Tag: primary source

The HIPAA Audit Program and you

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun it’s next phase of audits to confirm that organizations are in line with HIPAA protocol. The 2016 Phase 2 HIPAA Audit Program is looking to strengthen it’s Health Insurance Portability and Accountability Act (HIPAA) enforcement efforts by being more proactive.

For 2016’s Fiscal Year, the budget for OCR’s office increased by $4 million over the year before in anticipation of these audits. They will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards (laid out in Phase 1) and implementation specifications of the Privacy, Security, and Breach Notification Rules.

These audits were mandated by the HITECH Act to conduct periodic random audits to assess entity compliance with HIPAA. These will primarily be desk audits, but some on-site audits can occur. This could be anything from a drop in one-hour audit to a multi-day operational audit.

Let’s look back:

Before phase 2 (the audits) began, they started with phase 1:

“HIPAA established important national standards for the privacy and security of protected health information and the Health Information Technology for Economic and Clinical Health Act (HITECH) established breach notification requirements to provide greater transparency for individuals whose information may be at risk. HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules. In 2011 and 2012, OCR implemented a pilot audit program to assess the controls and processes implemented by 115 covered entities to comply with HIPAA’s requirements.  OCR also conducted an extensive evaluation of the effectiveness of the pilot program.  Drawing on that experience and the results of the evaluation, OCR is implementing phase two of the program, which will audit both covered entities and business associates. As part of this program, OCR is developing enhanced protocols (sets of instructions) to be used in the next round of audits and pursuing a new strategy to test the efficacy of desk audits in evaluating the compliance efforts of the HIPAA regulated industry. Feedback regarding the protocol can be submitted to OCR at OSOCRAudit@hhs.gov.” – HHS.gov Read More The HIPAA Audit Program and you

Slipping Through the Cracks in the Process

More and more public watchdog groups, press and user groups are finding holes in the system that may be of concern to those who are hiring or credentialing medical providers.  The article dated June 30, 2014 from NPR demonstrates the complexities and timing issues.  Some providers are able to circumvent the billing process and continue to receive payment for years after being acted upon by the various state medical boards. http://www.npr.org/blogs/health/2014/06/20/323889329/sanctions-common-against-doctors-with-odd-medicare-billing?ft=1&f=1001

Credit Reporting Agencies focusing on hiring, compliance groups and credentialing organizations have the mission to surface issues beyond just the exclusion data repositories like the Office of the Inspector General (OIG) or one of the many Federal sites that track violators.  As you know, being excluded from the Federal Medicare process is only one element of the wider net that is needed to get all the data to make a hiring, risk or just plain due diligence decision.

The problem is often just timing.  A scenario might be a provider is arrested for a crime and adjudication begins.  Maybe a state medical board reviews the incident and takes action.  The various states may jump into action and exclude the provider from receiving Medicaid payments which is administered from the states even though the money comes primarily from the Federal tax dollars.  The license may be affected at the board level and it make take time to get into the exclusion process.  Hearings have to be set and conclusions reviewed.

It is the due process that takes time and we all appreciate the need for it.  But if you are a hiring entity or compliance group you may get caught in the cracks.  The key is to check the various Federal, State and board actions that will blanket the whole process.

It is possible to get an accurate, up to date picture and TyphoonDATA has a solution with will cast a wide net, verify the false positives and close the cracks into a simple to use click process.

If you would like to discuss, call us at 800.780.5901 or email us at RRupert@typhoondata.com or SSkyhawk@typhoondata.com .  We would love to help you with your mission.