Are You Facing A HIPAA Audit – This Law May Help!
A new law was passed in 2021 in regard to HHS and HIPAA audits following breaches, violations, or complaints. The new law empowers HHS to potentially reduce the penalties and end the audit early. Watch the video to learn more!
Links mentioned in the video
Risk Assessment
House Bill 7898 Text
Transcript:
There was new legislation that was signed into law in early 2021 that changes some of the power, if you will, or gives more power, in some regards, to HHS when performing HIPAA audits after breaches, or just violations, or complaints, or whatever the case might be. That is good news for a change in this regard, and so we wanted to kind of bring you up to date and give you some information that we think is critically important to at least understand and know how this all works. What the law does is it empowers HHS to be able to reduce fines and penalties and even end audits early if particular conditions are met. Now, this law really does center and focus a lot on cybersecurity, and the reason for this is because there’s a lot of people who are concerned: you know, I could go through all of these protocols, I could set up all of this stuff, and then at the end of the day we could still have a breach, and I still have all these fines and penalties.
What the law does is it actually empowers HHS to be able to look at the scenario and look at this as a good faith effort, if you will, and as long as that good faith effort meets a particular condition by the covered entity, then it potentially allows them to be able to reduce those fines and penalties, and even end the audit early in certain circumstances. So what does that mean? What does that mean for you? Well, first of all, it’s this: they kind of lay out exactly what it takes to be able to have this happen, to have the reduced fines and penalties, etc. One is, as a covered entity, you would have to adequately demonstrate, which means you would have to show, typically through your HIPAA manual or checklist, and demonstrate that you’ve updated it, kept up with protocols, and you’re actually following the protocols that you’ve established in your HIPAA manual. So you’re adequately able to demonstrate that you have recognized security practices, right? So all of those things that are outlined in your HIPAA manual that outline what you should be doing in regards to your security protocols in your practice, and you must be doing that for at least 12 months.
So in other words, if you get a call tomorrow, heaven forbid, you get a call tomorrow and they say, “Hey, we’re going to come in and do a HIPAA audit,” you can’t put together your security protocols tomorrow afternoon and then assert that you are using those to mitigate the potential fines and penalties. This is something you have to be active with. Now, none of this is new. You know, you still have all of these requirements under HIPAA; all of the security requirements still are in play that were in there before. What this does is it empowers HHS in these circumstances to basically help out someone who has a breach, or who has a violation, or through a complaint, or whatever the case might be, who is taking the appropriate steps, or at least attempting to take appropriate steps, and deal with that. Now again, what does it mean? One is you’ve got to be doing this for at least 12 months.
Now what we’re going to recommend, what we recommend is, at the very least you need to review that HIPAA manual no less than every six months, and really, that’s because things change; a lot of changes don’t just live on the 12-month timeframe. Plus, let’s be honest, things get busy; this time next year you may be on spring break, and so ultimately you may be sitting at a point where you’re not able to do it within that one-year timeframe, and then, you know, heaven forbid, you have a violation, a complaint, or a breach, and you’re not able to utilize this legislation, this law, to help you mitigate those fines and penalties.
So, one, get your HIPAA manual in place and make sure it’s up to date. In fact, linking to this video, we’re going to include a security risk analysis tool that’s actually put together by HHS. So it’s a great tool; actually, HHS partnered with the Office of the National Coordinator, the ONC, to put together a tool, and we’ll give you that link on there. You can jump out and you can actually do a full risk analysis and risk assessment in your practice to see how you are. Then document it and include all of that risk assessment inside of your HIPAA manual, and make sure that you’re addressing the concerns. So if something pops up in that security analysis, that risk analysis, and you go, “Well, I’m not gonna do anything about it,” well, that’s not actually, you know, recognizing the security practices that you have to do according to this law, but address them and make progress. Find ways to, you know, if it has something to do with remote access, make sure that you take care of and close those open loops in your remote access, just as an example, and that you have those protocols down pat. And then make sure you keep it in place. Make sure it’s in place now, and make sure you update it on a regular basis; every six months, at a minimum, is what we recommend. Hopefully this helps you out, but it’s good news, the new law last year helping us out if there are violations, if there are challenges. Don’t forget the link that’s attached to this video for that security risk assessment tool. Have a great week.