01/08/2018 Richard B. Willner, DPM
The HIPAA Audit
One of the byproducts of the passage of the HITECH Act as part of the ARRA was the mandatory HIPAA audit with mandatory fines. The passage of these laws was delayed to give time to understand the regs and to come into compliance. It was not until April 2010 that the Office for Civil Rights (OCR) at the U.S. Dept. of HHS awarded two contracts to Booz Allen Hamilton, Inc. The first contract was for audit consulting support to OCR to help train the auditors. The second contract was to help OCR develop training seminars for state attorneys general on HIPAA rules and regs.

The HITECH Act is a subsection of the HIPAA of 96. HITECH Security Act part 2 strengthens many of the rules and regs of HIPAA and can be thought of as making it stronger, especially for patient health information (PHI). Prior to HITECH, HIPAA violations were handled with a letter. This was no big deal. HITECH eliminated the letter. "Wilful neglect," which includes breaches of PHI, carries a penalty of USD 1.5M. Most physicians will get a fine of upwards of $10,000 in real life. But, with ease, it can go much higher. Add your legal fees and this is a Game Changer.

So, how do you get an audit?

1. Breach or complaint of a breach. A breach of above 500 must be publicly reported. A doctor who uses an iPhone can hit this threshold easily. Loss of the phone will give you great headaches unless one puts certain precautions in place that are beyond the scope of this Note, but any 8 year old would know what to do.

2. A complaint by anyone. A patient. A staffer, etc. HHS is mandated to investigate all complaints.

3. When you fill out your $44K app for economic stimulus payments. The app will ask about "Meaningful Use" and will ask questions about HIPAA compliance. You sign the form and you certify that you are HIPAA compliant, and you are expected to have the policy and procedure manuals in place, your staffers trained, and your annual audits done.

You are expected to have prevention, detection, containment, and correction of violations. You are expected to have background checks of staffers. Pass codes, access rights, identification of staffers with remote access, and a detailed list of any terminated employees with documented changes to protect data. You must have a list of authentication methods used to identify users who can access the EPHI. You need copies of the business associate agreements. You need to prove physical security. You need to have encryption of EPHI. You need to prove absolutely safe transmission of data moved from computers to smart phones, thumbs, wireless networks, etc. Documentation of which staffer has which level of security access and which computers they can use. Examples of training programs for staffers and doctors. Data backup, testing, recovery. Remote security of all kinds. Documentation appropriate to this.

The HIPAA regs and the HITECH Act are very hard to read and understand. The fact that audits and enforcements have been weak in the past means that the agencies will go into hyperdrive now. Over 168 items can be looked at in the audit, with 25 incidents per item. The failure to comply with HIPAA-HITECH will be very costly. Remember that this HIPAA law started MILD and then, with time, it became a monster!! We have seen the same with ObamaCare with its huge law and massive amount of regulations. Even Stevie Wonder can see this.

Richard Willner, DPM, Kenner, LA