What Factors & Scenarios Trigger a HIPAA Audit?
HIPAA, the Health Insurance Portability and Accountability Act, is a federal law that regulates the use and disclosure of protected health information (PHI) (HHS, 2021). The law requires organizations and individuals that handle PHI to comply with strict privacy and security standards to protect this information. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA regulations and audits regulated entities for compliance.
What is a HIPAA Audit?
HIPAA identifies two groups that must comply with its regulations: covered entities and business associates. Covered entities are healthcare providers, health insurance companies, and healthcare clearinghouses (HHS, 2017). Business associates are organizations that carry out certain services or functions on behalf of a covered entity and need access to PHI to do so (HHS, 2019). In recent years, HIPAA has been re-examined to account for newly emerging healthcare technologies, websites, applications, and delivery methods.
The OCR performs a HIPAA compliance audit to confirm that covered entities and business associates protect and properly utilize PHI. The audit examines the organization’s compliance plan, policies, procedures, and business associate agreements.
What will trigger a HIPAA Audit?
Here are the scenarios that will trigger a HIPAA audit:
- A HIPAA violation complaint submitted to the OCR against your organization: “Generally, complaints are filed by patients at hospitals who are unable to get their medical records,” Lankenau says. “Other complaints include ‘whistleblower’ type grievances from a staff member against an employer.” Employee mistakes and misconduct can also lead to HIPAA violation complaints.
- A PHI breach at your organization or at one of your business associates: A PHI breach may result from an office burglary, a ransomware or other cyberattack, lost or stolen devices, or improper disposal of PHI.
- Other unauthorized access to PHI: Unauthorized disclosure of PHI can take many forms, including employees viewing patient information outside the scope of their job, sharing patient data with the media or with individuals the patient did not approve, or using sensitive PHI for research without the patient’s consent.
- Selection for an OCR audit without a specific complaint or breach: Your organization may be selected for an OCR audit even when no incident has been reported. The likelihood is higher if your organization has been audited before, has a history of HIPAA violations, or has been involved in PHI breaches.
Additional HIPAA violation risks arise when some employees work from home, where PHI may be handled on personal devices and home networks outside the organization’s usual controls.
What’s next after an audit is triggered? “The OCR receives the complaint, then announces plans and protocols to audit the organization,” Lankenau says. “If an organization receives an official notice from the OCR of an audit, they should contact any HIPAA consultants they use and get legal counsel.”
How We Keep Your Patients’ PHI Safe
“YES follows all HIPAA guidelines that pertain to Business Associates, including encryption and limited system access,” Lankenau says. “We regularly provide team member training and test for common threats. Our comprehensive security program includes monthly compliance refreshers. We developed our policies with the guidance of outside compliance experts.”
Looking for a trusted, reliable partner to conduct your quarterly coding audits or provide PRN coding support? Trust in our team at YES. Our coding and auditing experts are routinely trained to keep patient information and other sensitive data secure according to HIPAA’s guidelines. Connect with our team to learn more about our cutting-edge services.