Recently, the Center for Medicaid Services ("CMS," an arm of the Department of Health and Human Services) sent out a bulletin that threatens random HIPAA audits of covered entities. The audits will target healthcare providers, insurers, and employers that use self-administered health insurance plans. These audits could be conducted by the U.S. Office of the Inspector General (OIG) or by private auditors contracted by CMS to carry them out. The authority for these audits is found at 45 C.F.R. 160.300-160.316.
What you need to do to be ready
As a part of this warning, CMS provided a checklist of the type of information that an auditor will demand from the covered entity. I recommend that you review your HIPAA policies and, if feasible, make sure that the procedures and protocols suggested by the audit checklist are implemented. The checklist is located in the link below.
The checklist gives us a clue as to what an auditor may ask for. Depending on the nature of the covered entity, HIPAA regulations may not require the actual implementation of every item on the list. To be safe, however, it is my recommendation that each listed item be addressed to determine whether the security measure is feasible and, if so, that it be implemented. You need to document your analysis and know which measures are mandatory and which are addressable under the regulations.
1. Conduct an analysis of which "addressable" items listed in the checklist have not been included in your policy, and then, working with your IT department, generate the necessary documentation to support a conclusion that each item is either feasible or infeasible.
2. You need to have a companion records management and retention policy, and incorporate it (or at least cross-reference it) within the HIPAA policy.
3. Review Business Associate Agreements and Third Party Administrator Agreements to ensure the items referenced in the checklist are addressed.
What is a covered entity?
Use the CMS chart in the link below to see if your company qualifies as a covered entity.
Additional resources provided by the author
Conduct an Internet search for additional web articles and information on the issues discussed above.