The Californian multi-specialty physician’s group, Imperial Valley Family Care Medical Group (IVFCMG), has recently been audited by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) following a potential breach of patients’ protected health information.
A laptop computer containing sensitive patient information was stolen from the physician’s group – a reportable breach under Health Insurance Portability and Accountability Act (HIPAA) Rules.
OCR investigates all breaches of PHI that impact more than 500 individuals, and this security breach was no exception. After reporting the incident through the OCR breach portal, the physician’s group was notified of its audit. The group was asked a comprehensive range of questions relating to the breach, the breach response, and the its compliance program. A response to all of the questions needed to be provided promptly, along with supporting documentation to demonstrate compliance. Failure to produce the documentation could have resulted in a sizable HIPAA violation penalty.
IVFCMG was able to comply with the request, answer the questions, and supply the documentation easily thanks to its use of The Guard – a HIPAA compliance software platform developed by The Compliancy Group.
The Guard uses the Compliancy Group’s ‘Achieve, Illustrate, Maintain methodology’ to ensure compliance with HIPAA Rules. By adopting The Guard, HIPAA-covered entities are guided through their compliance programs and can ensure not only that HIPAA Rules are followed, but that all appropriate documentation is created to demonstrate compliance – Documents that must be produced in the event of a HIPAA audit.
In addition to helping with HIPAA compliance, The Guard includes the Compliancy Group’s Breach Response Program, which guides covered entities through the steps required by the HIPAA Breach Notification Rule.
Through the Breach Response Program, IVFCMG identified the procedures that needed to be completed and was able to investigate and respond to the breach in a timely fashion. The Breach Response Program also helped IVFCMG report the incident to appropriate authorities and create all appropriate documentation to provide to auditors.
“One of the things I was most impressed with Compliancy Group was their responsiveness,” said Don Caudill, IVFCMG’s Chief Strategic Officer. “These are serious deadlines we were being faced with, but Compliancy Group was there every step of the way. They handled the time frames to deal with OCR and gave us guidance about what actions to take.”
When OCR auditors contacted the Californian physician’s group to investigate the breach, a fast response was possible thanks to adoption of the Compliancy Group’s HIPAA Audit Response Program. When the Compliancy Group was notified of an investigation into a potential HIPAA violation, its experts supplied IVFCMG with all the appropriate reports to demonstrate compliance with HIPAA Rules as requested, within the strict timescale set by OCR.
“As a former auditor and co-founder of our company, I’ve built The Guard and developed our Audit Response Program to address the necessary HIPAA regulatory standards for CEs and BAs. In the event of an audit, there’s no better way to handle your organization’s response than by providing your auditors with everything they need to properly assess the scope of the violation. Our goal is to help bridge the gap between auditors and our clients so they can continue to satisfy the law,” said Robert Grant, Chief Compliance Officer of Compliancy Group.
Adoption of The Guard and participation in the Compliancy Group’s Breach Response and Audit Programs has ensured no single HIPAA covered entity has ever failed an OCR or CMS HIPAA-compliance audit.
OCR Increasingly Issues Financial Penalties for HIPAA Violations
OCR has yet to issue a financial penalty to a covered entity for HIPAA violations discovered through its audit program; however, investigations of data breaches are a different story. Last year, OCR issued one civil monetary penalty (CMP) to a HIPAA covered entity and agreed 12 settlements to resolve potential HIPAA violations discovered during investigations into complaints and data breaches. This year, OCR has issued one CMP and agreed eight settlements with covered entities. If HIPAA Rules are discovered to have been violated, financial penalties can be expected.
With enforcement activity increasing, it is more important than ever for covered entities to comply with HIPAA Rules and be able to demonstrate HIPAA compliance to auditors. By adopting a HIPAA compliance software platform such as The Guard, covered entities can relax and be confident that they will pass an audit.