In Part 1 of this series, we examined the purpose and general background of the HIPAA Audit Program. In this second part of the series, we will take an in-depth look into the HIPAA Audit findings to see what issues are tripping up providers the most. Remember: while the pilot phase of the program was intended to be educational, OCR has stated that future violations can and will be accompanied by sanctions, up to and including civil monetary penalties.
In its 2012 HIPAA Audit Pilot Program, OCR sought to create a cross section of providers and payers to assess the trends in HIPAA compliance. Included in this sample were large/medium/small provider groups, community hospitals, outpatient surgery clinics, pharmacies of all types, and many other entity types. However, despite the wide mix of auditees, OCR found patterns of HIPAA noncompliance across the Security Rule, the Privacy Rule, and the Breach Notification Rule. At a high level, OCR recently covered some of these major issues:
1. Security gaps accounted for 60% of the audit findings
2. Only 11% of all selected entities had no discovered HIPAA violations
3. Smaller providers struggle the most with HIPAA compliance
Specific to the Security Rule findings, OCR learned that nearly two-thirds of all entities (including about 80% of all providers) either had not performed or had an incomplete risk assessment on file. Moreover, issues of access management, media movement (including PHI-containing mobile devices), and data encryption were found to be serious areas of concern, accounting for over one-third of all Security Rule violations. OCR even went as far as to diagnose the underlying cause: entities are simply unaware of the requirements they are violating.
Fortunately for those selected in the pilot program, this “willful ignorance” was, in most cases, not enough to prompt sanctions. However, this is about to change. OCR undertook the year-long pilot to collect data about where the biggest HIPAA compliance gaps were, in order to share it with those who will be audited in the future. Providers have effectively been put on notice. So if you are a provider and have been neglecting your risk assessments, allowing workforce members to share PHI on their mobile devices, or are not encrypting all PHI in motion, now is the time to start righting the ship before the full audit program is rolled out in 2014.
In Part 3 of this series, we will cover the extension of the HIPAA Audit Program as well as the best practices providers should adopt to minimize their audit exposure.
With over two decades of technology entrepreneurship background, Krishna Kurapati started QliqSOFT with the strong desire to solve clinical collaboration and workflow challenges in US Healthcare. During the late 90s, Krishna co-founded IPCell to build the first Cable IP Telephony switch, eventually selling the company to Cisco Systems. In 2003, he started Sipera (acquired by Avaya Systems) to solve security issues for Unified Communications and raised over $30MM in venture funding. Additionally, he has been actively involved in the early-stage financing of startups in both the US and India.