Now is the time for covered entities to get their HIPAA houses in order. Ever since Title II of the Health Insurance Portability and Accountability Act (HIPAA) became effective in April 2005, employers – which can be covered entities in certain situations – have known that the Department of Health and Human Services (HHS) has the authority to conduct compliance audits and investigations with regard to HIPAA’s information security provisions. To date, however, these sporadic audits and investigations have been chiefly complaint-driven, relatively few in number, and conducted on a case-by-case basis, with HHS seeking voluntary resolutions between the parties involved.
In 2008, this relatively low-key approach to audits and investigations changed. HHS has contracted with a private company to perform surprise compliance reviews and investigations of covered entities with respect to their compliance with the HIPAA security rules. For now, it appears that HHS will be performing these compliance reviews and investigations through September 2008. Following the conclusion of the audits, HHS may impose fines, initiate corrective action plans, or take other similar actions.
If you haven’t reviewed your policies and procedures to ensure HIPAA compliance, this is a good reason to do so. Of particular importance are periodic risk assessments and ongoing training programs for those who have access to protected health information. You should also continue to be vigilant with respect to any HIPAA-related complaints: investigate them thoroughly and take appropriate remedial action. It appears that at least some of the surprise audits that have already occurred were partly driven by complaints received by HHS.