Can you believe that it has been almost a decade since the HIPAA laws were put into effect?

And, as with many pharmacy owners, has your HIPAA Policy and Procedure manual sat on your bookshelf and collected dust?

Well, things are changing, and NOW is the time to review your HIPAA Policy and Procedure Manual, make all the necessary updates and amendments and, most importantly, be sure you are following the Policies and Procedures laid out in the Manual.

Why?  One word — AUDITS.

As part of the American Recovery and Reinvestment Act of 2009 (ARRA), specifically the HITECH Act, the Office of Civil Rights (OCR) is required to perform periodic audits of a covered entity's HIPAA Compliance Program. To accomplish this, the OCR has contracted with KPMG LLP (KPMG) to conduct performance audits of covered entities, including pharmacies. As part of the initial pilot audit program, KPMG will be auditing a total of 150 covered entities this year between June and October.

According to KPMG, “the objective of the Performance Audits is to 1) analyze the key processes, controls or policies relative to selected requirements of the Rules as specified in an audit protocol established by the OCR, and 2) to provide our observation.” These audits will be performed both on-site and off-site.

Based on notices already sent out by KPMG, the on-site audits could take up to a week and will be scheduled with you or your staff. During the on-site audits, KPMG will:

  • Meet with key members of your organization responsible for your HIPAA Compliance.
  • Collect verbal and documented information related to your HIPAA Compliance.

Before an on-site audit, and to help the audit run smoothly, KPMG requests that you provide them with certain documentation related to your compliance no later than 15 days after their documentation request is received.

Please remember that KPMG is acting on behalf of the U.S. Department of Health and Human Services (HHS) and as such will not enter into any non-disclosure agreements with a covered entity.

Stay tuned as I cover the basics of HIPAA Compliance in the weeks to come.