HIPAA audits could catch providers off guard

Friday, March 25, 2016

WASHINGTON – With the Office of Civil Rights gearing up for phase 2 of its HIPAA Audit Program, HME providers could be doing a better job of protecting patient information, legal experts say.

“For the most part, they probably do not take it as seriously as they should,” said healthcare attorney Denise Leard with Brown & Fortunatoin Amarillo, Texas. “I think there are a lot of opportunities to go wrong.”

Last week, the OCR announced plans to obtain and verify contact information for various types of covered entities, including individual and organizational health providers, health plans and healthcare clearinghouses, as well as business associates, to examine compliance with HIPAA and HITECH privacy, security and breach notification rules.

When it comes to protecting patient information, healthcare attorney Edward Vishnevetsky says everyone knows they need to, they might just not know how—or for how long.

“A lot of businesses that close down think they can throw the information away,” said Vishnevetsky with K&L Gates LLPin Dallas. “That’s not necessarily the case. Under HIPAA, you still have to maintain the information even after you’ve shut down.”

Another common mistake HME businesses make is sending sensitive information via email, Drop Box or Google Drive. These services are often not encrypted.

“Providers don’t need to know everything,” said Vishnevetsky. “Just what needs to be protected, how to protect it and what to do if the information gets out.”

In the event of a data breach, providers need to have a plan in place to mitigate the damage. If they fail to, they could face significant penalties, similar to those associated with False Claims Act violations.

“They have to notify the patients, report the breach to the OCR, and if the breach includes more than 500 patients, they have to publish that in the local newspaper,” said Leard.

When it comes to understanding and adapting to evolving security regulations, HME companies, which tend to be smaller, may have their work cut out for them.

“It takes time to modify policies,” said Leard. “It’s the small ones with less than 10 employees that just don’t have the resources.”