This page contains a Flash digital edition of a book.
Get ready A survey performed by HCPro Inc. — a Massachusetts-based health care regula- tion and compliance education, training, and consulting firm — indicates a ma- jority of health care entities aren’t ready for HIPAA compliance audits. Of the 400-plus survey respondents, including health information management direc- tors and compliance officers, only 17 percent said they are fully prepared, and 70 percent said they were somewhat pre- pared. A lack of commitment by senior management to HIPAA compliance was among the reasons they cited for not be- ing fully prepared for compliance audits. Ms. Cowan agrees with Ms. Hiser that physicians need to be ready if the audi- tors come calling. “At this point, all physicians must have


all policies and procedures required by the HIPAA privacy, breach notice, and se- curity rules finalized and regulator-ready. If OCR selects you for an audit, contact your legal counsel, and be prepared to cooperate as necessary during the onsite visit,” she said. Additional preparatory steps to con- sider include:


• Adopt comprehensive privacy policies and procedures that are up to date and specific to the practice. Be cer- tain you have updated, signed busi- ness associate agreements with all business associates.


• Conduct a risk assessment of the practice. If you haven’t done one within the past year, do it now. Focus on successful implementation of poli- cies and procedures.


• Identify “high-impact” vulnerabilities, such as the method used for dispos- ing of PHI.


• Train everyone on staff according to policies and procedures. Train regu- larly and have staff take tests. Docu- ment all training. The privacy officer should retain all training materials.


TMA and Brown McCarroll have oth-


er resources to help physicians comply with HIPAA and prepare for a possible OCR audit. TMA’s webinar “HIPAA and the HITECH Act,” presented by Ms. His- er, guides physicians in preparing and


implementing policies to comply with the regulations. The webinar, which of- fers an hour of ethics continuing medi- cal education, details who must comply, what the federal government considers a breach, and how to conduct a risk assessment. For more information, call the TMA Knowledge Center at (800) 880-7955, or visit http://texmed.inreachce.com. Brown McCarroll developed a we-


binar titled “HIPAA Audits: What They Are Looking For and What You Can Do to Prepare” in case KPMG comes calling. The free webinar discusses:


• Who may be subject to an audit; • The audit process and timeline; • How to prepare for an audit; • What the auditors are looking for; and


• The ramifications of failing an audit. For more information, call (512)


479-9776. Watch the webinar at www .brownmccarroll.com/resource-center/ webinars/list/L5.


What to expect Ms. Hiser and Ms. Cowan previously represented physicians the OCR investi- gated for alleged HIPAA violations. “Thus far, we have been successful in working with the agency to deal with such allegations. To date, none of our clients have been sanctioned or have been required to enter into corrective action plans subject to OCR oversight,” Ms. Hiser said.


She says OCR scrutinized their clients


for inadvertently disclosing PHI such as mailing a bill to a wrong address, failing to verify a person’s identity, not having appropriate breach policies and proce- dures, and having computers containing PHI lost or stolen — to name a few. Physicians who get an audit letter


from OCR have only 10 business days to respond to a request for documentation. Ms. Hiser says OCR likely will request extensive records that could include, but are not limited to, risk assessments, training and incident reports, vendor information, access rights, and manage- ment security procedures. OCR gives 30 to 90 business days no-


tice before an onsite audit. During site visits, KPMG auditors ask employees what they understand about the prac- tice’s HIPAA policies and procedures and observe processes and operations to help determine compliance. Based on their findings, auditors develop and share a draft report with physicians, who then have 10 business days to review it and to submit written comments. “It is wise to consult with an attorney


to assist in legal arguments regarding the scope and application of the rules and justification of your approach to implementation,” Ms. Hiser said. Ms. Cowan also notes that OCR ex-


pects physicians and their staff to know who is responsible for recording and examining activity in information sys- tems that contain PHI. They also should have a list of all information systems that house electronic PHI data, as well


Attorneys at Law FAMILY LAW


We assist physicians with: • Divorce • Prenuptial Agreements • Postnuptial Agreements • Complex Property Division


for a consultation 512.961.8060


Austin, TX 78703 www.mendunimartindill.com July 2012 TEXAS MEDICINE 35


1717 W. Sixth St. Ste. 259


Contact us


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32  |  Page 33  |  Page 34  |  Page 35  |  Page 36  |  Page 37  |  Page 38  |  Page 39  |  Page 40  |  Page 41  |  Page 42  |  Page 43  |  Page 44  |  Page 45  |  Page 46  |  Page 47  |  Page 48  |  Page 49  |  Page 50  |  Page 51  |  Page 52  |  Page 53  |  Page 54  |  Page 55  |  Page 56  |  Page 57  |  Page 58  |  Page 59  |  Page 60  |  Page 61  |  Page 62  |  Page 63  |  Page 64  |  Page 65  |  Page 66  |  Page 67  |  Page 68