OCR Wants Opinions to Develop HIPAA Audit Program
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is having a HIPAA Audit Review Survey and is looking for comments from entities that need to undertake HIPAA compliance audits to get data to enhance upcoming audit systems.
From 2016 to 2017, OCR held the second step of its HIPAA compliance audits. The audit program requires documentation requests on certain areas of the HIPAA Security Rule, HIPAA Privacy Rule, and Breach Notification Rule. The audit results showed which elements of the HIPAA Regulations were appearing difficult for HIPAA-regulated entities and business associates.
The audit review survey is being performed to acquire facts concerning the results of the audits on the audited organizations and their thoughts on the audit procedure. The target is to know the effectiveness of the audit plan in examining the work made by HIPAA-covered entities and their business associates to adhere to the HIPAA Guidelines and gauge the influence of the audits on covered entities and business associates enforcing the measures to abide by HIPAA.
The survey will avail the audited organizations with the option to share feedback on the helpfulness of HHS HIPAA guidance and communications, how quick the online submission site was to use when publishing documentation expected by auditors, and if the disclosed information of the audits and the audits themselves truly helped to strengthen entity compliance.
OCR is likewise looking for responses to the problem that the audits are causing on covered entities and business associates with regards to the needed documentation and answers to audit-linked requests, such as the consequence on day-to-day business. Questionnaires will be made up of 39 questions and will be given to Privacy and Security Officers at 166 HIPAA-regulated entities and 41 business associates. OCR says that the details obtained will be utilized to boost future HIPAA compliance audits and the launched survey could suggest OCR is considering doing one more round of audits or even commencing a permanent audit system.
The HITECH Act necessitates the HHS to do yearly audits of HIPAA-regulated entities to evaluate adherence to the HIPAA Regulations, and although there has been conversation regarding the years related to a permanent audit program, it has not been pushed through yet. Rather, OCR performed its first HIPAA audits in 2011 and the subsequent phase of audits in 2016 to 2017. OCR mentioned that it plans to conform to this condition of the HITECH Act nevertheless the department is confronted with a serious funding scarcity and there are no indications that Congress shall give any additional cash.
OCR has the alternative of awe-inspiring more civil monetary fines for HIPAA violations and can utilize the collections to spend on an audit system; nonetheless, a reinterpretation of the HITECH terms led to the decrease of the penalty sums and that has considerably lowered the finances OCR has earned from enforcement actions. OCR is requesting Congress to add to the maximum civil monetary penalties for HIPAA violations which should help to fix OCR’s funding issues, and this is more possible than the HHS being granted a higher funding.
Doing investigations requires resources and it may take several years before financial fines can be enforced or cases resolved. The most current enforcement action by OCR was settled in 8 years. OCR has been through a rearrangement to strengthen effectiveness by better utilizing its resources and that may have granted OCR extra bandwidth to commence handling the backlog of data breach investigations, which could bring about more enforcement actions. Whether that is going to be adequate to pay for a pricey permanent audit program is yet to be seen, nonetheless, it is apparent that such a program is essential. The last case of HIPAA audits revealed extensive HIPAA Regulations non-compliance and though OCR has grown in enforcement activity lately, the odds of being inspected or audited and having to pay financial charges is very minimal. Therefore, whenever there are other priorities for resources, many HIPAA-covered entities do HIPAA compliance later.
CMS Updates Guidelines to Permit Texting Patient Details and Patient Orders
The Centers for Medicare and Medicaid Services (CMS) at the Department of Health and Human Services (HHS) has revised its guidelines on texting patient data among members of the healthcare team and sending texts of patient orders. Healthcare teams are now authorized to text patient details provided they utilize a HIPAA-compliant texting program to do so, and as long as they follow the Conditions of Participation (CoPs). The CMS additionally permits the text messaging of patient orders.
In January 2018, the CMS released a QSO-19-10-Hospital, CAHs modified memorandum about Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs), seeing that numerous hospitals had implemented a safe text messaging program for connecting with hospitals and CAH team members; nevertheless, the CMS mentioned that text messaging about patient orders from a provider to a member of the care team does not conform with the CoPs because of problems about privacy, record keeping, and the confidentiality, integrity and security of systems during the time. At the time the memorandum was made, many hospitals could not make use of safe text messaging tools to integrate information into electronic health records (EHRs). Advancements in technology in the last 6 years, for instance, the usage of encryption, make sure that sensitive health information can be sent and saved safely and developments in technology, specifically the application interface functionality of text messaging systems, permit the sending of information to EHRs.
Though texting patient orders is already authorized, Computerized Provider Order Entry (CPOE) is the recommended way of order entry by a company. When an order is inputted through CPOE and instantaneously downloaded into the EHR system of the hospital or CAH, it is allowed under the CoPs considering that the order is dated, timed, verified, and quickly put in the medical record. Nevertheless, providers should make use of and keep systems/platforms that are protected and encrypted. They need to ensure the credibility of author identification and reduce threats to patient privacy and confidentiality, as per HIPAA requirements.
Furthermore, procedures and processes must be enforced that consistently examine the protection and integrity of the texting systems/tools to steer clear of negative results that can compromise the health care of patients. Any company that decides to include texting patient data or orders within the EHR must make sure that the platform satisfies the demands of the HIPAA and HITECH Act.