By Jack Anderson
April 15, 2014
You will probably not be included in the small number of business associates singled out for audits by HHS/OCR but this model will surely be adopted by covered entities as a way of ensuring that their business associates are HIPAA Omnibus Rule compliant. As part of auditing the covered entities OCR will ask them for their list of business associates and select candidates for audit from those lists.
This model of “desk audits” was employed by Figliozzi and Company who were employed by CMS to do audits of covered entities who received stimulus funds for attesting that they qualified for meaningful use (MU). Forty-seven (80%) of 59 providers failed audits conducted in April 2012. One important area was Core Measure 15 which required a HIPAA risk assessment, remediation of identified risks, and an on-going risk management program. We actually got phone calls from CEs asking if we could back date a risk assessment. Those who failed the “desk audit’ were subject to an on-site audit and if they were found to have falsely attested the first step was having them return the stimulus funds and next investigating for fraud.
So what can you expect from a desk audit? Here is Adam Greene:
“Your documents really need to speak for themselves,” says Greene, a partner at law firm Davis Wright Tremaine and a former OCR staff member, in an interview with Information Security Media Group.
“If you’re a well-organized organization, I think these desk audits will make things significantly easier,” Greene says. “On the other hand, if you’re not a well-organized organization, this could be a bit tougher on you. OCR has indicated they are not going to do follow-up questions … so you want your policies and procedures to tell a good story of your compliance. You won’t have the same opportunity as [in the pilot program] to explain things to the auditors.”
I always tell people that documentation is what helps build a legal firewall around your company and that from the auditor’s viewpoint if you didn’t document it you didn’t do it. Our task centered methodology takes you through a series of assignments required under the HIPAA Omnibus Rule and documents your activities. For most of our clients this is done under the supervision of a privacy and security expert we call Helper. They also answer all of your questions through our Notes feature and these interactions are recorded as well. All of this documents you on-going HIPAA compliance and is displayed through our Compliance Meter(tm). In addition to this top level “at a glance” display your could allow an auditor access to your site to view all of your activities, thus providing complete transparency.
Let us help you build that “legal firewall” around your company do that you can sleep soundly knowing that if the auditors or their letter shows up tomorrow you are ready for them.
For more information or a hands-on demonstration email me at jack@compliancehelper.com or call me at 707-217-8864