Joined at the HIPAA: HHS and OCR Get Serious with Phase 2

Member Providers

Dr. R. A. Foxworth, FICC, MCS-P

Dr. R. A. Foxworth, FICC, MCS-P

Holy HIPAA, Batman! The Office of Civil Rights (OCR) announced their “official” launch of Phase 2 of their program this spring, and no one is immune—not even me. I recently received my own pre-audit email. Since it’s only a matter of time before you will likely receive a letter of your own, here’s what you can expect and how to respond.

The first and most important thing to know is that “all audit candidates,” in the OCR’s language, will be notified by email only. Be aware that if this email gets overlooked or goes into your spam folder, you are still responsible and will still be considered a candidate. You may still end up under audit so check your spam folders every few days.

That first email asks you for your contact information, among other things. If you don’t answer, the OCR will simply go to public information sources to contact you with your pre-audit questionnaire. In other words, you can put your head in the sand, but you can’t hide.

Next, you’ll get a pre-audit questionnaire, and you’ll have 10 days to respond. What are they looking for? PHI and privacy vulnerability. So they’ll be asking questions about how you handle requests for patient files (both paper and electronic), how you handle Business Associate Agreements and with whom (e.g., anyone who has the opportunity to view PHI), your notice of privacy as well as how and where it’s posted, practice privacy forms, PHI information storage (Do you back up to a cloud server? Do you back everything up before a major move or remodel?) and a host of other questions about how your office handles:

  • Firewalls
  • Anti-virus software
  • Screen-savers
  • Passwords
  • Security measures
  • Smart phones and other mobile devices

The OCR doesn’t just want to know that you have all these things in place, they also want to know that you have a written policy and procedure for each one of them and that you have ongoing training in place for your entire staff, as well as new hires. They will ask for documentation to support your claims, including your most recent Facility Risk Assessment, your HIPAA compliance manual as well as other policies and procedures, and copies of your Business Associate Agreements.

The OCR hasn’t said what the penalties will be if they find privacy compliance issues, but one thing’s for sure. The penalties for a privacy breach can be severe. In Massachusetts, an ophthalmology practice just agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the HIPAA Privacy and Security Rules after finding a laptop containing PHI, including clinical and personal information as well as prescriptions.

If you’re not nodding your head and saying, “Yes, I know what and where all that stuff is, and we’re on top of it,” you probably need our help. Visit chirohealthusa.com and view our webinars on HIPAA, as well as many others on compliance, to make sure you understand exactly what’s about to happen and prepare for the storm.