News / Articles

HIPAA Random Audits – Are You Prepared?

posted by SamK on October 5, 2012

Samuel Kiehl, MD, Executive VP, Accel Anesthesia, LLC

October 5, 2012

Although HIPAA was initially passed in 1996, the Department of Health and Human Services (HHS) is just now starting to seriously enforce HIPAA regulations with stiff fines and performing random audits, as required under the HITECH Act.  Most alarming are the penalties for a data breech of confidential information which could put a practice out of business for even a minor data breech.


For example just last month, a (non-anesthesia) practice in Massachusetts was fined $1.5 million for HIPAA violations.  The investigation by HHS followed a breach report submitted by the practice (as required by HIPAA – “breach notification”) reporting the theft of an unencrypted personal laptop containing electronic protected health information (PHI).  The information contained on the laptop included patient prescriptions and clinical information.  The investigation indicated that the practice failed to take necessary steps to protect the information, such as conducting a thorough analysis of the confidentiality risk to PHI maintained on portable devices, implementing security measures sufficient to ensure the confidentiality of such PHI, and implementing policies and procedures to restrict access to such PHI.  The investigation indicated that these failures continued over an extended period of time.  Similarly Tennessee Blue Cross Blue Shield was fined $1.5 million for a breach violation earlier this year when server hard drives containg PHI for one million individuals were stolen.  HHS is looking hard at not only these large entities, but small practices as well – in March of this year, HHS reached a $100,000 settlement with a five-physician cardiac surgery group, for failure to train employees and other HIPAA violations, including no Policies and Procedures, no Risk Analysis, and no Business Associate Agreements.


We recommend that covered entities look closely at their policies and procedures as they pertain to HIPAA, making sure that documentation is comprehensive and current, including business associate aggrements.  In particular, it is vital to show that you have performed an IT security audit, and that your policies and procedures include a security risk management process.  Additionally, facilities need to ensure their staff is trained on HIPAA law and proper procedures.  If your employees know their responsibilities as pertaining to privacy and other HIPAA matters, you will be that much safer.  Accel Anesthesia can assist you in your efforts to  meet HIPAA requirements, educate employees, as well as many other services.