Preparing for OCR HIPAA Audits

Preparing for OCR HIPAA Audits

When it comes to protecting health information, the importance of conducting risk assessments and partnering with HIPAA-compliant business associate can hardly be stressed enough.Medical billing and coding outsourcing to companies that do not adhere to HIPAA regulations can result in massive settlements.

Maintaining HIPAA compliance has become an increasingly difficult challenge for health care entities. Common causes of data breaches include internal threats, weak security controls, outdated software or web browsers, and cyber attacks. Health care providers also need to execute a proper business associate agreement (BAA) with their business partner.

Phase 2 of the audits of covered entities and their business associates (BAs) of the HHS Office for Civil Rights (OCR) was formally launched in March 2016. The aim of the HIPAA Audit Program is to review the policies and procedures adopted and employed by covered entities and their BAs to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. Health care entities and their BAs have to be ready to face these audits.

Risk Assessments are Crucial

To prepare for the OCR HIPAA audits, health care entities need to ensure that their privacy and security measures are comprehensive and up-to-date. A vigorous risk assessment process is crucial for the security of patient health data. Entities need to ensure the following:

  • have the right security policies and procedures in place
  • conduct security risk analysis on an ongoing basis
  • reevaluate potential risks to e-PHI (protected health information)
  • are properly training employees
  • their business associate relationships, such as with a medical billing and coding outsourcing company, is appropriately documented
  • physical and electronic data is secure

According to The Department of Health and Human Services (HHS), conducting risk assessments helps health care providers identify potential weaknesses in their systems, security policies and processes. These assessments will also help them implement appropriate security measures to address the risks identified in the risk analysis, potentially preventing adverse security events and health data breaches.

Know your Business Associates

OCR requires health care entities to identify their business associates and will ask for lists and contact information for BAs. A “business associate” is a person or entity that performs certain activities or functions that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. These activities and functions include but are not limited to: medical coding services; claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; medical billing services; benefit management; and practice management.

Under the Privacy Rule, the covered entity has to obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity. These assurances must be in the form of a written contract or other agreement between the covered entity and the business associate.

A HIPAA compliant medical coding service company will have a comprehensive slew of security measures in place to safeguard the information entrusted to them by their clients. These would include computers with disabled external drives, prohibition of electronic devices including laptops and PDAs onsite, physical security checks, password protected computers with firewalls and antivirus software installed, shredding of damaged hard copies of patient information on site, and 256 bit AES encryption for all transferred files.

OCR plans to complete desk audits of covered entities and business associates over the course of 2016. HIPAA covered entities should keep track of OCR-related developments and take proactive steps to ensure their organizations are compliant with HIPAA requirements and that their business associates such as their medical billing and coding outsourcing partner is also HIPAA compliant.

OCR’s HIPAA Audit Program to Return

OCR’s HIPAA Audit Program to Return

Under the HITECH Act, the Department of Health and Human Services (HHS) is mandated to conduct periodic audits to ensure that HIPAA covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.

HHS’ Office for Civil Rights (OCR) recently published a notice in the Federal Register in which it announced the return of its HIPAA Audit Program. An announcement was made that it will be submitting an Information Collection Request (ICR), which is in accordance with their HIPAA Audit Program Survey titled "HIPAA Covered Entity and Business Associate Pre-Audit Survey". This request will be sent to the Office of Management and Budget (OMB) to be approved under the Paperwork Reduction Act of 1995. Through this request, the OMB is looking for feedback on the proposed HIPAA survey, and how it might affect businesses.

It plans to survey up to 1200 HIPAA covered entities (health plans, healthcare clearinghouses, certain healthcare providers) and business associates to determine suitability for the OCR’s HIPAA Audit Program. Questions in the survey will likely relate to data such as the number of patient visits or insured lives, use of electronic information, revenue, and business locations.

Once the survey has been concluded, the next step for the OCR is to bring back the HIPAA Audit Program, which has been inactive since its pilot HIPAA audit program in December of 2012.

OCR’s pilot audit program was held in 2011-12. Since then, it has been evaluating the audit program and revising the audit protocols to reflect changes made to the Rules by the HIPAA/HITECH Act Omnibus Rule. The pilot audit program only audited the compliance of covered entities, while the new program will be auditing both covered entities and business associates.

This next round of HIPAA compliance audits is expected to be more focused and targeted on high priority issues – rather than the broad-based audits of the pilot program. OCR has recently indicated that its future audits would most likely focus on key areas of concern identified by new initiatives, enforcement concerns, and Departmental priorities.

Preexisting Condition Exclusions under HIPAA – An Overview

Preexisting Condition Exclusions under HIPAA – An Overview

Preexisting Condition Exclusions under HIPAAPre-existing condition exclusion signifies a limitation or exclusion of benefits for a health condition on the grounds that it was present before the coverage begins irrespective of whether any diagnosis, medical advice, care or treatment was recommended or received before that day. Suppose a person who has high blood pressure enrolls into a new health plan. The coverage for treatment related to high blood pressure will be denied in the new plan as it is a preexisting condition. Some preexisting conditions may be specified in the plan documents. Others, though not specified may operate to exclude healthcare benefits because a condition existed before coverage began.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has put forth a protection measure that insists on limited use of preexisting condition exclusions by a new employer plan.

  • Preexisting condition exclusions can be applied only to those health conditions for which medical advice, diagnosis, care, or treatment was recommended or received within a 6-month look-back period (6 months before the date on which the individual enrolled into the plan). The first day of the coverage or waiting period (the time period after an employee or a dependent becomes eligible to enroll under the terms specified by the plan) designated in the plan is considered as the enrollment date. This means that if you had a medical condition in the past for which no medical advice, diagnosis, care or treatment has been received within six months prior to your enrollment date in the health plan, it cannot be regarded as a preexisting condition to which an exclusion can be applied.
  • There are certain cases for which preexisting condition exclusions cannot be applied such as pregnancy (irrespective of the previous coverage the woman had or not) and health conditions of a newborn, an adopted child under age 18 or a child under age 18 placed with a family or individual for adoption (unless the child receives cover under creditable coverage within a period of 30 days since the birth, adoption or placement for adoption and does not undergo a break in coverage). Genetic information may not be considered as a preexisting condition if the diagnosis of a condition is absent.
  • Though HIPAA does not prohibit plans from having a waiting period, for a plan that has both periods, the maximum preexisting condition exclusion period starts when the waiting period begins.
  • The prior creditable medical coverage of an individual can reduce the maximum preexisting condition exclusion period applied by a group health plan to that individual, if there is no significant break in coverage for more than 60 days. Suppose an employee had health coverage in a company for 14 months before he left his job. He got a new job after three months and enrolled into new health plan which provides health coverage for 8 months. That employee won’t get credit for 14 months of coverage as there is a break in coverage for more than 60 days. If he had enrolled into a health plan within 60 days after he left the job, then he would have received coverage for 14 months. Creditable coverage includes coverage under a group health plan (COBRA continuation coverage), an HMO, an individual health insurance policy, Medicaid, or Medicare and does not include coverage comprising just “excepted benefits,” as for instance coverage solely for limited-scope dental or vision benefits. Days in a waiting period are not considered while determining the significant break in coverage.

Even though the maximum preexisting exclusion period is 12 months (18 months in the case of late enrollees), the plans determine the actual period once you produce the certificate of creditable coverage. Usually information about an individual’s creditable coverage is obtained via a certificate provided by an earlier health plan or health insurance issuer. Individuals can also submit other evidence of creditable coverage.

Providers offering services to patients have to be aware of preexisting condition exclusions under HIPAA. A professional medical billing company with its efficient insurance verification services can help healthcare providers reduce claim denials based on these preexisting condition exclusions. They are able to check benefits in a timely manner and prevent any issues from coming up during revenue cycle management.

HIPAA Omnibus Final Rule – Tips for Physician Practices to Ensure Compliance

HIPAA Omnibus Final Rule – Tips for Physician Practices to Ensure Compliance

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights published the “HIPAA Omnibus Rule” on January 25, 2013 to reinforce the privacy and security requirements for Patient Health Information (PHI) established under the Health Insurance Portability and Accountability Act (HIPAA). The compliance date for this rule is September 23, 2013. It has a bearing on both covered entities (health care providers who transmit PHI in electronic format) and business associates (a person or company who handles PHI on behalf of the covered entity). So, what should a physician practice do to comply with the new HIPAA rule? Well, read on.

  • The rule provides patients the right to obtain the electronic copy of their health records and to have the designated health record sent to a third party. A written authorization from the patient is required separately before selling PHI, receiving marketing communications and disclosing psychotherapy notes. Due to these reasons, physician practices should review their notice of privacy practices and update their policies and procedures to implement the new changes. They should train their workforce on the Omnibus final rule.
  • The old law defined security breach as an event which would cause impermissible use or disclosure of PHI. But, the new law modifies the definition that even the risk of impermissible use or disclosure of PHI will be considered as security breach. That is, if you store patient records without password protection or encryption in a laptop and that laptop is lost or stolen, then it is considered as security breach even if the data is not accessed by anyone. The physician’s office must conduct a complete risk assessment to ensure that the PHI remains safe on the system, it is not transmitted unsafely (for example, an unsecured e-mail) and check if there are any other possible risks.
  • Business associates and their subcontractors can be held liable for security breach with the new law. For example, if a physician’s office is outsourcing their billing to a medical billing company and somebody steals the PHI during the billing process, then the company is liable for security breach. At the same time, if the company has brought in a subcontractor for running network cable and electric lines, then the subcontractor is also liable for the breach. Hence, it is very important for physician practices to review all business associate agreements and check whether they need to be revised or modified.
  • There will be more frequent HIPAA audits and the auditors will be given incentives for identifying security problems. Also, the fines with penalties are higher. All physicians’ offices should conduct at least a quarterly risk assessment to stay clear of security issues.

To put in a nutshell, it has become more challenging for physician practices to comply with the new HIPAA rule. If administrative tasks are outsourced, then they should rely upon a company that offers HIPAA compliant medical billing and coding services and has strict security measures in place. Such a company provides the service of employees who are well-trained in HIPAA rules, password protection and encryption for PHI during its storage and transmission and has other safeguard measures such as thorough checking of employees, and restrictions on bringing in electronic devices.

HIPAA Compliance Deadline Is Too Near: What You Have to Do

HIPAA Compliance Deadline Is Too Near: What You Have to Do

The HIPAA/HITECH Omnibus Final Rule which came into effect on March 2013 to improve the privacy and security requirements had a 180-day compliance period. That period is going to end on September 23, 2013. The new rule not only covers employers who sponsor HIPAA-covered plans, but also insists that vendors who provide services to HIPAA-covered plans (for example insurance brokers, pharmacy benefit managers) and business associates also to follow the HIPAA regulations. The U.S. Department of Health and Human Services (HHS) can take action against both parties in case of HIPAA security breach. So, what should an organization that supports HIPAA-covered plans or a business associate do to comply with HIPAA/HITECH Omnibus Final Rule before the deadline?

  • Put into Practice or Revise Security Policies and Procedures – Security breach can lead employers and business associates to make costly settlements under the new law. It is very important for both parties therefore to implement or update security policies and procedures according to the new law to reduce the risk of security breach. Conduct a risk assessment to ensure the safety of Protected Health Information (PHI) and check whether the new privacy policies and procedures mitigate the potential risk of security breach.
  • Revise or Implement Privacy Policies and Procedures – If you are an employer that sponsors HIPAA-covered plans, then you must have already implemented HIPAA privacy policies and procedures. To comply with the new HIPAA law, you should update all those policies and procedures as there is new standard for identifying security breach and new procedures apply to requests for accessing PHI. The Omnibus Final rule not only curbs disclosure of PHI, but even the risk of disclosure. For example, if you store PHI in a computer or transmit it through the internet without password protection or encryption, then it is termed as security breach under the final rule even if it is not accessed or used by anyone. At the same time, it is the legal responsibility of business associates also to implement privacy policies and procedures that comply with the final rule.
  • Have or Revise Business Associate Agreements – The Omnibus final rule insists to add new provisions in business associate agreements along with earlier provisions such as business associates should comply with the requirements of the HIPAA Security Rule, they should report any security breach to the relevant covered entity, they should have business associate agreements with their subcontractors who have access to PHI, and they should comply with the requirements of the HIPAA Privacy Rule while handling any responsibility given to them by the covered entity. So, if you are a business associate, it is imperative to enter into business associate agreement with your subcontractor. If you are an employer, review the business associate agreements and update them to add new provisions. Though several vendors are already updating the agreements, covered health plans are given the deadline of September 22, 2014 to update existing business associate agreements.
  • Renew HIPAA Privacy Notice – Employers must update their HIPAA Notice of Privacy Practices on or before September 23, 2013 to inform the participants in HIPAA-covered plans about new rights and restrictions regarding the use of PHI. Employers can post the notice in their website or distribute it within 60 days of the effective date.
  • Training for Employees – Employees with the organizations that sponsor HIPAA-covered plans or business associates should be informed about HIPAA regulations and what they should do to ensure compliance. Only then can both parties meet the complex HIPAA compliance obligations. Refresher training can be provided for employees.
HIPAA Privacy and Security Changes and Policies Mentioned in HITECH Act

HIPAA Privacy and Security Changes and Policies Mentioned in HITECH Act

HITECH Act: IT Policies & Procedures

The healthcare IT component of the ARRA (American Relief and Recovery Act) is commonly referred to as the HITECH (Health Information Technology for Economic and Clinical Health) Act. The HITECH Act covers a wide range of healthcare IT initiatives.

The electronic security measures mandated in HITECH are similar to any business that needs to protect confidential information. Electronic Protected Health Information (EPHI) must be unreadable to unauthorized persons for EPHI to be considered secured.

Encryption of data is important

The new HIPAA regulations require that all servers, flash drives, workstations, laptops and other devices that store data should utilize data encryption technology. This will ensure there is no chance of unsecured EPHI.

Encryption of network transmissions

The transmission of EPHI over the internet should be encrypted. The most common secure technologies used are Secure Sockets Layer (SSL), IPSecurity (IPSec) and Transport Layer Security (TLS).

Utilize encryption on wireless access points

In medical offices they use laptops and tablets that will communicate through wireless access points. Make sure that all your WAPS use encryption techniques and assign a security key to access your network.

Encrypt your copiers

Digital copiers have built-in hard drives. If you dispose of a copier by selling it, the data on the hard drive may be unencrypted. If so, it is unprotected and can be accessed by others.

Maximize the use of patient portals

In a patient portal, standard email is used between the parties to inform that a message is available to be viewed on the portal. The party that receives the message logs into the portal to receive and reply to the message. In this way, the EPHI is restricted within the portal website, and the encrypted information is secure.

Secure remote access

Companies provide teleworkers remote access that includes virtual private networks, remote system control, and individual application access. They should use antivirus for protection of data.

Use firewalls

Any local network that is connected to the Internet should use firewall to avoid unauthorized access.

A proper backup plan is required

Although not new to HIPAA under HITECH, the HIPAA security rule does require all EPHI to have a backup/disaster recovery plan.

A medical billing company can help you maintain the standard, security and privacy of your outsourced work at an affordable budget.