The Office of Civil Rights (OCR) has announced that the second phase of Health Insurance Portability and Accountability Act (HIPAA) audits will begin in early 2016.
Earlier this year, the Office of Inspector General (OIG) issued a report calling for greater oversight of covered entities with regard to HIPAA compliance. The report said that changes were needed to better protect the privacy of healthcare patients. Among the recommended changes were: implementing a permanent audit program; maintaining documentation of any corrective action taken; developing new methods for tracking specific cases; developing a policy for checking whether a covered entity has been audited and investigated in the past; and continuing HIPAA education, outreach and training.
In response to the OIG report, the OCR said it would implement the recommendations and that phase 2 of its auditing program would begin early next year. So, what should you do to prepare for the upcoming wave of HIPAA audits?
First and foremost, it's important to note that both covered entities and business associates will be targeted during phase 2 of the HIPAA audits. Business associates must implement the necessary safeguards and procedures to protect patients' data in much the same way as a covered entity. Furthermore, business associates must have "agreements" in place that outline the ways in which Protected Health Information (PHI) will be used.
One of the most common reasons covered entities and business associates are cited for HIPAA violations is that they fail to properly dispose of PHI. Tossing a patient's file in the trash isn't sufficient, as it may end up in a dumpster where anyone can access it. Paper files such as these must be completely destroyed so that the patient's personal data can no longer be recovered. Incinerating and/or shredding should work in most cases.
Although not a specific requirement for HIPAA compliance, it's recommended that you encrypt all forms of Electronic Protected Health Information (EPHI). Whether it's an email, a document stored on a hard drive, a cloud-based document, etc., all forms of EPHI should be encrypted whenever possible. Doing so significantly reduces the risk of an unauthorized individual or party accessing the patient's information.
Of course, these are just a few basic steps that covered entities and their business associates can take to prepare for the next phase of HIPAA audits. You may also want to check out some of our previous blog posts here at Allpoint Compliance for more compliance tips and tricks.