Transcript

Episode 409: The Forthcoming Return of Random HIPAA Audits Transcript

 

Evan Dumas 

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host Evan Dumas. And

 

Liath Dalton 

I’m Liath Dalton and we are Person Centered Tech. This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments, and bill insurance, all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 409: The Forthcoming Return of Random HIPAA Audits.

 

Liath Dalton 

Ah yes, the random HIPAA audit program, which kind of led previously to this sense that there was in fact a HIPAA police.

 

Evan Dumas 

Haha.

 

Liath Dalton 

Which, if you have been part of the PCT community for any extended period of time, you have heard us say that there is no such thing as the HIPAA police. And that is still the case with this. And the audit program, when it was in place, was first in place in 2012. And then again, there was a two-year period of these random HIPAA audits being done in 2016 and 2017.

 

Liath Dalton 

It has been totally dormant since the end of 2017. But we would say that the purpose of that audit program was not to be the HIPAA police but to discover where there are gaps in compliance so that they can be addressed. Not with the primary purpose being penalties or punitive consequences. But just because the audit program is considered to be something that’s supportive of understanding where there are gaps and identifying what’s necessary to address them.

 

Evan Dumas 

Mhmm.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

Which leads us to where we are now, which is that in the middle of February, on February 12, Health and Human Services published a notice in the Federal Register, that there is going to be a resumption, there is intention to resume the random HIPAA audit program. And we don’t have an exact timeframe for when that will officially begin. The sort of chatter is that it’s likely to be resumed by the end of the year. So what we want to talk about, because our focus is always on being able to be proactive wherever possible, equipping you with what you need to know, to be able to navigate this and have peace of mind in place. Right? So Evan, what was the largest gap in compliance with the HIPAA requirements and standards that was previously identified in the prior random audit periods?

 

Evan Dumas 

It was risk analyses, that people didn’t do their risk analyses.

 

Liath Dalton 

Indeed, and that’s part of why we have said that we know that the risk analysis standard and that fundamental requirement of HIPAA compliance is and has been, historically, the least complied with, but it is being heavily emphasized as the most important because, you know, we can’t protect against risks and put reasonable safeguards in place to prevent their realization or lessen their impact if we haven’t identified what they are in a thorough and intentional way.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So that part kind of comes as no surprise. Other notable gaps were related to HIPAA Notices of Privacy Practices, the client-facing forms where they’re being informed of their rights under HIPAA, not containing required language and components, and not having the necessary customization that is specific to, like, psychotherapy, keeping of psychotherapy notes, and the additional components around state restrictions and where there are protections that are even more stringent than what’s afforded under HIPAA in place. And then the other big piece, which the Office for Civil Rights, the HIPAA regulators, takes really seriously, is when rights of access were not being followed. Where clients or patients were being restricted from accessing their health records when they had rights of access. Though that component of things is not going to be the primary focus of this random audit period, because they already have an active Right of Access Initiative

 

Evan Dumas 

Oh yeah.

 

Liath Dalton 

that has been ongoing for the last couple of years. So really, I think the primary piece that they’re going to be looking at is the risk analysis component. And part of what informs us knowing that is because they’ve also been emphasizing that in other recent communications and bulletins, mainly in response to the Change Healthcare debacle.

 

Evan Dumas 

Hahah, yeah.

 

Liath Dalton 

And the letter to all HIPAA covered entities and business associates that they recently released, saying, you know, this whole incident emphasizes the importance of all parties that are subject to HIPAA really managing their compliance with the standards, and in particular, the risk analysis requirement.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

So we know that that is top of mind for them. And so, as we’re kind of announcing this piece of information to you, since they have recently made known that these random audits are going to be resumed, that that is their intention, our desire is to help you prepare and have your ducks in a row in advance.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

And that is going to consist of having formal compliance in place as best as possible.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And the main components of that are having a documented, quote, thorough and accurate HIPAA security risk analysis, having a risk mitigation plan that you work your way through, and having comprehensive policies and procedures. So there’s, like the formal compliance requirements. And, of course, the goal of it is that these not just be performative or on paper, but really translate to being implemented in practice.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

Because the end goal is to be safeguarding client information. That’s the whole purpose and utility of this, and that’s in everyone’s interest here. So hopefully, being aware that this is on the not-too-distant horizon gives you a chance to identify any areas where you don’t have formal compliance in place and take action sooner rather than later to

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

get them there so that you just have peace of mind – I’ve got this covered in the event that I might be one of the selected HIPAA covered entities for

 

Evan Dumas 

Yeah.

 

Liath Dalton 

such a random audit.

 

Liath Dalton 

Now, I will say in the previous random audit period, the number of HIPAA covered entities that were audited was 166.

 

Evan Dumas 

Mmm.

 

Liath Dalton 

So still,

 

Evan Dumas 

Yeah.

 

Liath Dalton 

you know, the total number, the odds are small.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So that’s not to say that it couldn’t happen to you. But the audit factor should not be the primary motivating factor for managing these pieces of formal compliance; it really should be that they’re supportive of safeguarding client info,

 

Liath Dalton 

and therefore, your practice. And so that’s the kind of most recent news. And we hope that it inspires you to put it on your short term to-do list to manage the formal compliance requirements, if that has not yet been done. And of course, we have resources and support to assist you with that.

 

Evan Dumas 

Mhmm.

 

Evan Dumas 

Mhmm, exactly.

 

Liath Dalton 

Evan, would you say a little bit about what your favorite things about the risk analysis are, in terms of like equipping folks to manage compliance, and why we refer to it as a two birds one feeder solution?

 

Evan Dumas 

It’s really, what I hear people get from it is that it’s a really non-judging, non-shaming practice, which they don’t see a lot of in their HIPAA compliance work. They see a lot of “Oh, you’re not doing it right, that’s bad.” But we have a pretty compassionate and educating approach to it. And you know, I’ll always let people know when they’re doing something not right. And if they believe one way or the other, you know, we’ll do that risk exploration together. But folks really like it because it is a total overview of all of their risk surface area in regards to HIPAA, and then a plan for what to do about it. And we break that down into bite-sized chunks, and try to make the whole thing pretty manageable when it starts out just being a mountain of unknown height.

 

Liath Dalton 

Mhmm.

 

Evan Dumas 

We then, you know, survey said mountain and make a plan for navigating it. It might just be a hill, so it’s a nice process.

 

Liath Dalton 

And maybe even a molehill.

 

Evan Dumas 

Exactly.

 

Liath Dalton 

Yeah. I like to think of the risk analysis and risk mitigation plan more as a needs assessment and a treatment plan. Right?

 

Evan Dumas 

Mmm.

 

Liath Dalton 

That sounds a lot more accessible in this space, than just risk analysis and risk mitigation plan.

 

Evan Dumas 

Yeah exactly.

 

Liath Dalton 

So if that makes it a little easier to envision applying to your practice, then think of it in those terms.

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

So, hope this sharing of news is helpful, and we’ll talk more about some of the other significant HIPAA changes and their implications

 

Evan Dumas 

Mm, yeah.

 

Liath Dalton 

that are on the horizon in our next set of episodes,

 

Evan Dumas 

Mhmm.

 

Liath Dalton 

so stay tuned for those. And in the meantime, take good care.

 

Evan Dumas 

Yeah, take care everybody.

 

Liath Dalton 

This has been Group Practice Tech, you can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.

Your Hosts

PCT’s Director, Liath, and Senior Consultant, Evan. 

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In this episode, we share ways to be proactive in light of the news that random HIPAA audits are returning.

 

We discuss why there’s still no HIPAA police; the function of these random audits; where the gaps in compliance have been historically; what auditors will likely be looking for; the importance of risk analyses, risk mitigation plans, and policies & procedures; how many HIPAA covered entities were audited the last time the program was active; and PCT’s resources to help you get started with formal compliance in a shame-free way.

Resources are available for all Group Practice Tech listeners below:

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

Resources & further information:

PCT Resources

  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.

  • Group Practice Care Premium

  • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours

  • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)

  • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more

  • PCT’s Group Practice PCT Way HIPAA Compliance Manual & Materials — comprehensive, customizable HIPAA Security Policies & Procedures and materials templates specifically for mental health group practices, with a detailed step-by-step project plan and guided instructions for adopting & implementing efficiently. Includes policy prohibition on use of BCC and CC; workforce forwarding emails from their practice email account to a personal email account; data entry checking/not using autofill suggestions for recipients — the P&P components that address the email-gone-awry situations discussed in the podcast.

  • Policies & Procedures include

  • Customizable templates that address each of the HIPAA Security Rule Standards. Ready for plug-and-play real practice application.

  • Computing Devices and Electronic Media Technical Security Policy

  • Bring Your Own Device (BYOD) Policy

  • Communications Security Policy

  • Information Systems Secure Use Policy

  • Risk Management Policy

  • Contingency Planning Policy

  • Device and Document Transport and Storage Policy

  • Device and Document Disposal Policy

  • Security Training and Awareness Policy

  • Passwords and Other Digital Authentication Policy

  • Software and Hardware Selection Policy

  • Security Incident Response and Breach Notification Policy

  • Security Onboarding and Exit Policy

  • Sanction Policy

  • Release of Information Security Policy

  • Remote Access Policy

  • Data Backup Policy

  • Facility/Office Access and Physical Security Policy

  • Facility Network Security Policy

  • Computing Device Acceptable Use Policy

  • Business Associate Policy

  • Access Log Review Policy

  • Forms & Logs include:

    • Workforce Security Policies Agreement

    • Security Incident Report

    • PHI Access Determination

    • Password Policy Compliance

    • BYOD Registration & Termination

    • Data Backup & Confirmation

    • Access Log Review

    • Key & Access Code Issue and Loss

    • Third-Party Service Vendors

    • Building Security Plan

    • Security Schedule

    • Equipment Security Check

    • Computing System Access Granting & Revocation

    • Training Completion

    • Mini Risk Analysis

    • Security Incident Response

    • Security Reminder

    • Practice Equipment Catalog

    • + Workforce Security Manual & Leadership Security Manual — the role-based practical application oriented distillation of the formal Policies & Procedures

    • + 2 complimentary seats of the Security Officer Endorsement Training Program (1 for Security Officer; 1 for Deputy (or future Deputy) Security Officer).
