wallet. We’ll support you either way.”
For more information about Medical ITG’s Security Risk Assessment Program, please visit medicalitg.com, call toll free at 1-877-220-8774, or send an e-mail to info@medicalitg.com.
About Medical Information Technology Group
Medical ITG is an expert Healthcare IT company in Irvine, CA. Using our cutting-edge options in HIPAA Compliance and HIPAA/HITECH/OMNIBUS Policies and Procedures, Medical ITG will manage our clients’ complex day-to-day IT demands. Medical ITG will also help prepare healthcare organizations for tough HIPAA Audits through our comprehensive Security Risk Analysis Program.