Magazine article Behavioral Healthcare Executive

Five Steps to Protect Your Organization from HIPAA Audits: Protect Your Organization from New Audits Being Conducted by the HHS Office of Civil Rights

Article excerpt

Violations of the Health Information Portability and Accountability Act of 1996 (HIPAA) are serious business for behavioral health professionals. It is not uncommon for such violations to cost healthcare providers more than $1 million in penalties or settlements.

Until recently, such settlements and penalties arose almost exclusively from patient complaints alleging compromised protected health information. Now, psychiatrists, psychologists, therapists and other behavioral health practitioners must be wary of a new source: the HIPAA audit.

The audits are made possible under Section 13411 of the American Recovery and Reinvestment Act of 2009, which established the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has engaged KPMG, LLC to conduct pilot audits of covered entities, which will run through December 2012.

The pilot will include audits of up to 150 covered entities of all sizes. This can include any healthcare provider that transmits health information in electronic form. Behavioral healthcare providers, psychologists, psychiatric clinics, behavioral health managed care companies, psychiatric hospitals and others are all at risk.

Audit process

An audit begins with a notification letter requesting evidence of a covered entity's HIPAA privacy and security compliance efforts. Thirty to 90 days following receipt of the requested information, KPMG will conduct an on-site visit. The on-site visit will include interviews with the entity's leadership, examination of the physical space and operations, review of consistency of the entity's practice with its stated policies and observation of the entity's compliance with the HIPAA rules.

Based on its findings, KPMG drafts a report and turns it over to the audited entity for review. Within 10 business days, covered entities may provide written comments, concerns and corrective actions taken to address any potential violations. KPMG then provides a final report to OCR.

Steps to prepare and protect

This year's pilot period provides behavioral health entities with an opportunity to prepare themselves for an audit. Below are five steps to HIPAA audit protection.

* Update or create HIPAA policies. A policy drafted even a few years ago may be out-of-date. Where policies have not been updated recently, work with a professional specializing in HIPAA compliance to have them reviewed and brought up-to-date. …
