Updating HIPAA policies and procedures
The Department of Health and Human Services' Office for Civil Rights (OCR) warned healthcare providers and their business associates of its intention to launch a series of random HIPAA compliance audits throughout 2016.
The announcement caused some panic among businesses unsure of their ability to pass a compliance review.
A covered entity is any health plan, healthcare clearinghouse, or healthcare provider that transmits protected health information (PHI) electronically.
A business associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, whose audit provision took effect in 2010, requires HHS to conduct periodic audits, but before 2016 the OCR had yet to implement an audit program that proactively evaluated the compliance status of covered entities and business associates.
A 2015 report released by the Office of Inspector General found the OCR’s oversight of HIPAA compliance to be lacking.
Generally, an audit will require an organization to produce records of its compliance efforts dating back several years; the HIPAA Security Rule's documentation standard itself requires policies, procedures, and records of required actions to be retained for six years.
Before 2016, the OCR investigated non-compliance only after a complaint, tip, or media report had been received; as a result, 98% of closed privacy cases stemmed from a complaint.
A business and its employees should understand what a HIPAA compliance audit entails and what steps should be taken to adhere to HIPAA standards.
When an organization is audited, it will be evaluated on areas such as individuals' rights to request privacy protections for their PHI, individual access to PHI, administrative, technical and physical safeguards, uses and disclosures of PHI, Breach Notification Rule policies, and the amendment of PHI.
Note that some states define the roles of covered entity and business associate differently, so businesses should check with their legal counsel or state trade association to determine the rules that apply in their state.
In Texas, for example, covered entities are classified as any organization in possession of PHI, meaning business associates are subject to the same regulations imposed on covered entities.
HIPAA's requirements for safeguarding patient health data are well known to the staff of a physician's office; the same obligations extend to every business associate that handles PHI on the practice's behalf.