KENTUCKY REGIONAL EXTENSION CENTER

HIPAA

The HHS Office for Civil Rights (OCR) has sent out pre-audit screening surveys to covered entities. Once OCR compiles responses, it will do a Phase 2 audit not only of covered entities but also of business associates.

While these take the form of Meaningful Use audits, covering incentives paid from January 1, 2011 through June 30, 2014, they are really more about checking how well you protect ePHI.

This effort is a drive to be sure that providers and BAs are complying with the HIPAA privacy, security and breach notification requirements. According to the National Law Review, OCR found, during Phase 1 pilot audits in 2011 and 2012, that there was “pervasive non-compliance” with regulations designed to safeguard protected health information.

According to HHS Office of the Inspector General (OIG), selection for the audits is random.

So if you get one of the dreaded pre-screening letters, how should you respond?

According to CureMD, auditors will be focused on the following areas:

• Risk Assessment audits and reports
• EHR security plan
• Organizational chart
• Network diagram
• EHR web sites and patient portals
• Policies and procedures
• System inventory
• Tools to perform vulnerability scans
• Central log and event reports
• EHR system users list
• Contractors supporting the EHR and network perimeter devices

According to CureMD, the auditors will speak to the person primarily responsible for each of these areas, a process which could quickly devolve into a disaster if those people aren’t prepared. CureMD recommends that if you’re selected for an audit, you run through a mock audit ahead of time to make sure these staff members can answer questions about how well policies and processes are followed.

In addition to defending your security precautions, you have to make sure that all parts of your organization are in line. Be mindful of this while planning for the audit: deficiencies identified for one physician in a physician group, or one hospital within a multi-hospital system, may apply to the other physicians and hospitals using the same EHR system and/or implementing meaningful use in the same way. Thus, the incentive payments at risk in this audit may be greater than the payments to the particular provider being audited.

See EMR & HIPAA article here.

Contact Kentucky REC to learn more! Call: 859-323-3090 or Email: kyrec@uky.edu