Preparing for a HIPAA Audit or Complaint Investigation

Have you reviewed your privacy and security policies and procedures in the last year or two? If not, you should do so in order to ensure they are current. Why? First of all, a disgruntled patient may choose to file a complaint about you with the Office of Civil Rights (OCR), which is required to investigate all complaints within its jurisdiction. Second, OCR recently announced it is piloting an audit program that will begin this month and conclude by December 2012. At the end of the pilot program, OCR is expected to continue conducting periodic audits of covered entities as required by law.

In a complaint investigation, OCR will first determine whether a dental practice is a covered entity under HIPAA and whether the alleged incident occurred during a time when the law was in effect. It may ask the dental practice to respond in detail to questions that will help OCR make a determination. If OCR determines the dental practice is a covered entity and the incident occurred at a time the law was in effect, it will ask the practice to provide specific documentation. The documentation can include the following:
  • A written discussion on the results of an internal investigation of the complaint
  • If an employee was disciplined for failing to follow the practice's policies and procedures, a copy of the practice's disciplinary policy, and documentation that the employee was disciplined
  • If the practice takes corrective action, a copy of the policies and procedures developed or changed and documentation that employees were trained on the new or updated policies and procedures

OCR provides a summary of its enforcement process here.

To assist it in implementing an audit program, OCR has retained the professional public accounting firm KPMG LLP. The firm will conduct performance audits using generally accepted government auditing standards. With the results of the audits in hand, OCR expects to share identified best practices and to develop guidance for areas that present covered entities with compliance challenges. More information regarding OCR's pilot audit program is available on the OCR web site.