
Get Ready for Increased OIG Scrutiny in 2016

By Susan Dooley

In 2016, what should HIPAA compliance officers expect to see in the way of privacy and security
enforcement? Here's what we know from 2015.

OIG Tells OCR to Start Auditing


First, the Health and Human Services (HHS) Office of the Inspector General (OIG) flat-out told the agency
charged with enforcing HIPAA, HHS's Office for Civil Rights (OCR), to get serious about enforcement. In a
September report, the OIG said that when covered entities (CEs) like health insurance companies,
pharmacies, and medical practices fail to safeguard patients' protected health information (PHI), these
breaches expose patients to serious risks. These risks include fraud, identity theft, invasion of privacy,
and other harm. The OIG's September report maintained that the OCR is falling short in protecting
patients from these risks.
And that's not the only reason that OCR is on the hook. OIG also blamed OCR for failing to implement
the required CE audit program mandated by the HITECH Act, which required OCR to get an audit
program started by 2010. OIG also said that when OCR does charge a CE with failing to meet privacy rule
standards, OCR typically fails to follow up with proof that these CEs have corrected the lapses.

The Coding Institute LLC, 2222 Sedwick Road, Durham, NC 27713, Enterprise Contact: Sam Nair, Direct: 704 303 8150,
shyamn@codinginstitute.com

OCR's Wall of Shame Logs 23 Breach Incidents in December


On the heels of the OIG's rebuke, OCR got busy in December, logging 23 reported breach incidents in
one month. The Wall of Shame, which is officially called the OCR Breach Portal, displays HIPAA breaches
that affect 500 or more individuals. Nineteen of the December breaches involved providers and four
affected health plans. Twelve of the breaches involved unauthorized access and disclosure, seven were
due to theft, three caused by hacking and IT incidents, and one was an incident of improper disclosure.
Interestingly, nine of the December breaches were low-tech, involving paper and/or film, plus one that
involved paper, film, and a desktop computer.
The largest breach in December 2015 belonged to St. Luke's Cornwall Hospital in Newburgh, New York,
which affected 29,156 people. This breach was caused by the theft of a portable electronic device. Most
other breaches in December affected far fewer people.
Overall, 2015, dubbed "The Year of the Healthcare Hack" by the Washington Post, was a record-breaking
year for healthcare breaches. In total, the health records of more than 102 million Americans were
improperly accessed or misused last year. Eight of the 10 largest healthcare provider hacks of all time
occurred in 2015, with the largest belonging to an insurer whose hacking-related breach affected 78.8
million people.

Get Ready for OCR Audits in 2016


After a year like 2015, you can expect OCR to stop licking its wounds and start getting busy trying to
ensure security of PHI. Providers should anticipate tougher and more frequent audits this year.
Here are some steps to take to prepare for OIG audits:
Gather information about your organization's existing security infrastructure, including its PHI-sharing
relationships with business associates (BAs), as well as with downstream providers.
Evaluate health IT vendors to make sure they're compliant with your existing BA agreements. You might
want to ask BAs to prove their compliance with results from a recent security risk assessment.
Identify members of your team who will be prepared to respond to an audit request.
Conduct a mock HIPAA audit to fully assess how secure your organization's systems really are.

Are You Ready For OIG?


Is your organization ready for a knock on the door from the OIG? Have you taken any special steps to
prepare for possible audits in the near future? Let us know.


Manage Your Health Information With Less Risk: Read Health Information Compliance Alert!
Staying compliant with protecting health information is more important than ever, which is why Health
Information Compliance Alert can be your most trusted HIPAA compliance partner. Offering you expert
analysis and hands-on tools to improve your organization's risk management efforts and HIPAA
compliance, The Coding Institute's Health Information Compliance Alert newsletter is the indispensable
resource for health information management at all levels of healthcare, from the single provider
practice to the multifacility healthcare institution. Request your free sample today!

Health Information Compliance Alert


Timely News and Analysis on HIPAA, E-Health, Privacy, Security & Technology
Healthcare organizations are under growing pressure to comply with the Health Insurance Portability
and Accountability Act (HIPAA) in 2016 as violations could lead to multi-million dollar penalties. Ignoring
the constantly-evolving HIPAA rules and regulations could be a big risk. Small entities including physician
practices struggle to have all the policies and procedures in place to effectively meet the requirements
and protect the privacy of patient health information, exposing them to a HIPAA compliance
catastrophe in 2016.

Why Is Compliance More Important Than Ever Before?


Whether you are a small physician practice, hospital or business associate (BA), you need to understand
why compliance is more important than ever before. With the recent spurt in breach reporting and the
new random audit program, HIPAA compliance is something that every HIPAA entity and BA needs to
take seriously.
HIPAA violations incur multi-million dollar penalties
If you don't take necessary steps to protect your patients' rights and health information, you could be
hit with significant fines and penalties. And with the increased HIPAA fines starting at $10,000 in cases of
wilful neglect, following the privacy requirements and being in compliance are more important than
ever.
So how can you close HIPAA compliance gaps and get your policies in order?
Take expert help. Just subscribe to Health Information Compliance Alert!
Surefire tips, helpful advice, and expert guidance all in one resource!
Our monthly newsletter, Health Information Compliance Alert, will assist you in keeping HIPAA audits
and penalties at bay. The newsletter provides regular updates on the HIPAA compliance audit program,
insight on what you need to produce if you are audited by the HHS Office for Civil Rights, the new rights
that you must add into your policies, notice of privacy practices, and much more.
Get the most reliable, accurate, and timely coding instruction from the experts for just pennies a day
with Health Information Compliance Alert.

Here's just a sample of the expert guidance and tips your peers are getting in every issue:

Weigh the pros & cons of communicating with patients via texting.
Could your practice be headed for a HIPAA compliance catastrophe?
Is a consent form a good idea for email communications? Get answers.
Kick off your cyber security action plan with this checklist.
Is a complete security risk analysis optional for small providers? Get help here.
Backup devices: Learn 3 critical lessons from the latest data breaches.
Debunk 10 myths about HIPAA security compliance.
Implementing new technology? Perform a risk analysis or pay the price. Here's why.
Ask 7 questions of your EHR developer.
Are you doing these 3 things when inventorying your BAs?
Avoiding data breaches: Find out who gets a report, and when and what must it say.
HIPAA in 2016: Prepare yourself for big trends.
Dispel 4 common PHI disclosure-related myths.

As a subscriber, you're connected to the industry's hottest resources at no extra cost:


SuperCoder's Specialty Alert Archive
E-Subscription and E-Subscription + Print subscribers can look up a keyword-searchable database of
Health Information Compliance Alert on SuperCoder.com. Look up and review more than 180 archived
issues of the newsletter. A $199.95 value.
And, as always, you are entitled to our 100% Money-Back Satisfaction Guarantee. Call 704 303 8150
today to start receiving all of the compliance answers your team will ever need.

Enterprise Contact:
Name: Sam Nair
Title: Associate Director Enterprise Practice
Email: shyamn@codinginstitute.com
Direct: 704 303 8150

Desk: 866 228 9252, Ext: 4813


The Coding Institute LLC, 2222 Sedwick Road, Durham, NC 27713
