Earlier this year, MRO published a white paper, A Proactive Approach to PHI Disclosure Management: Strategies to Prepare Your Healthcare Enterprise for Phase 2 Audits. In the white paper, we shared the most-up-to-date information about Phase 2 of Office of Civil Rights (OCR) HIPAA compliance audits and offered tips to prepare for them by implementing an enterprise-wide approach to disclosure management.

While OCR’s widely anticipated Phase 2 audits are still pending, there has been some activity since publication of the white paper. Here are some updates:

Myth Busted

AHIMA’s June 4, 2015 E-Alert quoted from a FierceHealthIT article that pre-audit screening questionnaires had been sent to potential Covered Entity (CE) auditees. In preparation for an MRO presentation at the MSHIMA annual convention, we reached out to an OCR contact, who replied on June 12, 2015 via email: “The report is misleading. OCR has started verifying contact information of CEs. Pre-audit screening questionnaires have not been sent out.”

Sneak Peek

We also contacted attorney Adam Greene, a nationally recognized authority on HIPAA and the HITECH Act, who provided a link (look for the survey PDF titled “Survey 03 13 2015” under “Instrument File”) to the screening questionnaire. The web page suggests they are seeking 500 respondents.

Audit Focus

OCR’s presentation at the HCCA Compliance Institute in April confirmed that “desk audits” will focus on privacy, security and breach notification. The speaker also emphasized that the OCR will conduct onsite audits, as funds permit, in addition to desk audits. Key focuses by audit type are expected to be:

• Privacy Rule audits: Notice of Privacy Practices and Patient’s Right to Access
• Breach Notification audits: Breach Notification Policy, Breach Notifications to Patients, instances where Breach Risk Assessment concluded no breach, and timeline from discovery to notification
• Security Rule audits: Security Risk Analysis and Risk Management Plan

It’s important to remember that complaints can trigger an investigation that may lead to full-scale audits. Thus, it’s important to be ready for an onsite audit by reviewing the protocol on OCR’s website. The website states: “Please be aware that the protocol has not yet been updated to reflect the Omnibus Final Rule.” OCR is reportedly working on the audit protocol update now. Another task they are tackling is a method for sharing penalty amounts with harmed individuals. We suspect that will encourage more people to file more complaints to the OCR due to possible payouts

Being Prepared

What steps can you take now to prepare?

• Make sure all documentation is up-to-date
• Implement an enterprise-wide PHI disclosure management strategy
• Invest in security technologies
• Train your workforce (we can help)

The Ponemon Institute’s 2015 State of Endpoint Report: User-Centric Risk states that 78 percent of organizations cited employee negligence as the biggest security threat. Privacy and security compliance and breach prevention training are critical. It’s also key to make sure employees fully understand your policies and procedures for PHI disclosure. If an onsite auditor wants to evaluate your privacy and security culture, he’ll solicit information from non-management staff.

To learn more about OCR audits and tips for audit preparation, download our white paper today.

It’s hard to believe that only two decades ago there were not significant penalties for improperly disclosing Protected Health Information (PHI), especially when regulations and oversight seem to become more stringent by the day.

Since the HIPAA breach notification requirement was instituted in 2009, there have been 1,185 breaches of more than 500 records each reported, compromising more than 133 million patient records. Hospitals are subject to penalties of up to $1.5 million per incident per calendar year, and criminal penalties include fines and up to 10 years in prison. There are currently pending judgments of $3-4 billion each in two class action lawsuits, and these figures don’t include the damage to a hospital’s reputation.

The migration to electronic medical records (EMR) systems may improve patient care, but it also makes it more difficult for hospitals to control access and manage patient privacy. According to MRO’s research, hospitals may have more than 40 PHI disclosure points through various departments such as billing, lab and radiology as well as hospital-owned clinics and physician practices.

With that many access points – which do not include HIEs, patient portals and other interfaces – the question becomes whether every employee at each of these disclosure points has been properly trained on PHI access and disclosure guidelines.

Centralization of the Release of Information (ROI) function places the responsibility of disclosing PHI into the hands of highly-trained professionals and offers better control, higher quality and cost savings. Using a single, enterprise-wide system that is overseen by a single department helps organizations standardize processes and enforce policies across the entire healthcare enterprise.

This model allows software and services to be deployed as a common platform, and all departments receive secure technology, comprehensive workflow and quality assurance checks. Best practices place the responsibility for the function with Health Information Management (HIM), which typically has subject matter expertise on health information governance, privacy and PHI disclosure management.

Hospitals that take an enterprise approach through their HIM department find they are able to better manage ROI processes, achieve compliance and reduce liability and financial risk.

Ready to learn more? View MRO’s case study on East Jefferson General Hospital, where HIM leadership standardized PHI disclosure management processes and policies across various hospital departments and 23 physician practices.