John DiMaggio

Will your skilled nursing facility face a HIPAA audit in 2016? Now is the time for SNF providers to test, analyze and remediate any vulnerabilities in HIPAA Security, Privacy and Breach compliance.

The Office for Civil Rights’ 2016 audit program is currently underway, with a protocol so comprehensive that significant enforcement actions are expected.

Understanding OCR’s audit protocol can help you assess and determine your facility’s potential performance, should an audit occur. The protocol encompasses a broad scope of requirements and implementation specifications from HIPAA Privacy, Security and Breach Notification Rules. Included in the protocol are 89 Privacy requirements, 72 Security requirements and 19 Breach Reporting requirements (see the OCR Audit eBook link at the end of this article for a complete listing of potential audit topics).

OCR will identify a subset of audit topics from among the 180 potential audit items. Since a facility has no way of knowing which of the 180 topics OCR will select, it is best to be prepared to demonstrate compliance with all 180 topics. Think of it like studying for a 20 question final exam: Since you don’t know what material will be on the exam, you study the entire textbook!  

OCR protocol promises an exhaustive review of each audit topic ultimately selected.  This will include verification that policies and procedures exist, and that the organization performs the necessary requirements. Additionally, OCR will obtain and review Rule Policies and Procedures to ensure all required elements are included and executed in accordance with HIPAA requirements.  

For security items, if the item is “Addressable” vs. “Required”, AND the entity has chosen an alternative measure, OCR will obtain documentation as to why the alternative was chosen and evaluate that documentation to determine if the alternative is equivalent to the implementation specification.

Even if your skilled nursing facility is not selected for an OCR audit, keep in mind that failure to comply with HIPAA regulations can result in hefty fines, negative publicity, reputational damage, legal fees and lengthy government corrective action plans. Breaches or complaints can lead to OCR investigations and bring additional costs including credit monitoring fees for affected residents. The extent of these costs can be driven or mitigated, based on the demonstrated compliance of your organization.  

For more information on OCR audit protocol, or to learn about the actual audit process, anticipated failing points and best practices for audit readiness, download our OCR Audit eBook.

John DiMaggio is the CEO at Blue Orange Compliance. To learn how BlueOrange Compliance can help you turn HIPAA complexity into HIPAA compliance, visit blueorangecompliance.com.