Got $1.5 million to spare? That's how much a Massachusetts eye and ear practice just had to pay the U.S. Department of Health and Human Services (HHS) to settle potential violations of the HIPAA Privacy and Security Rules after a personal laptop containing unencrypted PHI was stolen. Encryption would have made the difference: under HHS guidance, PHI encrypted to NIST standards is not "unsecured," so the loss of the device alone would not have been a reportable breach.
Breaches like that are why HHS's Office for Civil Rights (OCR) has launched Phase 2 of its HIPAA audits, this time focusing on small to medium-sized healthcare providers like you. No one is immune—not even me. I recently received a pre-audit notification. At this point, it's no longer IF you're going to get audited but WHEN.
In HHS’s own language, this “Phase 2 HIPAA Audit Program reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”
Translation: they're looking for noncompliance, and for weaknesses, in the way providers, in this case chiropractors like you, handle PHI, whether electronic or on paper. Estimates put the number of people affected by breaches at business associates alone at over 250,000. In other words, OCR is painfully aware there's a problem.
What should you be looking for? What should you do? Here is what’s likely to happen:
- You will get an email from the OCR. They don't care if it gets overlooked or winds up in your spam folder; they consider you notified either way. Check your spam folder every few days.
- You'll have two weeks to respond from the date of the email, which is one reason to answer promptly.
- That initial email will ask for your address, contact information, and other email addresses so they can go to the next step with you. IMPORTANT: if you don’t answer, they’ll find your info from public records and continue the process anyway.
- After the OCR has verified your information, they'll send you a pre-audit questionnaire asking for detailed documentation and information about how your office handles everything from privacy notices, file requests, and cloud storage to your software and how your staff use electronic devices. More importantly, they expect to see that you have written policies and procedures and that you are actively training all staff, including new hires.
- You have just ten days to send all of this requested documentation.
- The OCR will send you a draft report based on your information, and you may have the opportunity to respond. If so, your comments will be included in the final report.
- If they find there’s a significant problem, they’ll do an on-site audit in your office.
Are you ready for your audit? If not, you can learn more at chirohealthusa.com by watching our free compliance webinars, including "HIPAA Wars," a great primer on preparing for the impending audits. You'll also learn more about becoming a provider with ChiroHealthUSA. Offering ChiroHealthUSA to your patients costs you nothing. Your patients pay just $49 a year, and that allows you to discount your fees for your patients and members of their immediate families. This helps you grow your practice, but more importantly, it helps you protect your practice while continuing to provide good patient care.