The audits are coming, the audits are coming!

Paul Revere! credit: Daderot commons

The HIPAA blogs have been all a-twitter lately about the fact that OCR is reinstating their random audit program. Yes, this is kind of a big deal, but before I talk about what it means to therapists, let’s make sure we are all on the same page.

The Office of Civil Rights (OCR) is the federal department in charge of HIPAA & HIPAA enforcement. (I lovingly refer to them as the “HIPAA Police.”) There are 3 ways the “HIPAA Police” can find their way to your proverbial doorstep.  

  1. Self-report of HIPAA breaches. If you have a breach, you are required by law to report it to OCR. 
  2. Complaints. Whether you have actually violated HIPAA or not, clients can call the OCR hotline and file a complaint about their privacy rights, potentially triggering an investigation. 
  3. Random Audits. The unlucky lottery–yes, this is a thing.  

In 2012 there was a pilot audit program. The audits were then on hold until recently, but the program is now back. Technically speaking, even solo private practitioners are subject to being selected for these audits. The OCR’s website, under the heading “Who Will Be Audited?” says:

Every covered entity and business associate is eligible for an audit. These include covered individual and organizational providers of health services.

But… do I believe that the solo private practice therapists reading this article need to worry? Thankfully, no. First off, from a numbers perspective, OCR is conducting audits of 150 covered entities and 50 business associates–so 200 audits out of a pool of millions of providers. Secondly, from a common-sense perspective, I believe (hope!) that OCR will prioritize audits of large providers, where the scrutiny of medical privacy and security could potentially benefit thousands if not millions of people, as opposed to small providers like a solo therapist who might only see a few hundred clients over decades.

But does this still matter to the solo private practice therapist? I say yes. It’s another sign from the powers that be that HIPAA compliance is important. It’s the law, and I argue that protecting the privacy and security of our clients’ information is the ethical thing to do as well.

So, hey, if the voice of a modern-day Paul Revere whispering in your ear (the audits are coming, the audits are coming!) is what it takes to get you to do a little more of your own HIPAA compliance work, then let me hang the lantern for you.  :^)

One of the actual lanterns!  See it here.