Post

By Tom Meadows, HIPAA Compliance Officer, HIPAAwise.com On May 1st, the OCR released new information regarding a covered entities responsibility for completing an appropriate risk analysis.  Based on the dismal results that were achieved during the phase 1 and 2 audits of covered entities, it is clear there is still much confusion. Let’s start by reviewing the OCR’s random audit results.  Over the last 3 years the OCR conducted random audits of around 200 covered entities and business associates.  Here is a summary of those results:  

Rating		% of Audited CEs	% of Audited BAs
1	Audit results indicate the entity is in compliance with both goals and objectives of the selected standards and implementation specifications.	0%	7%
2	Audit results indicate the entity substantially meets criteria; it maintains appropriate policies and procedures, and documentation and other evidence of implementation specifications.	14%	12%
3	Audit results indicate the entity efforts minimally address audited requirements; entity has made attempts to comply, but implementation is inadequate, or some efforts indicate misunderstanding of requirements.	32%	37%
4	Audit results indicate the entity made negligible efforts to comply with all the audited requirements; e.g. policies and procedures submitted for review are copied directly from an association template; evidence of training is poorly documented and generic.	33%	29%
5	The entity did not provide…evidence of serious attempt to comply with the rules and enable individual rights with regard to PHI.	21%	15%

Looking at these results in more familiar terms we find that not a single covered entity received an “A” on the Risk analysis requirement and only 14% received a “B”.  More than half of covered entities received a “D” or an “F”. Now consider that most settlements and fines imposed on covered entities (all settlements over $1,000,000) involved NOT having a proper risk analysis in place.   It is time to get serious. Roger Severino, Director of the OCR is all about enforcement.  He took over under the new administration after these audits were completed.  His determination was in essence, ‘Why continue to audit when it appears that very few covered entities are within acceptable parameters of compliance?’ The HIPAA combined text is an enormous document that includes more than just risk analysis, such as policies and procedures, employee training, business associate agreements, to name a few. Because it is so extensive, many providers feel they have a little of everything but seem to consistently ignore completing a risk analysis. The poor performance demonstrated during the random audits has shown the OCR that they need to step up enforcement.  Bottom line, what the OCR learned from the audits is that covered entities are not complying with the risk analysis component of the HIPAA laws.  Fines are calculated as much as $1,000 per day over the period an appropriate risk analysis was not in place. I urge you to attend the HIPAAwise discussion to be given at the Heartland Conference. We will walk you through everything you need to know to ensure you understand the differences between your HIPAA Gap Analysis vs. your HIPAA Detailed Risk Analysis. Even if you believe you have everything you need to satisfy the Requirements set forth in the HIPAA Combined Text, the results of Phase 2 Audits suggest you are probably lacking an acceptable Detailed Risk Analysis. It’s a small amount of your time that could save you millions if you are wrong. Would you like an easy and affordable HIPAA compliance solution? If the answer is yes, then you need HIPAAwise. HIPAAwise is a comprehensive HIPAA security assessment and compliance program software tool that allows you to implement and maintain a HIPAA compliance program in one on-line location. To learn more, or to schedule a live demonstration of HIPAAwise, contact us today! Attending the VGM Heartland conference? Learn more about this topic on Wednesday, June 20 when Tom presents! Later that afternoon be sure to join us in the theater for live demonstrations of HIPAAwise and take advantage of our Heartland special pricing! For more information, or to register, visit http://www.vgmheartland.com!