As Phase 2 of the HIPAA audit program begins, covered entities (CE) and business associates (BA) will be watching their email for an audit letter from OCR. Of those chosen for audit, most will be selected for a desk audit. They'll have 10 days after receipt of the email to gather requested documents for OCR's auditors.
But how will CEs and BAs know they are collecting the right information? A careful reading of the updated Phase 2 audit protocol (www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html) will help guide CEs and BAs. But if the protocol isn't read carefully, and in full, important documents could easily be left out, leading to inaccurate audit reports and even a visit from OCR's investigators.
The Phase 2 audit protocol expands the Phase 1 compliance areas to reflect changes made by the 2013 HIPAA omnibus final rule. The updated audit protocol also includes information for BAs, which were not audited during Phase 1 but will be in the current round of audits. The protocol contains a description of the audit areas, general instructions and definitions, and a keyword-searchable table.
Phase 2 audits will be conducted in three rounds. The first two rounds will consist of desk audits of specific audit targets, while the third round will be comprehensive audits. Round one audits will target CEs and round two audits will target BAs.
Q: Is it permissible to take pictures of patients for identification purposes as a part of the registration process? Do the patients need to sign a consent form before their picture can be taken?
A: It is permissible to take pictures of patients for identification purposes if the patient agrees to it. Since the Privacy Rule considers full-face photographs to be a patient identifier, it is a good practice to get the patient's written consent to take a photograph and file it with the patient's electronic record. The patient should be allowed to opt out of the photograph if he or she chooses.
Editor's note
Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.
When compared to data from past surveys, HCPro's 2016 HIM director and manager salary survey revealed a harsh truth that many HIM professionals already know: There has been little movement in HIM manager and director salaries over the years.
Congressional legislation is often written in a way that obfuscates or, at the very least, makes it difficult to discern the impact or intent of a bill.
Anatomical modifiers qualify a HCPCS/CPT® code by defining where on the body the service was provided. These modifiers are especially helpful to indicate services that would normally be considered bundled but were actually performed on different body sites.
Q: We operate a partial hospitalization program (PHP) and just heard from our billing office that there are new requirements for submitting claims. They want us to close out accounts weekly in order for them to bill them. We have done 30-day accounts prior to this and don’t see why they want to change things. Is there a certain timeframe required for billing these services? This is a huge inconvenience to make this work for the business office.
