We have discussed the facts about the changes to the HIPAA laws and tackled some of the specific changes and issues that you, as pharmacy owners, need to review within your current HIPAA Compliance Program. But you may still be asking yourself, “In all the years I’ve been in business, no one has ever come to review my HIPAA policies or look at my Disaster Recovery Plan, so why should I worry about the Omnibus HIPAA Final Rule?”
In the past, HHS sent auditors in response to complaints and/or breaches; now, you may be audited without cause. Congress has allocated money for the HHS Office of Civil Rights (OCR) to conduct audits, and any fines that result will go to fund more audits. The potential fines, civil and criminal, have increased to a maximum of $1.5 million for each type of violation and up to 10 years of imprisonment.
Between 2011 and 2012, the OCR conducted a Pilot Audit Program to gauge if covered entities truly are HIPAA compliant. The OCR hasn’t released the results of the pilot audits, but they have stated that only two of the 61 healthcare providers audited were fully compliant. From bits of information the OCR has released, it seems providers tend to be non-compliant in the following areas:
1) Disaster Recovery Plan
2) Risk Analysis
3) Minimum necessary rules
4) Notice of Privacy
5) Policies and procedures manual
6) Adequate employee training on the pharmacy’s HIPAA policies and procedures
The HIPAA Audit Program began around October 1, 2013, so don’t put your HIPAA updates on the back burner. There are programs out there that can make this easy for you. HIPAATrack, presented by NCPA, powered by PRS, is the quickest, most cost-effective way to be compliant with the HIPAA Omnibus Final Rule.
So, don’t panic, but don’t be complacent, either. Get your HIPAA house in order; then relax.