By Jack Anderson
March 2, 2014
There are many things that can trigger an audit: a patient complaint, a whistleblower, your own breach, a business partner’s breach, a state attorney general, HHS/OCR, or a company hired by HHS/OCR to do unannounced audits. But the most likely source will be a business partner seeking “satisfactory assurances” that you are HIPAA compliant.
Healthcare law firms are advising their clients to strengthen their business associate agreements with indemnification clauses designed to shift liability to the business associate. They are then advising them to verify HIPAA compliance through surveys or audits. The first phase may just be a small ten-question survey, but the second phase may ask for copies of recent risk assessments or policies and procedures that have been updated to meet the HIPAA Omnibus Rule standards. HIPAA regulations state that if they detect “a pattern of non-compliance” they must ask the company to remediate or mitigate these risks, and if the company can’t or won’t, they must “sever the business relationship”.
We get calls and emails every day from business associates who are being asked to prove their HIPAA compliance. Many times there is an important contract that is dependent on that proof. Proof of HIPAA compliance is a tricky proposition because HHS has given no one the authority to “certify” compliance. What is required, beyond having up-to-date policies and procedures, is documentation of ongoing HIPAA compliance activities. According to HHS, if you didn’t document it, you didn’t do it. Getting HIPAA compliant takes an effort; staying HIPAA compliant requires accomplishing monthly tasks and documenting them.
Software such as our Prepare/Care services is critical to maintaining compliance. You get a monthly task list and any updates to policies and procedures. As you check off the tasks and update your policies and procedures, the system documents your activities and reflects your scores through our Compliance Meter(tm).
Take a look at one of our videos on our website at www.compliancehelper.com to see how this works.