What to do if you are notified of a HIPAA onsite audit
The very idea of being audited, regardless of by whom, is a bit disturbing. Covered entities, such as physicians, and their business associates have been subject to audits by the Office for Civil Rights (OCR), a department within the Department of Health and Human Services (HHS), for the last several years. And there’s another new set of audits coming.
Currently, Phase 2 of the Health Insurance Portability and Accountability Act (HIPAA) Audit Program is underway. During 2016, covered entities and business associates may be asked to submit documents for a desk audit of their HIPAA compliance. Beginning next year, HHS will commence conducting onsite audits. In an onsite audit, auditors visit the practice; in a desk audit, the practice sends in documents to CMS for review.
Peter Blenkinsop, a partner at the Washington, D.C., location of law firm Drinker Biddle & Reath, says all covered entities and their business associates could be subject to either, or both, types of audit.
“You can absolutely have an onsite audit without having had a desk audit. You could also be chosen for both,” he told Medical Economics. “The onsite audits will be broader and may cover all aspects of an organization’s privacy and security practices.”
Blenkinsop says that an organization selected for an onsite audit will first receive a letter explaining how the program works and who will be conducting the audit. Next, there will be a pre-audit questionnaire and the covered entity will have 10 business days to complete and return it. Then, HHS will schedule the audit, which could last anywhere from three to 10 days.
Although the audit protocol for Phase 2 of the HIPAA Audit Program has not yet been published, the protocol from Phase 1 is available, and Blenkinsop advises practices to use that to help prepare for Phase 2. There were two areas where HHS found significant deficiencies during Phase 1, and Blenkinsop thinks there is a good chance Phase 2 audits will focus on those areas.
“One of the primary deficiencies they found in Phase 1 was that many covered entities had not done a thorough risk assessment of their vulnerabilities,” says Blenkinsop. “A second area where there were a lot of deficiencies was that of addressable safeguards. The security rules include a list of addressable safeguards that covered entities and business associates either must address or document why they were not addressed.” During the Phase 1 audits, many organizations failed to document why they didn’t implement some of the safeguards, he says.
Preparing for an onsite audit
A notification of an audit is nerve-wracking, regardless of how compliant your organization is. Having people come to your place of business and look at all of your records is stressful. Blenkinsop makes several points that may help soothe jangled nerves. First, he suggests having some kind of brief training for the people who will be interacting with the auditors. “Go over where the policies and procedures are stored, how they should respond to questions, and what they should expect in general,” he says.
Another important thing to keep in mind is that auditees do have the opportunity to view and comment on the draft audit report, says Blenkinsop. It is comforting to know that you will have the opportunity to correct any inaccuracies. Additionally, Blenkinsop says, “Although there is an enforcement element to these audits, the primary purpose [of the HIPAA Audit Program] is to help HHS understand where there needs to be more guidance and training.” If there is a serious compliance issue, then HHS may conduct a compliance review, which is a more focused review with the potential of taking some kind of enforcement action. Covered entities and business associates that have taken serious steps to try to comply are unlikely to be in a situation where they are being penalized by HHS as a result of an onsite audit.
Finally, although the results of an individual audit are subject to requests from the public through the Freedom of Information Act, HHS has said that in the absence of such a request, the results of individual audits will only be published in the aggregate, or with the name of the organization audited removed.
10 Ways to Build Resilience
Resilience is defined as “the capacity to recover quickly from difficulties.” And if ever there was a profession facing “difficulties” it is physicians. The “recover quickly” part is no slim accomplishment either.
Wayne Sotile, PhD, “one of the world’s most seasoned clinicians specializing in life coaching for physicians,” says that today’s healthcare system faces unrelenting change, and the mismanagement of that change, along with the fatigue it brings, is causing an epidemic of costly burnout for health professionals. Sounds pretty bad.
But the medical profession must do much more than just endure. It must flourish. Doctors have a great trust. When it comes to dealing with the stress of today’s medical profession—adapting, coping, adjusting, and managing—some doctors are better at it than others.
My physician-dad was a fine model for resilience. He knew how to compartmentalize things. Maintaining control, being positive, and seeking support were skill sets I observed in him. In fact, it wasn’t until he retired from medicine that I felt he lost his coping skills.
According to an American Psychological Association report, The Road to Resilience, “being resilient does not mean that a person doesn’t experience difficulty or distress. Emotional pain and sadness are common in people who have suffered major adversity in their lives (e.g., doctors). In fact, the road to resilience is likely to involve considerable emotional distress. Resilience is not a trait that people either have or do not have. It involves behaviors, thoughts and actions that can be learned and developed in anyone.”
The APA offers these 10 ways to build resilience:
1. Make connections. “Accepting help and support from those who care about you and will listen to you strengthens resilience.”
2. Avoid seeing crises as insurmountable problems. “Try looking beyond the present to how future circumstances may be a little better.”
3. Accept that change is a part of living. “Accepting circumstances that cannot be changed can help you focus on circumstances that you can alter.”
4. Move toward your goals. “Do something regularly—even if it seems like a small accomplishment—that enables you to move toward your goals.”
5. Take decisive actions. “Rather than detaching completely from problems and stresses and wishing they would just go away, act on adverse situations as much as you can.”
6. Look for opportunities for self-discovery. “People often learn something about themselves and may find that they have grown in some respect as a result of their struggle with loss.”
7. Nurture a positive view of yourself. “Developing confidence in your ability to solve problems and trusting your instincts helps build resilience.”
8. Keep things in perspective. “Even when facing very painful events, try to consider the stressful situation in a broader context and keep a long-term perspective.”
9. Maintain a hopeful outlook. “Try visualizing what you want, rather than worrying about what you fear.”
10. Take care of yourself. “Pay attention to your own needs and feelings. Engage in activities that you enjoy and find relaxing.”
Medscape’s 2016 Physician Compensation Report
One of the most anticipated surveys among the physician community has been released by Medscape. Most specialties saw an increase in compensation between 4% and 12%. Two experienced a significant decrease. Where do you stand?
Over the past 6 years, the Medscape Physician Compensation Report 2016 has evolved with the changing healthcare landscape as questions focus beyond just compensation. “We have spent more time asking questions about the impact of healthcare reform, such as participation in health insurance exchanges, participation in ACOs, and influx of patients due to the affordable care act,” says Leslie Kane, senior director, Medscape Business of Medicine, in an interview with Physician’s Weekly. “We have also focused more on paying attention to how doctors are reacting to changing and falling reimbursement by questioning their attitudes toward insurers.”
Among many facets of practicing medicine, the report, of course, compares compensation. Internal Medicine and Rheumatology saw the highest increases in salary compared to 2015, both at 12%. Following closely were Dermatology and Nephrology at 11% and Ob/Gyn at 10%. Allergy and Pulmonary Medicine were the only specialties to experience compensation decreases—and significant ones—at 11% and 5%, respectively.
Source: Adapted from: Medscape Physician Compensation Report 2016
Michael Smith, MD, medical director and chief medical editor, WebMD, told us that “despite all the negativity we hear about being a physician in today’s medical practice—paperwork, insurance companies, technology challenges, burnout etc—being a doctor is still a satisfying and financially rewarding career overall.” Dr. Smith cites the income increases for both specialists and primary care physicians, particularly Internists who saw a 12% rise in income, and how it is outpacing income increases seen by other American workers.
Like in every career and industry, there are those who are unhappy. But Kane feels the overall message from the survey is a positive one. “We see that 64% would choose medicine again. We also see that their relationships with patients and their ability to find diagnoses and solve problems are still a highly rewarding part of the job,” she says.
Despite being on the lower end of earnings, 73% of family physicians and 71% of internists were at the top of the list of physicians most likely to choose medicine again. Those least likely to choose medicine again are plastic surgeons (47%), radiologists, and orthopedics (both 49%). All three of these specialties were in the top 10 in earnings.
Dr. Smith echoes Kane’s sentiment, encouraged by the findings of the survey. He notes that while paperwork and dealing with insurance companies have taken a toll on physicians, “In the end, the reasons many of us wanted to be a doctor still stand true today. Doctors value their relationships with patients and enjoy diagnosing medical problems and finding answers to those challenges.”
Source: Physician’s Weekly | April 6, 2016
Planning for the Unexpected
This very important tool, Offsite Remote Backup service, oftentimes gets overlooked. I’ve witnessed a lot, especially when it comes to a medical office’s computer, server or network crashing. This scenario is never a good one, and all who are involved begin hoping for a technical miracle—meaning patient data is quickly restored and accessible like it used to be within minutes of the occurrence. When I visit with MediPro clients I typically try to ask them if they are backing up their practice management and/or electronic health records software. Some medical staff are unsure, others say a resounding “Yes,” and then the question is posed: are you taking your external backup mechanism offsite with you at the end of the day? Think about it—’tis the season for natural disasters: tornados, hurricanes, landslides, floods and fire. Just one of these episodes alone can completely wipe out a physical building structure or damage your computer infrastructure within seconds. The worst part is that these disasters are usually unpredictable in the scope of damage and devastation.
Ideally, a medical office should have at least two forms of daily backup service, one of the best being offsite data backup and storage. It’s not surprising that some MediPro clients have taken advantage of our offsite data backup program called iGuard. It just makes sense to have your medical software vendor partaking in this process since we know what files are most important to retain in case data restoration is needed. The best part is iGuard starts out at a very affordable $12.95 a month and varies in price based upon the size of data you want us to capture every day.
So far this year, there have been two practices not using our iGuard service that lost all of their data, and it couldn’t be recovered. How did this happen? It was a combination of computer hardware failure and the oversight of an IT Professional. If your practice would be paralyzed should this happen to you, it is a good idea to give MediPro a call now at 1.800.759.1321 to see how we can help. The enrollment process is simple and setup is easy with a phone call and an Internet connection.
In closing, happy belated World Backup Day, Happy Spring, and kudos to you for taking a proactive approach in protecting your priceless patient data with MediPro’s iGuard service!
Dana Deardorff is the Office Administrator at MediPro, Inc. She is working toward her 12th year in the medical software industry and understands the many challenges independent physicians face in today’s healthcare marketplace.
MediPro Insider – March 2016