HIPAA compliance: Providers have homework to do

Tuesday, November 20, 2018

WASHINGTON – The finding that zero of the “covered entities” recently audited by the Office of Civil Rights fully complied with HIPAA requirements is a “wake-up call” for HME providers, says Wayne van Halem.

What’s more, the OCR found that more than 80% of “covered entities” made minimal, negligible or no efforts to comply with the requirements.

“Our industry is really vulnerable here,” said van Halem, president of The van Halem Group, a division of VGM Group. “This is an opportune time for providers to say, ‘This is serious. We need to find out what we need to do and do it. We can’t afford a $1 million fine.’”

The OCR, part of the Department of Health and Human Services, audited more than 200 “covered entities” as part of the second of a three-phase program. The third phase: compiling the results of the audits and forming an educational program to help entities comply with the requirements.

This last phase of the program will be crucial, as the “OCR does a pretty poor job of telling us what those specific requirements are,” says Kelli Ogunlesi.

“The OCR conducted the audits to find best practices and share them industry-wide,” said Ogunlesi, a success manager for HIPAAwise, which offers compliance software and has an agreement with The van Halem Group to combine their services. “Based on the results so far, there are not a lot of best practices showcased, but I’m hoping they at least provide guidance on where providers need to bulk up their compliance and documentation protocols.”

It’s important to remember, van Halem and Ogunlesi say, that providers don’t necessarily have to experience breaches to be audited by the OCR.

“There are also random audits where you need to show that you’re doing everything in your power to mitigate willful neglect and that you’re taking steps to reduce vulnerabilities and have documentation that spells out the process,” Ogunlesi said.