When it comes to audits of any kind, no one wants to get “the letter.”
Statistically speaking, there is approximately a 1 in 20 chance right now that you, as a chiropractor, will get audited THIS YEAR.
In fact, in any given year.
That’s just based on a random sampling and that’s just the start.
If your practice does a significant volume, is heavy on one particular service or your approach is different, the chances that you will be audited go way up.
And while this may (hopefully) cause you to take precautions to make sure you are billing, coding and documenting everything correctly, there is another audit letter that can be just as threatening and just as damaging to your practice.
Why You Should Pay Attention to Chiropractic Audit Trends
As you may have heard, the Office of Civil Rights is now responsible for HIPAA compliance and is administering audits to discover if covered entities (basically 99.99% of all healthcare practitioners, including chiropractors) are in fact compliant. If not, as you may have suspected, the OCR then doles out the fines (for civil penalties) and pursues prosecution (for criminal violations).
While HIPAA compliance may not have been much of a concern in the past, there is a tangible trend towards auditing that you probably have noticed from payers such as Medicare, BCBS and other third-party insurances. You might have also noticed that in the midst of these trends are a lot of dollars at stake. Translation: auditing is big bucks.
Medicare alone recovers over $1 billion through audits and currently has a backlog of over 600,000 audit-related appeals — enough to keep them busy for years to come. And, unfortunately, chiropractors have not been faring so well as of late, according to Medicare audits. Sadly, we are #1…again…in having the WORST claims error rate among all health professions. Worse, this news is widely publicized and other payers can smell the blood too.
But the real threat from audits isn’t actually from any SINGLE payer. At this point, they ALL are in the game and want money. And the OCR is no exception. So HIPAA audits prove to be an easy way for them to raise some quick cash.
And among the easiest targets for that cash — you guessed it — are chiropractors.
The Audit Letter You HOPE You Don’t Get
For most DCs, we imagine HIPAA compliance to be a form or two we hand out to our patients (not frequently enough) and a word or two we mention to our employees about privacy (not nearly enough). Beyond that, HIPAA compliance is a murky set of policies, procedures or paperwork we don’t quite understand (if we are honest).
And to that degree, a letter from the Office of Civil Rights (administering HIPAA compliance) would be most unwelcome.
In fact, it would reveal a TON of items we probably don’t know we are responsible for and a few more that we did, but haven’t truly taken care of.
The letter would also contain a notification that the OCR was going to stop by for a visit to see how close or how far away from compliance you really are. (And then of course, tally up your fines afterward).
Examples From An Actual OCR Letter
Data breaches are the single most common HIPAA healthcare violation. To be specific, the “lost or stolen laptop” probably ranks as #1. The reality of any data breach is that it’s always 100% unplanned. But the aftermath and damage caused by the data breach (or any HIPAA violation) is always in direct proportion to the amount of planning you did BEFORE it happened.
Have all your HIPAA compliance procedures and policies lined up accurately? You get to minimize the damage. Everything out of order, missing or never present? Gulp.
Here are a few of the items OCR asked the covered entity (that’s YOU) to supply within 20 days of the receipt of their HIPAA compliance audit letter following an alleged violation:
- List in detail the protected health information (PHI) that was made available to unauthorized individuals.
- Give copies of any notes, documents and reports relating to any internal investigation, including any forensic analysis, conducted by the covered entity, or its designated contractor or agent, of the alleged incident.
- Detail any corrective measures taken as a result of this alleged incident.
- Indicate whether you conducted a breach risk assessment for the alleged incident. If so, please provide a copy of the breach risk assessment.
- If you determined that a breach of patients’ PHI occurred as a result of this incident, please indicate, as applicable, whether you notified the affected individuals, the media, and the HHS Secretary. If you notified the affected individuals, the media, and the HHS Secretary, please provide OCR with documentation of said notifications.
- Furnish a copy of the covered entity’s policies and procedures with respect to uses and disclosures of PHI and safeguarding PHI developed pursuant to HIPAA.
- Provide a copy of the covered entity’s business associate agreement with the vendor that was in effect at the time of this incident.
- Include a copy of any risk analysis performed pursuant to 45 C.F.R. 164.308(a)(1)(ii) prior to the date of the incident and any risk management plans developed as a result of the risk analysis.
[Details of this letter are attributed to and first appeared here]
And the letter will ask for dozens of additional items, so need we go on?
Oh yes, let me not forget. The OCR will ask that you provide the information requested within 20 days of the receipt of the letter.
The Take Home Message For Chiropractors
The details of this letter probably reveal a lot about how dedicated (or not) you are to being compliant. Unfortunately, I know of few DCs who could satisfy these demands in their entirety and promptly within the timeframe requested.
If you are one of them, congratulations.
Everyone else should seriously consider how their lack of comprehensive compliance procedures can cause a great risk to their practice and to their bottom line. (Considering the average “Level 2” violation fines start at $1000 per violation, the chunk of change for non-compliance can be substantial.)
Assess Your Compliance Risk Now
There are two types of folks who will read this.
- The first will view the information, give it some thought, and proceed to do nothing. I can’t force you to be compliant but I can cautiously tell you why you should be concerned.
- The second will read this, become concerned and seek to take action. Congrats — You have figured out that worrying about compliance does nothing but taking action puts you on the right path!
If you are in Group 2, let me recommend the first step, which is to take a RISK ASSESSMENT.
Once you understand the level of risk at which you are currently operating and the specific items you need to improve, you are on your way towards compliance and, I trust, will take the necessary steps toward getting there.
To help you in that regard, we’ve developed a FREE RISK ASSESSMENT that you can take which will give you a basic outline of your risk levels and also give you specific items you need to improve compliance.