Under the Health Information Technology for Economic and Clinical Health Act, the US Department of Health and Human Services' Office for Civil Rights is now required to perform periodic HIPAA compliance audits. Phase 1 audits, which focused solely on covered entities, were completed in 2011 and 2012. Phase 2 audits, which will include both covered entities and business associates (e.g., medical billing companies, software vendors), are scheduled to begin at any time and be completed by June of 2015.
To find out if physicians are prepared for the upcoming audits, NueMD conducted a survey of medical practices and billing companies across all 50 states. Almost 1,200 businesses responded to the survey (87% medical practices, 13% billing companies). Of those surveyed:
- 58% of respondents said they had a HIPAA plan; 23% said they did not; 19% were unsure.
- 66% of respondents were unaware of the HIPAA audits.
- Only 35% of respondents said their business has conducted a HIPAA-required risk analysis.
- Only 24% of managers, owners, and administrators at medical practices reported that they've evaluated all of their Business Associate Agreements.
This data seems to suggest that the majority of physician practices are not adequately prepared for the upcoming audits. Mike Sacopulos, CEO of the Medical Risk Institute, estimates that 85% or more of small- to medium-sized practices have some sort of deficiency when it comes to HIPAA compliance. His reasoning is that in Phase 1 of the OCR audits, only 11% of audited entities, which included large third-party payers and hospital corporations, were found to be HIPAA compliant. "I would say that if they found across the board with all these big entities that there was 89% noncompliance that we could expect it would be just as high if not higher in small to medium-sized practices," Sacopulos said in the article.
According to the Health Information and Management Systems Society, complying with the HIPAA regulations can be challenging for all healthcare organizations, regardless of size. However, smaller practices face the additional challenge of having limited resources to research reliable sources of information on what is actually required by HIPAA and to then find ways to address the requirements.
There are a few things practices can do to prepare for a HIPAA audit:
- Conduct a risk analysis of your practice. This risk assessment tool can help.
- Review the OCR audit program protocol and make sure you have addressed everything in the "Audit Procedures" column.
- Make sure that staff receives adequate training.
Family physician David Kibbe, MD, MBA, told Family Practice Management that the best way for physicians to approach the HIPAA regulations is to break them down into small and manageable categories and tasks. "The familiar problem-oriented approach you use to evaluate patients' medical problems can be helpful as you assess your current security situation and prioritize what needs to be done to meet the HIPAA challenge," he said. "The idea is to manage HIPAA compliance the same way you solve your patients' problems—one at a time and as the result of careful examination, diagnosis and, where necessary, consultation."