The long-delayed permanent HIPAA privacy/security audit program finally is on its way, as is the resumption of the Recovery Audit Contractor program, according to audit professionals at health information management vendor HealthPort.

The RAC program is expected to resume in October but with changes, says Dawn Crump, HealthPort’s vice president of audit management solutions, during a talk with Health Data Management at the HFMA Annual National Institute in Las Vegas. The contractors will be reorganized into new geographic regions that more closely match regions for other Medicare audit programs, and possibly at least one contactor may switched, Crump believes. New regions will benefit some providers, who have been subject to RAC audits from up to three contractors.

Crump also notes that the Centers for Medicare and Medicaid Services is expected to introduce more structure to the “discussion program,” an informal and quicker way to resolve disputes when a provider disagrees with a RAC’s decision, rather than going through the formal and backlogged appeals process before administrative law judges. In addition, she expects CMS will reduce the number of records that a RAC can request for audits if providers’ denial rates are improving in problem areas, such as a high-cost drug with improper unit dosing. But Crump adds a caveat to the expectations: “Nothing is on the CMS website, this is speculative.”

Following a pilot program, the HHS Office for Civil Rights, finally expects later this year to launch random HIPAA audits to monitor compliance with the privacy and security rules. Unlike the comprehensive audits in the pilot, the permanent program now is designed to be more limited, but focusing on major threats to confidentiality and security.

The permanent HIPAA audit program will be “desk audits,” a process where OCR looks at an organization’s patterns of compliance, says Rita Bowen, senior vice president of HIM and privacy officer at HealthPort. If a breach was a simple mistake and not emblematic of systemic problems, there won’t be consequences other than a focus on mitigation to fix the mistake.

But failure to comply with a handful of issues--such as whether an organization followed its own policies (which demonstrate that compliance is operational), whether BYOD policies were sufficient and whether encryption was properly utilized--could and likely will result in financial penalties that could be significant, Bowen says. On the issue of encryption, for instance, if an organization encrypts protected information in transit but it is opened with a public key, then the information is still not encrypted end-to-end with a private key and that is not adequate protection.

Another example, she provides: If an organization had a breach and has a policy to retrain appropriate employees, OCR will want to see evidence that the retraining was done. If there was a flaw in an organization’s security policies that caused a breach, OCR will want to see proof that all employees were retrained, according to Bowen. Fines will be part of the audit if an organization did not mitigate weaknesses following a breach and continue to follow through on protections, as OCR will see these actions as willful neglect, she warns.

Even if an organization has not had a breach but OCR finds deficiencies in complying with provisions of the HIPAA rules that an organization should have known about, the organization could be fined. “Failure to know is not an excuse anymore,” Bowen says.

The bottom line is that OCR learned during the attestation process in Stage 1 of the meaningful use program that organizations were attesting full compliance with the HIPAA rules when it later became apparent following a breach that they were not compliant.

The schedule of fines under the HIPAA audit program is in the HIPAA Omnibus rule published in January 2013. If an unencrypted laptop was stolen, there is a specific monetary fine attached to that incidence. If 20 laptops were stolen the fine would be assessed for each of the 20.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access