Add HIPAA audits to the list
WASHINGTON - There's yet another type of audit that HME providers need to have on their radar screens, healthcare attorneys say.
This month, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) launched a pilot program to perform up to 150 audits of covered entities to assess HIPAA compliance.
"There's been a lot of talk about HIPAA, but no one's really been worried about it," said Neil Caesar, president of the Health Law Center in Greenville, S.C. "That's starting to change."
OCR plans to conduct the audits through December 2012.
Thankfully, there are a few things working on the side of HME providers, healthcare attorneys say. First, OCR's audits are likely to target hospitals and insurance companies, at least initially. Secondly:
"(While) there are significant penalties that apply to HIPAA violations, hopefully, early audits will attempt to be 'educational,'" said Asela Cuervo, a Washington, D.C.-based healthcare attorney.
Additionally, because HHS still hasn't released a final rule for the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009--think of it as HIPAA on steroids--OCR will likely be auditing covered entities on basic privacy and security compliance, healthcare attorneys say.
"These initial audits are going to be a preliminary assessment of where people are in classic HIPAA," said Amy Leopard, a partner in the healthcare practice at Cleveland-based Walter & Haverfield. "If you're in trouble there--the privacy rule has been out since 2001 and the security rule has been out since 2003--they're going to throw the book at you."
Since the final rule for the HITECH Act hasn't been finalized, all the OCR can expect of providers is to make "good judgments" about the provisions in the interim final rule, healthcare attorneys say.
"The scope of the act is still fuzzy in some areas, so I don't think people are going to be lined up and shot at," Leopard said.
Still, providers should review where they're at with privacy and security compliance and, if need be, make improvements, healthcare attorneys say, because it's highly probable the pilot program will be extended and/or expanded in some way.
"Initially, these audits will be more corrective in behavior than collective in reimbursement," Caesar said. "But as they start doing these audits, they're going to find violations sufficient for fines and that's going to keep them going."