With HIPAA audits expected to tighten up this year, healthcare advisory organizations are publishing guidance on preparing for audits, along with a number of steps to take with your team.
MONDAQ is reporting that, “On March 27, 2017, Iliana Peters, Senior Adviser for HIPAA Compliance and Enforcement at the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) spoke about OCR enforcement, current trends, and breach reporting statistics at the Health Care Compliance Association’s Compliance Institute. Peters stated that guidance on “hot button” privacy issues will be a priority for OCR this year. Practitioners can expect to see guidance ranging from social media privacy, certification of electronic health record technology, and the rationale for penalty assessment, according to a Bloomberg report.”
Bloomberg gave some specific numbers on what could be “earned”, federally, as a result of RAC Medicare audits in an article entitled, “Reinstituting RAC Medicare Audits Would Add $40 Billion Per Year To The Federal Budget.” RAC stands for “Recovery Audit Contractor”, and the government’s CMS office has put out a PDF on “The Who, What, When, Where, How and Why” of such audits. According to that PDF, the RAC program mission includes the following objectives:
The RACs detect and correct past improper payments so that CMS and Carriers, FIs, and MACs can implement actions that will prevent future improper payments:
- Providers can avoid submitting claims that do not comply with Medicare rules
- CMS can lower its error rate
- Taxpayers and future Medicare beneficiaries are protected
AHIMA (American Health Information Management Association) has published a toolkit for preparing healthcare professionals for on-site HIPAA audits. As HIPAA Journal explains, in coming months the HIPAA audits “will be much more thorough and will look much deeper into organizations’ compliance programs. Not only will covered entities be required to show auditors documentation demonstrating compliance with HIPAA Rules, OCR will be looking for evidence of HIPAA in action. To help with the audit preparation process, the American Health Information Management Association (AHIMA) has updated its HIPAA audit readiness toolkit. The toolkit can be used by covered entities to assess their compliance efforts and determine whether they have all the necessary documentation, policies, and procedures in place to meet all Health Insurance Portability and Accountability Act requirements.”
The updated HIPAA audit toolkit is available to AHIMA members for $99.95. According to AHIMA, “The ‘External HIPAA Audit Readiness Toolkit’ addresses all the key aspects of Phase 2 audits, including helping covered entities and business associates understand their respective requirements. The toolkit also features best practices and tips to meet all the necessary responsibilities.”
A recent article in Health IT Security mentions the AHIMA toolkit, but emphasizes it is just the first step in the process. The article quotes AHIMA IG Advisors Senior Director Kathy Downing, advising that “organizations focus on employee training, education, and awareness. However, it should go beyond just HIPAA training, education, and awareness, she added. At this point, providers should be fairly knowledgeable on those overarching concepts. If they’ve been working in healthcare and they’ve gotten your annual training, now it’s time to talk to them about what’s a phishing email? What would a cyber attack look like? What does a ransomware attack look like? It’s about bringing employees up on your current, really high risk areas.”
Furthermore, the Audit & Appeals Fairness, Integrity, and Reforms in Medicare Act (known as AFIRM), first introduced in late 2015, looks like it may be reintroduced this year. The bill would add more resources to the Office of Medicare Hearings and Appeals to help combat the growing backlog of Medicare claim appeals. “The AFIRM act also would tackle the issue of claim denials from Recovery Audit Contractors, which has been identified as a possible driver of the backlog,” writes Emily Mongan for Knight’s.
How much are the possible fines for HIPAA audits that come up short? Becker’s Hospital Review gave details last year of a series of fines for failed audits, including $5.55 million collected from Advocate Health Systems, $4.3 million from Cignet Health, and $4.8 million from New York Presbyterian and Columbia University. Becker’s also offered guidance notes for hospitals in a different article, including that “the OCR is selecting entities for audit across a wide range of healthcare providers, health plans, clearinghouses and business associates. The OCR will not audit any organizations currently undergoing a compliance review.”