OCR Seeks Responses to Enhance HIPAA Audit Program
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is conducting a HIPAA Audit Review Survey to gather feedback from entities that have undergone HIPAA compliance audits; the data collected will be used to improve future audit programs.
In 2016 and 2017, OCR conducted its second phase of HIPAA compliance audits. The audit program consists of documentation requests covering particular aspects of the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. The audits identified which elements of the HIPAA Rules were proving problematic for HIPAA-covered entities and business associates.
The audit review survey is intended to collect information on the impact the audits had on the audited organizations and on their views of the audit process. The goal is to determine how effective the audit program was at evaluating the efforts of HIPAA-regulated entities and their business associates to comply with the HIPAA Rules, and to measure the effect the audits had on the steps covered entities and business associates subsequently took to achieve compliance.
The survey gives the audited entities the opportunity to provide feedback on the effectiveness of HHS HIPAA guidance and communications, on how easy the online submission portal was to use for uploading documentation requested by auditors, and on whether the audits and the reported audit findings helped to strengthen the entity's compliance.
OCR is also seeking feedback on the burden the audits placed on covered entities and business associates in terms of the documentation requested and the responses to audit-related requests, including the effect on day-to-day business operations. The questionnaire contains 39 questions and will be sent to the Privacy and Security Officers at 166 HIPAA-covered entities and 41 business associates. OCR states that the data gathered will be used to improve future HIPAA compliance audits; the announcement of the survey may indicate that OCR is preparing to conduct another round of audits, or even to establish a permanent audit program.
The HITECH Act requires HHS to audit HIPAA-regulated entities every year to assess compliance with the HIPAA Rules, and although a permanent audit program has been discussed over the years, one has not yet been established. Instead, OCR carried out its first round of HIPAA audits in 2011 and a second phase of audits in 2016/2017. OCR has stated that it intends to abide by this requirement of the HITECH Act; however, the department faces a persistent funding shortfall, and there is no sign that Congress will provide additional funding.
OCR does have the option of imposing more civil monetary penalties for HIPAA violations and using that money to fund an audit program; however, a reinterpretation of the HITECH language reduced the penalty amounts, which has significantly decreased the revenue OCR generates from enforcement actions. OCR has asked Congress to increase the maximum civil monetary penalties for HIPAA violations, which would help to address OCR's funding difficulties and is more likely than HHS being allocated additional funding.
Investigations require resources, and it can take many years before financial penalties are imposed or cases are settled. The most recent OCR enforcement action took 8 years to resolve. OCR has reorganized to improve efficiency by making better use of its resources, which may have given OCR more bandwidth to start working through its backlog of data breach investigations and could lead to more enforcement actions. Whether that will be enough to fund a costly permanent audit program remains to be seen, but it is clear that such a program is needed. The last round of HIPAA audits found widespread noncompliance with the HIPAA Rules, and although OCR has increased enforcement activity recently, the likelihood of being investigated or audited and having to pay a financial penalty remains very low. As a result, when resources are contested, many HIPAA-covered entities put HIPAA compliance on hold.
CMS Updates Policy to Authorize Texting Patient Data and Patient Orders
The Centers for Medicare and Medicaid Services (CMS) at the Department of Health and Human Services (HHS) has revised its policy on texting patient information between members of the healthcare team and on texting patient orders. Clinical teams may now text patient information provided they use a HIPAA-compliant texting platform and comply with the Conditions of Participation (CoPs). CMS now also permits the texting of patient orders.
In January 2018, CMS issued the QSO-19-10-Hospital, CAHs Modified memorandum on Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs), acknowledging that many hospitals had adopted secure text messaging platforms for communication among hospital and CAH team members. CMS explained, however, that texting patient orders from a provider to a member of the care team did not comply with the CoPs at that time because of concerns about privacy, record retention, and the confidentiality, security, and integrity of the systems involved. When the memorandum was written, most hospitals were unable to use secure text messaging platforms to incorporate messages into electronic health records (EHRs). Technological advances over the past 6 years, such as encryption, now ensure that sensitive health information can be transmitted and stored securely, and improvements in the application interface features of text messaging platforms allow data to be transferred into EHRs.
Although texting patient orders is now permitted, Computerized Provider Order Entry (CPOE) remains the preferred method of order entry for healthcare providers. If an order is entered via CPOE and immediately downloaded into the hospital's or CAH's EHR system, it is permitted under the CoPs because the order is dated, timed, validated, and promptly placed in the medical record. Nonetheless, providers must implement and maintain systems and platforms that are secure and encrypted. They should ensure reliable author identification and minimize risks to patient privacy and confidentiality, in line with HIPAA requirements.
In addition, policies and procedures should be put in place to routinely assess the security and integrity of the texting systems and platforms, to prevent adverse outcomes that could compromise patient safety. Any organization that chooses to incorporate texting of patient information or orders into the EHR must ensure that the platform meets the requirements of the HITECH Act and HIPAA.