Another Type of Audit is Coming for Certain Businesses

Several years ago, Congress passed the Health Insurance Portability and Accountability Act, referred to as HIPAA for short. This purpose of this law is in part the protection of health care information for individuals. This is a privacy issue and a data security issue. Many of the readers of this article may have had to sign an additional form to allow their family member to have access to any medical information about themselves. This is part of what that law required.

Another part of this law required certain businesses to create company policies and procedures that would cause the businesses to comply with this law. This might include who has access to the medical records and in what circumstances and how to keep electronic records secure, to name a few of the policies and procedures required by the law.

In 2009, Congress passed another law called the Health Information Technology for Economic and Clinical Health Act, or HITECH. Under this law, the Department of Health and Human Services was mandated to conduct periodic audits to ensure that the entities covered by the HIPAA law complied with that law. Prior to the HITECH law, that federal department investigated potential violations of HIPAA only based upon specific complaints that were filed.

The new audits will cover a broad range of entities, large and small, and will include all three types of covered entities, including health care providers, health plans and health care clearing houses. These audits will require an on-site visit and someone from the audited entity will need to provide the auditors with specific documentation.

Although the audits at the present time are just part of a pilot program, these audits will attempt to gather information to create and share the best practices learned from the audit process and provide guidance based upon the shortfalls found. As most experts do not think that covered entities, such as small medical offices, are prepared for such audits, it is expected that the HHS will find a fair amount of noncompliance. In part, this may be due to the regulations that have been updated or added frequently and the fact that technology is constantly changing.

If the HHS audits and there are minor adverse findings, HHS will work with that entity to take corrective steps. However, if there are serious deficiencies, the HHS is authorized under the law to do a formal enforcement action, which may include a settlement agreement with a corrective action plan or even a civil monetary penalty.

While the pilot program is not auditing numerous entities, expect more of these audits to occur in the future. It would be a good idea to perform a self assessment to look for high-impact issues such as the privacy and data security rules and self correct to avoid the audit problems in the future.