HIPAA Phase Two Audits are coming—are you ready?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 to safeguard patients’ protected health information (PHI).

The “portability” part of the act refers to ensuring that patients can retain health coverage if they change jobs or become unemployed. It’s the “accountability” part that affects healthcare providers most strongly because it regulates how they must handle PHI.

In general, providers can disclose PHI if necessary to facilitate treatment and payment for services, otherwise they must obtain the patient’s permission in writing. The Privacy Rule that specifies these requirements and responsibilities also mandates that providers take reasonable steps to keep PHI confidential, and appoint a “privacy officer” who is in charge of the provider’s HIPAA compliance activities.

Patients who believe that their PHI has not been treated in compliance with HIPAA requirements can file a complaint with the Department of Health and Human Service’s Office for Civil Rights (OCR). To get a sense of how much of a risk this might pose, consider that between April 2003 and November 2006, the OCR fielded nearly 24,000 complaints regarding possible violation of privacy rules.¹

On March 21, 2006, the OCR announced that it was launching Phase 2 of the HIPAA Audit Program. The first round of audits will consist of approximately 200 “desk audits” focusing on healthcare providers, and the second round will target their business associates.

Ignorance of HIPAA provisions is no excuse for noncompliance. All persons who create and manage PHI are responsible for adhering to the provisions of the act.

Image courtesy of Scrypt Inc. Used with permission.

The OCR’s desk audits will mainly consist of a request for certain records and the completion of a questionnaire. These may, in some cases, be followed by on-site audits, which would be more detailed. The penalties for HIPAA violations can be severe—generally $50,000 per occurrence—but the goal of the OCR’s auditing program is to alert providers of possible breaches of PHI and prevent them before they happen.