Colleen Curtin-Product Manager, 1Call Division of Amtelco
The Office of Civil Rights (OCR) of the U.S. Department of Health and Human Services recently released information about Phase 2 of its HIPAA enforcement audit program.
Who will be audited?
The OCR announced that notices have been sent to random Covered Entities, which includes health plans, healthcare clearinghouses, and healthcare providers. Random audits of Business Associates will also start this fall. Business Associates are classified as any business that handles electronic Protected Health Information (ePHI) for a Covered Entity.
What is ePHI?
ePHI is anything transmitted electronically that can be used to specifically identify a patient: name, date of birth, admission/discharge date, date of death, medical record number, telephone number, address, city, state, postal code, e-mail address, and so forth.
Did your organization receive a letter?
If you haven’t received one yet, it doesn’t mean that you won’t get one soon. Audits will take place randomly, and also can be prompted by a complaint submitted to the OCR, or by a report of a security breach.
How long will audits continue?
The OCR has a budget of more than $40 million for audits, and this allocation will continue to increase. Audits will become commonplace for the healthcare industry as time goes on.
What are the financial impacts?
OCR audits are predicted to result in millions of dollars in fines and incurred costs. This will be devastating to Covered Entities as well as their Business Associates.