A little over a year ago, the former Director of the Office for Civil Rights (OCR), Leon Rodriguez, referred to covered entities that did not realize they had business associate relationships in place. He went on to say that some business associates did not know that they were actually business associates. Rodriguez stressed that it was the responsibility of both the covered entity and the business associate to understand that this relationship exists.
Regarding ramped-up HIPAA compliance, Rodriguez indicated that future audits will be narrower in scope and include more organizations than ever before. Covered entities and their business associates will also be audited under the new permanent program, and audits will focus on vulnerabilities that could change from year to year as new issues arise.
With Rodriguez’s departure to Homeland Security in June, it seems the task of continuing the drumbeat message of ramped-up HIPAA enforcement fell to Linda Sanches.
Sanches, who serves as OCR’s Senior Health Information Privacy Advisor, also has the role of chief compliance enforcer. As the overseer of the HIPAA security and breach notification audit program, Sanches presumably knows a thing or two about the direction OCR wants to take with future audits. Sanches recently spoke at the Healthcare Information and Management Systems Society (HIMSS) Privacy and Security Forum. However, she did not provide any striking revelations or critical insights about these new audits, just more of what the industry already seems to know: that these audits are coming.
Much like Rodriguez did in the past, Sanches spoke more in generalities than specifics. She indicated that OCR was looking at a broader view of the entire healthcare industry as possible criteria for selecting who would be targeted for an audit. Using the National Provider Identifier (NPI) database is one method being considered to select entities such as hospitals, practices and dental providers for audits.
Large and small providers in random geographic locations will be part of the selection formula. Dental providers were specifically mentioned, a concern because, in my experience, smaller practices have struggled to meet their compliance requirements because they lack a complete understanding of the regulations.
As a former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, I interpret Sanches’ government speak to mean very simply this: any covered entity or business associate including dental practices may be the subject of a random audit. Now as a HIPAA consultant on the other side of the enforcement table, and as someone assisting healthcare clients and business associates with compliance requirements, I am continuously advising they be prepared and maintain current policies and best practices when it comes to required security safeguards.
What Sanches told those at the HIMSS Forum is similar to advice I give to all clients — make sure you have an up-to-date HIPAA Risk Assessment and Risk Management Plan. The HIPAA Risk Assessment is going to be the first document OCR asks for during an audit or compliance review. Make sure you have a robust sanction policy and process. This is an issue I previously addressed in my blog article titled “HIPAA Security Compliance: What is Your Sanction Policy?”
Being compliant is the best way to sleep at night and not be concerned if you are subject to a random audit. The longer OCR keeps kicking the can down the road when it comes to enforcement and audits, the more time it gives you to review, update and be prepared if the notification comes that you were selected for a compliance review.