HIPAA privacy audit tool

Healthcare Financial Management, Feb, 2006 by Linda S. Ross, Michael J. Friedman

Many covered entities (healthcare providers, health plans, and healthcare clearinghouses) heaved a sigh of relief after finalizing their Health Insurance Portability and Accountability Act Notice of Privacy Practices, adopting policies and procedures, and conducting workforce training. Reports from the U.S. Department of Health and Human Services Office of Civil Rights, which is charged with enforcing the privacy rule, however, indicate that complacency comes at a price. As of Nov. 8, 2005, 16,175 complaints have been filed with OCR, and conversations with OCR representatives indicate that complaints are being filed at an increasing rate.

Approximately one-half of all complaints received have focused on impermissible disclosures or disclosures that the complainant thought were improper. From the covered entity's perspective, the greatest problem has been rogue employees--those who do not follow the privacy policies and procedures. OCR notes that, so far, only a small number of complaints have led to civil penalties. As time goes by and the necessary compliance steps are presumed to be better understood and implemented, however, OCR expects the number of complaints that result in civil penalties will increase. In other words, OCR will be less tolerant of well-intentioned mistakes, omissions, and failures.

HIPAA violations typically arise when real-life situations demonstrate shortcomings in a covered entity's notice of privacy practices, policies and procedures, or the extent to which the covered entity's workforce complies (or fails to comply) with those NPPs, policies, and procedures. Adoption of NPPs and policies and procedures and completion of initial workforce training are preliminary, but by no means the final, steps in ensuring HIPAA compliance.

In light of increased levels of complaint investigations and referrals to the U.S. Department of Justice, covered entities would be wise to audit their HIPAA compliance as part of their commitment to compliance and risk management.

A HIPAA self-audit should include two phases. The first phase is to examine the extent to which the covered entity has met the documentation requirements mandated by the HIPAA statute and regulations. The second, and perhaps more important, phase is to assess the extent to which the covered entity and its workforce are actually complying with the HIPAA compliance policies, procedures, forms, and initiatives instituted by the covered entity. This phase should involve on-site visits to various locations of the covered entity where personal health information is used or disclosed and should include observations of daily operations involving the use and disclosure of PHI, such as in a waiting room of a particular hospital clinic. It also should include monitoring access to PHI and steps taken when improper access is discovered.

The number of blatant yet correctable HIPAA violations that occur regularly is surprising. Identifying your own HIPAA shortcomings enables you to correct them, reducing both the risk of HIPAA violations and the personnel, time, and financial resources that would be required to respond to a government-initiated investigation.

Linda S. Ross is a partner, Health Care Department, Honigman Miller Schwartz and Cohn LLP, Detroit (lross@honigman.com).

Michael J. Friedman is a partner, Employee Benefits Department, Honigman Miller Schwartz and Cohn LLP, Detroit (mfriedman@honigman.com).

SELF-AUDIT TOOL

The form that follows is one of nearly 100 templates that comprise an integrated toolkit developed to help covered entities assess their HIPAA compliance. This assessment consists of a review of documentation/policies and an on-site review of compliance practices. The template focuses on business associates and is intended for use during an on-site review of compliance practices.

COPYRIGHT 2006 Healthcare Financial Management Association
COPYRIGHT 2006 Gale Group