Ready or not, here they come. As demanded by HITECH, CMS’s Office of Civil Rights is officially gearing up to conduct HIPAA compliance audits of providers.
While the effort should start slowly — it seems OCR will review only 150 Covered Entities in 2012 — the process is likely to pick up speed over the next year or two, so brace yourself.
Wondering what the auditors will be doing? Well, here are some of the requests OCR made in its RFP seeking contractors for the program. OCR wants them to deliver:
A timeline and methodology of the audit
Best practices noted
Raw data collection materials such as completed checklists and interview notes
A certification indicating the audit is complete
The report must include specific recommendations for actions the audited entity can take to address identified compliance problems through a corrective action plan. The report must include recommendations to the Contracting Officer’s Technical Representative regarding continued need for corrective action, if any, and description of future oversight recommendations.
According to audit expert Alex Sotomayor, who was present at a speech given by Deputy Director for Health Information Privacy Susan McAndrew, OCR hopes to turn the HITECH audit process into an “educational” experience. The idea is to create a benchmark for compliance which other covered entities can use to prepare for their own audits.
That being said, CMS has some incentive to hit providers hard, Sotomayor suggests. After all, the Act lets the agency keep any money auditors generate in fines, and it’s hard to believe CMS administrators aren’t keeping that in mind. And it’s worth noting that CMS won’t be doing any initial “off the record” reviews to help providers get oriented — they’re going straight to the “live” audit. If auditors find suggestions of HIPAA problems, the OCR can do a full-scale review and ultimately smack providers with heavy fines. Clearly, CMS is emphasizing the stick over the carrot here.
Given the scale of the threat involved, it’s a shame OCR hasn’t been incredibly clear about its plans. Among other things, it hasn’t even said how many hospitals, physicians or other covered entities will be part of the original 150 providers targeted in 2012. If I were a hospital IT administrator, I’d keep a very close eye on OCR’s progress.