HIPAA RxLet’s keep this simple as I can always provide you with more information in subsequent papers.  By now most persons in the Unites States are familiar with HIPAA.  Yet the complexity of this simple acronym is far from been understood by the community at large.  Ideally I will like to have the time to explain the differences between HIPAA Privacy, HIPAA Security, the HITECH Act, the Omnibus Rule, the Affordable Care Act and many more but for now let’s concentrate in the HITECH audits. Let me put this in perspective, I have been working as a healthcare consultant for over 20 years yet last year lone I had to deal with more audits that all of the previous years combined.  This year seems to have started at a slower pace, yet I’m already seen the correspondence and based on the proposals from Medicare that are crossing my desk I expect that the trend is going to increase if nothing else.  If you add to that the number of organizations that have not yet started doing audits but will start doing so in the near future my forecast is quite exciting. In plain words, probabilities are that, if you have not been audited you will be.   If you are a Covered Entity your probabilities increase based on the following factors:

  • Submitted Meaningful Use Attestation under the Medicare program,
  • A complaint from an employee or patient.

Keep in mind that there is a chance that you may be audited again even if you have already been hit.  Business Associates are also a target for the future and in the last couple of months they have been mentioned in just about every paper, news release and article I read. So let me be specific in terms of key things to keep in mind:

  • Audits may cover your present and past compliance efforts;
  • Every audit I worked on requested a Security Risk Analysis for the year of the audit and a Security Management Plan;
  • Policies are important but even more if the ability to show that the same were implemented;
  • Staff training and proof of the same is becoming critical.

The sad reality of the case is that there are still many Covered Entities and Business Associates that have not completed a Security Risk Analysis.   Potentially worst is the fact that there are those who have a Risk Analysis that didn’t cover all the required items. Based on the above I simply have to repeat one of my most common phrases: “if you are going to play the game learn the rules”.  Another phrase I will start repeating in the future is: “take control: plan, prepare, execute”.