Another type of audit is coming for certain companies

August 29, 2021

Several years ago, Congress passed the Health Insurance Portability and Accountability Act, known as HIPAA for short. The purpose of this law is, in part, the protection of people’s medical information. This is both a privacy issue and a data security issue. Many readers of this article may have had to sign an additional form to allow their family members access to medical information about themselves. This is part of what that law required.

Another part of this law required certain companies to create policies and procedures that would bring them into compliance with it. These could cover who has access to medical records and under what circumstances, and how to keep electronic records secure, to name a few of the policies and procedures required by law.

In 2009, Congress passed another law called the Health Information Technology for Economic and Clinical Health Act, or HITECH. Under this law, the Department of Health and Human Services was mandated to conduct periodic audits to ensure that entities covered by HIPAA were complying with that law. Before HITECH, that federal department investigated potential HIPAA violations only on the basis of specific complaints that were filed.

The new audits will cover a wide range of entities, large and small, and will include all three types of covered entities: health care providers, health plans and health care clearinghouses. These audits will require an on-site visit, and someone from the audited entity will need to provide the auditors with specific documentation.

Although the audits at the present time are only part of a pilot program, these audits will attempt to gather information to create and share best practices learned from the audit process and provide guidance based on any deficiencies found. Since most experts do not believe that covered entities, such as small medical practices, are prepared for such audits, HHS is expected to detect a significant amount of non-compliance. In part, this may be due to regulations that have been frequently updated or added, and the fact that technology is constantly changing.

If HHS conducts an audit and there are minor adverse findings, HHS will work with that entity to take corrective action. However, if there are serious deficiencies, HHS is authorized by law to take formal enforcement action, which may include a settlement agreement with a corrective action plan or even a civil monetary penalty.

While the pilot program is not auditing numerous entities, it is expected that more of these audits will be conducted in the future. It would be a good idea to do a self-assessment to look for high-impact issues, such as data security and privacy rules, and to self-correct to avoid auditing issues in the future.
