As reported in a press release on HHS.gov, the website of the U.S. Department of Health and Human Services, Massachusetts Eye and Ear Infirmary, Inc., a specialty hospital located in Boston, agreed to pay a $1.5 million fine for a HIPAA violation that occurred when an unencrypted personal laptop containing patient prescription and clinical information was stolen. This is an extreme case, as $1.5 million is the maximum fine a single provider can receive in a calendar year (not including business associates). However, the HIPAA Security Rule, which protects the security of patients’ electronic personal health information, has become the most commonly violated rule, and 2016 has become the year to be even more cautious about HIPAA compliance.
2016: The Year of HIPAA Phase 2 Audits
The HHS Office for Civil Rights (OCR) recently announced the launch of the HIPAA Phase 2 Audits, which is the next step after the initial audits that took place in 2011 and 2012. Here is what you need to know:
- The purpose of the Phase 2 Audits is to collect data that will be used to take the pulse of overall HIPAA compliance across the nation. From this data, the OCR hopes to “present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable [it] to get out in front of problems before they result in breaches.”
- Although the Phase 2 audits are primarily designed to collect data, if an audit report indicates HIPAA non-compliance, a compliance review investigation will be initiated, which could result in HIPAA violation penalties ranging from $100 to $1.5 million as well as possible criminal charges.
- The first round of Phase 2 Audits will focus on roughly 200 providers and the next round will include the providers’ business associates.
- The majority of Phase 2 will consist of desk audits, but some on-site audits may be conducted, and all audit candidates will initially be contacted through email. The OCR has acknowledged that its audit request emails may land in candidates’ spam or junk folders, but even those who do not respond can be entered into the candidate pool.
- Once selected as an audit candidate, providers must fill out a questionnaire before being entered into the candidate selection pool.
- Phase 2 audits are expected to end by 2017.
How to prepare for an audit and remain HIPAA compliant
1. Prepare audit materials. From adding the OCR to your email contacts to preemptively compiling the information that you will need in the event of an audit, JDSupra Business Advisor provides some suggestions and resources for audit candidates.
2. Check up on your current system. Chiropractic Economics magazine prescribes a series of steps for conducting your own Electronic Health Record audit, to help you see where you can improve before you are hit with an official HIPAA audit.
3. Purchase HIPAA-compliant equipment. Chiropractic tools may come equipped with HIPAA-compliant software and safeguards. For example, the PulStar system’s software allows DCs to email patient reports through a secure server so that patients and referring physicians can view progress reports instantly and without fear of HIPAA violation.
Another important safeguard installed on the PulStar device is a driver’s license swipe reader, which prevents any person other than the patient (carrying his or her own driver’s license) from viewing the patient’s personal electronic health records.
The iMac desktop or MacBook laptop (provided with the G3 Full Suite or G3 Tech Suite) allows our doctors to turn on disk-wide encryption using FileVault with just a few clicks. This also helps protect patient data from unauthorized access; it is exactly the control whose absence led to the fine described above, since a stolen laptop whose disk is fully encrypted does not expose the records stored on it.