HIPAA is universally agreed upon process to protect sensitive and confidential patient data. But is it enough to prepare you for the auditing program? 

Preface of HIPAA Act

HIPAA, the Health Insurance Portability and Accountability Act, was enacted by the United States Congress in the year 1996. The primary objective of the law was to protect the confidential data of the patient.

HIPAA act was mainly initiated to set concrete and detailed standards regarding the secure and uninterrupted flow of sensitive patient data. It is mandatory for an organization to meet HIPAA compliance in order to function permissibly in the healthcare industry. The law has established proper standards which demand optimum confidentiality, security, and utilization of Protected Health Information (PHI) or ePHI. PHI is a health information record-keeping tool in the form of physical as well as an electronic system which helps in identifying a patient or a healthcare plan member in the system.

The advent of ePHI has benefitted the Healthcare Information Services (HIS) with a rapid shift in the process of billing, coding as well as in the method of record keeping. The amount of paperwork eliminated has initiated developed techniques like electronic passbooks of patients, better analytics tools in chronic treatments along with efficient billing and coding process. 

Why is the Confluence of HITECH and HIPAA Act considered essential?

Whether you are a business associate, covered entity, hospital or any other medical practitioner in the healthcare industry, you are legally abided to follow both HITECH and HIPAA Act.

As part of the American Recovery and Reinvestment Act (ARRA) of 2009, HITECH Act or the Health Information Technology for Economic and Clinical Health Act was instituted into law in February of 2009. The act was enforced merely to promote the adoption of IT in healthcare, i.e., to encourage the hospitals and other healthcare organization to inculcate maximum use of Electronic Health Records (EHR). The act was purposely initiated to rigorously enforce the regulations and standards of HIPAA which somehow weren’t being correctly followed by the organizations.

In addition to the penalties under HIPPA act, HITECH also required Health and Human Services HHS to regularly investigate the breaches under any willful violations under HIPAA rule. The HITECH Act included another layer of security in the provision of HIPAA. It increased the protection of patient data by applying stringent legal liability for non-compliance of the law.

With this, in the year 2011, HITECH also introduced the practice of monetary incentives for the appropriate and abundant use of Electronic Health Record (EHR). The process of monetary incentives was introduced to encourage more use of technology in hospitals. The design of the reward program has worked wonders in Healthcare Information Services (HIS) as the whole system started to infuse the use of IT in their everyday work. 

The changing pace of hospital and their compliance with HIPAA- how HIPAA auditing kept medical practitioners on their toes. 

The HHS Office for Civil Rights (OCR) has embodied the responsibility of conducting periodic audits of covered entities and business associates. To ensure full compliance with HIPAA regulations, the blueprints of HIPAA audit was originated in the year 2001. The audit program worked through a set of policies which selects a random sampling method of auditing to keep all the healthcare organizations updated and in compliance.

Having regular audits helps an organization to strengthen its privacy and security structure by detecting the place of disclosure of PHI. According to OCR, audits are an essential compliance tool for the organizations to roll with all the latest security measures.

The HIPAA audit protocol by OCR is an effort to ensure that the required entities are meeting the HIPAA compliance proactively. It is a protocol where the spectrum of audit includes an examination of the documents, identification of potential risks, investigation, review, and reporting of the consent documents.

Components and Timeline of HIPAA audits

Before filing for an audit program, you must be aware of all the procedural actions by the OCR. The program consists of a systematic timeline to ensure a balanced and orderly audit of the organization. For HIPAA audit protocols to take place, an organization must be legally working in the healthcare industry. Moreover, the auditee must be able to show how they are complying with the HIPAA breach notification rule.

So, are you one of the auditees? - To comply with the audit program, one must come under any of the following heads mentioned below;

• Covered Entities like healthcare clearinghouses, insurance providers, etc
• Business associates such as billing and faxing companies, practice management firms, third-party consultant, physical and cloud storage providers.
• An organization (public or private) affiliating with a healthcare entity.

Timeline of HIPAA audit 

• Firstly, the auditees are divided into various sections of size, operation, affiliation, etc. Next, the OCR selects the organization from the process of sampling and avoids entities with open investigation complaints as they are already undergoing the procedure.
• Once an organization is selected for a HIPAA audit, it is mandatory that they send the requested data to the OCR through the mail within ten business days from the date of the request.
• The documents requested should be submitted in a digital form and after that sent electronically through a secured online portal.
• After reviewing the documents, the auditor will send back the findings to the entity. The organization will then have ten business days to review and respond with a statement, if any, to the auditor.
• Subsequently, the auditor will report the final audit within 30 business days and will also be obliged to send a copy of the report to the concerned auditee.