How will your hospital respond when CMS arrives to audit for HIPAA compliance?
In March 2007, the Office of Inspector General thoroughly audited the HIPAA security policies and procedures at Piedmont Hospital in Atlanta. The results have never been made public, but the mere specter of such an audit sent shockwaves throughout the healthcare industry.
In February 2008, the Centers for Medicare and Medicaid Services (CMS) announced that it will begin performing “compliance reviews” of covered entities’ HIPAA schemes. According to the director of CMS’s Office of E-Health Standards and Services, CMS has contracted with PriceWaterhouseCoopers to perform 10 to 20 of these “compliance reviews” between February and September of this year. However, these are merely the initial “reviews” in what is expected to be an ongoing campaign of such inspections extending into the foreseeable future. CMS has not said which facilities would be inspected first, but it has stated that it will begin with those facilities where complaints are pending or repetitive.
Healthcare providers in Mississippi are at lower risk for these early HIPAA audits, simply due to the comparatively lower volume of patients and fewer opportunities for HIPAA issues to arise. However, as time wears on, the chances for a HIPAA audit at a Mississippi hospital increase. To be prepared for such an audit, hospitals should complete a full review of their HIPAA compliance programs and materials to ensure that they have the requisite documentation on hand. In addition, hospitals should review their various departments and offices within the facility to verify that personnel are properly following those policies and procedures.
The Piedmont audit and the current “compliance reviews” are focused primarily on compliance with HIPAA’s Security Rule (mostly technical). To assist hospitals in preparing for the myriad technological issues involved in the 2008 reviews, CMS has issued a sample of the documents and persons most likely to be requested for these inspections. Download a copy at http://www.cms.hhs.gov/Enforcement/Downloads/InformationRequestforComplianceReviews.pdf. (For an unconfirmed list of the OIG audit requests, see Jaikumar Vijayan’s article at http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9025253.)
A review of the sample list makes clear that CMS and OIG are concerned primarily with the information technology issues involved in HIPAA and the interaction between people and technology. For example, CMS expects to interview the lead IT personnel at the hospitals, as well as the directors of human resources and training. Thus, while CMS wants to see the technical security of the computing systems, it also obviously wants to inquire about how personnel are being trained in the technical requirements of HIPAA. The impetus for these concerns with security is no doubt the pandemic of lost laptops, hacked networks and other technological security lapses in recent news, as well as the ubiquitous use of PDAs and cell phones (text messaging). In light of these obvious risks, and considering the current efforts to convert all systems to electronic medical records, there can be little question that CMS is anxious to mitigate the risk of unauthorized disclosure of private health information, a risk that has drastically increased of late.
So what can Mississippi hospitals do to prepare for the inevitable review of their HIPAA programs? First, start with a review of the CMS sample document mentioned above. Approach that list of items as though CMS were already, in fact, performing the audit. Thoroughly and aggressively identify and locate all relevant HIPAA documents and materials, and create a list or index of the locations of those documents for the future.
Next, immediately begin addressing any weaknesses identified in the review of the CMS sample. Remedy those weaknesses and thoroughly document the efforts to bring those areas into compliance. CMS and OIG give positive feedback for active efforts toward compliance.
Third, ask a legal professional or HIPAA security specialist to assess the program after the internal review to identify any other areas of concern and immediately remedy those items.
Finally, once the hospital has completed a thorough review of its compliance with HIPAA Security Rule requirements, immediately turn to the task of reviewing the hospital’s compliance with the Privacy Rule and all other aspects of HIPAA. While CMS is presently concerned with technology and security, HIPAA is a multi-headed hydra that must be confronted comprehensively. Piecemeal compliance will not ensure a “passing grade” with CMS or its auditors. Further, many professionals believe that the only way to truly comply with HIPAA is to harmonize the covered entity’s HIPAA policies to work together as a single structure. This can only happen with a fully comprehensive compliance plan that goes beyond technological concerns.
In the end, remember the new HIPAA audits are likely just the beginning of a long future of CMS’s focus on compliance with Security Rule requirements. Recent legislation in Congress indicates that new rules regarding that technical world may be approaching. To be sure that an audit of your facility is a dream, instead of a nightmare, consult your legal and HIPAA professionals and start managing that compliance effort now.
Damon Carpenter is an attorney with Wise Carter Child & Caraway, PA. July 2008