Call:  (407) 331-6620 or (850) 439-1001
Toll-free:  (888) 331-6620 

Contact Us Online
PAY ONLINE
Subscribe To Our Monthly Newsletter

Seven Things To Know When You Receive A Notice Of Investigation From The Department Of Health

Download Free Copy

HIPAA Audit Defense and Risk Assessments

The Health Law Firm represents physicians, medical practices, hospitals, and other health providers in audits, including Medicare audits, Medicaid audits, and HIPAA audits. The Health Law Firm also assists health providers in establishing compliance with HIPAA regulations. If you have received notification of an impending audit contact The Health Law Firm immediately.

As required by the HITECH Act, the OCR began auditing selected covered entities’ compliance with the privacy and security provisions of HIPAA and its implementing regulations in November 2011. The OCR selected 150 covered entities to be audited in the pilot phase by KPMG LLP (KPMG). KPMG is the audit contractor chosen by the OCR to perform HIPAA audits. The first 20 audits concluded in March 2012. More audits will continue to occur this year.

HIPAA Patient Privacy Complaints.

If you are a patient with a HIPAA privacy complaint, please note: WE DO NOT REPRESENT PATIENTS ON HIPAA COMPLAINTS.

If you are a patient in FLorida who has sustained some actual damages because of a HIPAA privacy violation, please contact our colleague, Attorney Alistair McKenzie, and his firm may be able to assist you.

Whether inside the state of Florida or in any other state, you may file a HIPAA privacy complaint against a physician, hospital, medical group, or other covered entity, online here. The United States Office of Civil Rights (OCR) receives these, investigates them, and will advise you of the results.

HIPAA Audit Process.

The HIPAA audit process was drafted by the OCR and KPMG in November 2011. Entities selected for an audit receive a notification letter from OCR and are asked to provide documentation to the auditor. Every audit includes a site visit. After the site visit and initial investigation, KPMG recommends suggested modifications for the entity to meet compliance standards in a draft audit report. The entity will have an opportunity to respond to the draft audit report, citing any findings made by KPMG that may be incorrect. KPMG then summarizes final results in a final audit report. The final audit report details how the audit was conducted; what the findings were and; what actions the covered entity is taking in response to those findings.

HIPAA Risk Assessment.

The first step you should take if notified of a HIPAA breach or the possible compromise of patient health information is to conduct a risk assessment. The Health Law Firm can conduct a risk assessment for you using guidelines from the Office of Civil Rights. Often such a risk assessment will disclose that there is no further need for an audit, investigation or breach notification.

HIPAA Audit Results.

The biggest privacy issues from the first round of audits involved:

  • Review process for denials of patient access to records;
  • Failure to provide appropriate patient access to records;
  • Lack of policies and procedures;
  • Uses and disclosures of decedent information;
  • Disclosures to personal representatives; and
  • Business associate contracts.

The biggest security issues from the initial HIPAA audits include:

  • User activity monitoring;
  • Contingency planning;
  • Media reuse and destruction;
  • Risk assessment; and
  • Granting and modifying user access.

Tips to Prepare for a HIPAA Audit.

Before the Audit:

  • All policies and procedures required by the HIPAA Privacy, Breach Notice, and Security Rules should be finalized and regulator-ready.
  • Assign individuals in your organization that can speak to each aspect of HIPAA implementation. Be sure they are aware of questions that may be asked by the OCR concerning compliance.
  • HIPAA’s Security Rule requires that covered entities periodically conduct a risk analysis.  The OCR recently released guidance on conducting such an analysis. This risk analysis guidance can be found here. The results of your risk analysis will likely be among the documents requested for review during an audit.  If you have not conducted a risk analysis in the last year, do so now. Evaluate the results and determine how to handle identified risks. Be sure to carefully document each step of the risk analysis process.
  • Train employees on compliance. Maintain documentation that every relevant employee has been trained.
  • Identify all of your vendors that handle protected health information. Negotiate business associate agreements with all such vendors.

During the Audit:

  • Respond to every notice provided by the OCR in a timely manner. All relevant personnel should receive copies of the OCR’s written notice of its intent to audit.
  • Appropriately respond to the draft audit report with any findings that you believe were unfair or inaccurate before the report is finalized. According to the OCR you should have ten days to respond.

After the Audit:

  • When audit is over, enforce compliance measures suggested by the OCR. To avoid further action taken by the OCR.

Contact Health Law Attorneys Experienced in Audits of Health Providers.

 
To contact The Health Law Firm, please call (407) 331-6620 or (850) 439-1001 and visit our website at www.TheHealthLawFirm.com.

Main Office • 1101 Douglas Avenue, Suite 1000, Altamonte Springs, FL, 32714
By Appointment • 37 N. Orange Ave., Suite 500, Orlando, FL 32801
By Appointment • 201 E. Government St., Pensacola, FL 32502 Telephone: (407) 331-6620(850) 439-1001 Telefax: (407) 331-3030

Medicare/Medicaid Audits, Health Care Law, Contracts, Hospital Privileges Hearings, Investigations, DEA Defense, Board of Medicine Defense, Fraud Defense, Administrative Hearings, PRN, IPN, Professional Licensing, Medicare/Medicaid Fraud Defense, Nursing Law, Compliance Plans, Hospital Law, Board of Dentistry, Board of Nursing, Board of Pharmacy, Board of Psychology, White Collar Crime, Pain Management and Pain Medicine Physician Defense, Pain Management Clinic Defense, Zone Program Integrity Contractor (ZPIC) Audit Defense, Recovery Audit Contractor (RAC) Audit Defense, Medicaid Fraud Control Unit (MFCU) Defense, Search Warrant and Subpoena Defense, Board of Psychology Defense, NBME Representation, U.S.M.L.E. Challenges, ABIM Representation, Medical Exam Cheating Defense…and more

Available in the following Florida cities and counties: Daytona Beach, Fort Lauderdale, Gainesville, Jacksonville, Key West, Melbourne, Miami, Ocala, Orlando, Pensacola, Panama City, Sarasota, St. Petersburg, Tallahassee, Tampa, West Palm Beach, Alachua, Baker, Bay, Bradford, Brevard, Broward, Calhoun, Charlotte, Citrus, Clay, Collier, Columbia, Dade, De Soto, Dixie, Duval, Escambia, Flagler, Franklin, Gadsden, Gilchrist, Glades, Gulf, Hamilton, Hardee, Hendry, Hernando, Highlands, Hillsborough, Holmes, Indian River, Jackson, Jefferson, Lafayette, Lake, Lee, Leon, Levy, Liberty, Madison, Manatee, Marion, Martin, Monroe, Nassau, Okaloosa, Okeechobee, Orange, Osceloa, Palm Beach, Pasco, Pinellas, Polk, Putnam, St. Johns, St. Lucie, Santa Rosa, Sarasota, Seminole, Sumter, Suwannee, Taylor, Union, Volusia, Wakulla, Walton, and Washington

By making this website information available for those who access it does not constitute doing business in or having a presence in any state or jurisdiction, nor does it constitute an advertisement sent to or a solicitation made in any state or jurisdiction. This firm is located in and maintains a presence in only those states where the firm maintains an actual physical office. Its attorneys are only admitted to practice in those states specifically listed on their resumes.

Available in the following states*: Alabama, Alaska, Arizona, Arkansas, Connecticut, Delaware, Florida, Georgia, Hawaii, Idaho, Illinois, Indiana, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Vermont, Washington, West Virginia, Wisconsin, and Wyoming

Disclaimer | Terms of Representation

The Health Law Firm logo shown above is a registered Service Mark of George F. Indest III, P.A. – The Health Law Firm, since 2007.

“The Health Law Firm” is a registered fictitious business name of and a registered service mark of The Health Law Firm, P.A., a Florida professional service corporation, since 1999. Copyright © 2024 The Health Law Firm. All rights reserved.