The Office for Civil Rights (OCR), the agency within the U.S. Department of Health and Human Services tasked with HIPAA compliance enforcement, is about to start formally notifying various healthcare providers and plans that they have been selected for an audit. Those covered entities selected will be required to submit specific documentation to OCR that demonstrates how their respective organizations are complying with HIPAA compliance requirements.
The goal with the Phase 2 Audit program is to determine how well covered entities are implementing the correct policies and procedures for HIPAA compliance. If the results of the Phase 2 audits are anything like the first audit, OCR is probably going to see disappointing data indicating most organizations are not fully complying with all the requirements.
There is an easier, and less costly, way to find out the current compliance status of covered entities, one that saves taxpayers the expense of paying a contractor to gather the results. Published reports showed that OCR paid about 9 million dollars to the global audit firm KPMG in 2012 to conduct the Phase 1 audits.
NueMD released the results of their follow-up survey to the original survey conducted in 2014, which looked at the status of HIPAA compliance. In the updated survey, 927 respondents, which included practices and billing companies, answered a number of revealing questions about the current status of HIPAA knowledge and compliance. For comparison purposes, OCR is looking to identify about 200 covered entities for the Phase 2 audit.
So what did NueMD find out in their updated survey? Overall HIPAA compliance is still not close to where it needs to be at most organizations. With HIPAA data breaches occurring on what seems like a daily basis, the survey clearly shows why this is happening.
Here are some significant findings of the survey:
- Regarding the annual requirement for HIPAA Security Awareness Training, the 2014 survey indicated that 62% of owners, managers and administrators claimed they provided training for their staff annually; that number has now dropped to 58%.
- Appointing HIPAA Security and Privacy Officers is another requirement for compliance. The survey found an actual decrease in these appointments. Although appointments were only down by a few percentage points, the study said, “These may not be extraordinary changes, but the numbers are moving in the wrong direction!” Agreed.
- On the positive side, the survey showed, “A region that suggests a correlation between increased awareness and improved compliance is that of Business Associate Agreements” (BAAs). In 2014, 60% of the respondents were aware of the use of BAAs, whereas in 2016, 68% now claim to know more about these rules.
- Another positive finding was in the awareness of the HIPAA Omnibus updates. In 2014, 64% of respondents indicated they were aware of the updates to the law. That percentage increased to 69% this time around. The Omnibus Rule affords patients many additional rights that healthcare providers must be aware of. Although there was an increase, providers must do a better job of understanding their responsibilities under Omnibus.
The updated NueMD survey is a good barometer for gauging overall HIPAA compliance efforts, but as the survey shows, covered entities still have a long way to go to make sure they fully understand all of the requirements, not just some of them.