Preparing for OCR HIPAA Audits

by | Last updated Jun 19, 2023 | Published on Jun 1, 2016 | Healthcare News


When it comes to protecting health information, the importance of conducting risk assessments and partnering with HIPAA-compliant business associates can hardly be stressed enough. Outsourcing medical billing and coding to companies that do not adhere to HIPAA regulations can result in massive settlements.

Maintaining HIPAA compliance has become an increasingly difficult challenge for health care entities. Common causes of data breaches include internal threats, weak security controls, outdated software or web browsers, and cyber attacks. Health care providers also need to execute a proper business associate agreement (BAA) with each business partner.

Phase 2 of the audits of covered entities and their business associates (BAs) of the HHS Office for Civil Rights (OCR) was formally launched in March 2016. The aim of the HIPAA Audit Program is to review the policies and procedures adopted and employed by covered entities and their BAs to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Health care entities and their BAs have to be ready to face these audits.

Risk Assessments are Crucial

To prepare for the OCR HIPAA audits, health care entities need to ensure that their privacy and security measures are comprehensive and up-to-date. A rigorous risk assessment process is crucial for the security of patient health data. Entities need to ensure that they:

  • have the right security policies and procedures in place
  • conduct security risk analysis on an ongoing basis
  • reevaluate potential risks to e-PHI (electronic protected health information)
  • properly train employees
  • appropriately document their business associate relationships, such as with a medical billing and coding outsourcing company
  • keep physical and electronic data secure

According to the Department of Health and Human Services (HHS), conducting risk assessments helps health care providers identify potential weaknesses in their systems, security policies and processes. These assessments also help them implement appropriate security measures to address the risks identified in the risk analysis, potentially preventing adverse security events and health data breaches.

Know your Business Associates

OCR requires health care entities to identify their business associates and will ask for lists and contact information for BAs. A “business associate” is a person or entity that performs certain activities or functions that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. These activities and functions include but are not limited to: medical coding services; claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; medical billing services; benefit management; and practice management.

Under the Privacy Rule, the covered entity has to obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. These assurances must be in the form of a written contract or other agreement between the covered entity and the business associate.

A HIPAA-compliant medical coding service company will have a comprehensive set of security measures in place to safeguard the information entrusted to it by its clients. These would include computers with disabled external drives, prohibition of electronic devices including laptops and PDAs onsite, physical security checks, password-protected computers with firewalls and antivirus software installed, shredding of damaged hard copies of patient information on site, and 256-bit AES encryption for all transferred files.

OCR plans to complete desk audits of covered entities and business associates over the course of 2016. HIPAA covered entities should keep track of OCR-related developments and take proactive steps to ensure that their organizations are compliant with HIPAA requirements and that their business associates, such as their medical billing and coding outsourcing partner, are also HIPAA compliant.

  • Natalie Tornese
    CPC: Director of Revenue Cycle Management

    Natalie joined MOS’ Revenue Cycle Management Division in October 2011. She brings twenty-five years of hands-on management experience to the company.

  • Meghann Drella
    CPC: Senior Solutions Manager: Practice and RCM

    Meghann joined MOS’ Revenue Cycle Management Division in February of 2013. She is CPC certified with the American Academy of Professional Coders (AAPC).

  • Amber Darst
    Solutions Manager: Practice and RCM

    Hired for her dental expertise, Amber brings a wealth of knowledge and understanding of dental revenue cycle management (RCM) services to MOS.

  • Loralee Kapp
    Solutions Manager: Practice and RCM

    Loralee joined MOS’ Revenue Cycle Management Division in October 2021. She has over five years of experience in medical coding and Health Information Management practices.