
HIPAA Audits Enter Phase 2

Why that matters

BY ROBERT KURTZ


In March, the US Department of Health & Human Services’ Office for Civil Rights (OCR) announced the launch of its next phase of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) audits of covered entities and their business associates. See professionals/compliance-enforcement/audit/phase2announcement/index.html for more information.

“This news should be a wake-up call for ASCs and all health care providers covered under HIPAA to take a close look at what they are doing and have in place concerning HIPAA compliance,” says Lani Dornfeld, head of law firm Brach Eichler’s Palm Beach, Florida, office and a member of the firm’s health law practice group.

“If the OCR sees a serious lack of HIPAA compliance when it performs these audits, there will be further scrutiny of that provider or business associate outside of the audit process,” she says. “OCR will separately engage in a compliance review of that particular organization. There have already been quite a number of heavy fines and penalties this year against organizations found not to be in compliance with HIPAA, and there are likely more to come.”

On the surface, it might seem like the announcement of “Phase 2” of the HIPAA audit program is not significant for ASCs as “OCR indicated that these audits are meant to be used as a tool to measure compliance,” Dornfeld notes. The audits, however, might ultimately serve to identify covered entities, like ASCs, and business associates that are not in compliance with HIPAA.

What You Need to Do

Properly protecting patient privacy and complying with HIPAA can prove challenging. “HIPAA is such a complex law with very onerous requirements,” Dornfeld says. “As a result, compliance in some organizations may be lacking. Providers are taking some measures to protect patient information, but they are not necessarily doing what HIPAA requires, and that can get you into trouble.

“To me, the time, energy and money that will be spent by a provider to deal with the serious consequences of noncompliance will be far more extreme than the cost to put in place and maintain a proper HIPAA compliance program,” she says. “Some providers believe this cost to be prohibitive but it will seem like nothing in comparison to OCR penalties.”

A HIPAA compliance program includes many components. Dornfeld advises ASCs to closely examine the HIPAA Breach Notification, Privacy, and Security Rules. They should also perform a risk analysis, as mandated under the security rule, to identify and address risks and vulnerabilities to electronic medical information. “You must have the proper people involved in these efforts, which includes privacy officers and security officers,” she adds.

ASCs also would be wise to provide ongoing HIPAA training, she says. “While annual training in a formal way is expected by the government, periodic training throughout the year is critical. This can include providing information in emails, inter-office memos and during discussions at staff meetings. This kind of intermittent, informal training serves to remind staff of its legal obligations and help prevent potential negligent breaches.”

Dornfeld says some ASCs might be coming up short in compliance efforts due to a misunderstanding concerning their electronic systems. “Just because you are told a system is HIPAA compliant does not mean your ASC is HIPAA compliant. That is a really big misconception and leads some providers to believe they do not need to do anything more than use that system.”

Doing what is necessary to put together a proper HIPAA program is simply the best protection against incidents and governmental interventions, she says. “It is a preventative measure and one every provider must be undertaking.”

ASCA’s HIPAA Workbook for ASCs

Download a copy of ASCA’s HIPAA Workbook for ASCs at and make sure your facility has access to the best practices in ASC HIPAA compliance. This resource is available for free to facility and corporate members of ASCA; nonmembers may buy it.
