Stephen Morreale, a former investigator for the U.S. Department of Health & Human Services, believes that the worst thing a healthcare organization being investigated for fraud or a breach can do is make the investigator wait.
"If you're going to have me wait in a waiting room with other customers and not treat me with respect, given the position and the work that I'm called there to do, then that's going to go against you," he says in an interview with HealthcareInfoSecurity. "You have to have the people who receive these agents be ready to put them in a conference room and get the appropriate company official there."
Some of the most common types of investigations HHS conducts include: durable medical equipment suppliers overcharging home health agencies, spikes in billing data, complaints from competitors and tips from former employees, according to Morreale. The threat of data being shared over the Internet is a relatively new threat, he says, and as such, it often is one that's not properly addressed.
"The problem that people will have--and I really want to make this clear--is that as many entities go to electronic medical records, they have to realize that they may still have records that are held that are on paper," Morreale said. "If you don't give the government everything, then you've got a problem. I think the supposition is when that happens, you're hiding something."
To make sure your organization is prepared at all times for any HIPAA audit or investigation, risk assessment documentation and other compliance evidence must be kept in a central location, Mark Dill, director of information security at Cleveland Clinic, told HealthcareInfoSecurity earlier this year.
Starting Oct. 1, 2014, a permanent HIPAA security audit program will begin, according to OCR officials.
To learn more:
- read the full interview
5 recommendations for preparing for a HIPAA audit
Health privacy regs, metadata fuel heated debate
OCR: HIPAA mega rule in its 'last clearance lap'
Hospital use of data breach insurance increases as incidents multiply
Most not ready for HIPAA audits; data breaches abound