Most healthcare organizations charged with HIPAA compliance are not fully prepared for a privacy and security audit by federal regulators, a November survey conducted by HCPro, Inc. reveals.
For hospital leaders, already challenged on the technology front to implement ICD-10, electronic medical records systems, and pursue meaningful use certification, that's not great news. The government has already begun conducting audits.
Earlier this year, the Office for Civil Rights, the enforcers of HIPAA privacy and security, engaged a contractor to audit covered entities and business associates at random. The objective was to assess how many would be HIPAA-compliant by December 31, 2012.
HCPro's survey results show that only 17% of responding organizations said they are fully prepared for an OCR privacy and security compliance audit.
"It is very hard to get your staff to understand how important this is," one compliance officer said. "Each breach we have is due to carelessness and not intentional, for example, not checking a patient name when you mail something out."
Of the more than 400 respondents, which included HIM directors and compliance officers, 281 (or 70%) said they are "somewhat prepared" for a HIPAA compliance audit conducted by the government.
As part the HITECH Act, OCR hired KPMG, LLP, to conduct the audits starting this fall and lasting through December of next year. The audits—targeted for covered entities and business associates—are expected to produce corrective action plans for facilities regarding HIPAA compliance.
"There needs to be an outside agency coming into the hospital and interviewing the employees on a regular basis," one respondent said in the survey. "Most organizations say they don't have the time to implement HIPAA regulations on a regular basis."
At least one survey respondent indicated a lack of commitment from "senior management." Said another respondent, "The C-suite understands patient care, but doesn't understand that system security needs more money to enforce HIPAA."