There are two new ‘HIPAA sheriffs’ in town, both ready to monitor and audit your HIPAA compliance practices. Under the 2009 HITECH Act, State Attorneys General (AGs) gained the authority to enforce HIPAA on behalf of their residents, and HHS has now contracted the consulting firm KPMG to audit covered entities’ compliance.
Steps to Survive a HIPAA Audit
In preparing for a visit from your State AG or a HITECH auditor, BridgeFront and the OCR recommend these steps:
1. Implement an annual employee training program
2. Document your safeguards for patient information
3. Review privacy and security policies and procedures
4. Enforce those policies and procedures vigilantly
5. Conduct regular internal audits and risk assessments
6. Maintain a prompt action plan for responding to data breach incidents
OCR Announces State Attorney General HIPAA Authority
This spring, the OCR announced its new HIPAA training program for State Attorneys General (AGs). Under the 2009 HITECH Act, AGs now have the authority to bring civil actions on behalf of state residents for HIPAA violations.
“Most state AGs are elected into office…which means there is more pressure to pursue HIPAA violations, particularly if there’s a ‘good story’ behind the data breach. They want to be seen as protecting the little guy,” says Jeff Drummond, health law partner in the Dallas office of Jackson Walker, LLP.
HITECH Auditors Set to Begin
Last week, the Department of Health and Human Services (HHS) awarded a $9.2 million contract to the consulting firm KPMG to launch the HIPAA audit program mandated by the HITECH Act. HHS will work with KPMG to roll out the program in three phases, starting later this year, says Susan McAndrew, OCR’s deputy director for health information privacy.
“This is just another opportunity for covered entities to take a moment for a self-assessment,” McAndrew says. “This will help them down the road in terms of building their own capacity for a robust compliance program…”
In a recent BridgeFront compliance study, more than 60% of participants indicated that they use online education as part of their compliance program.