HIPAA Audits Are Here – Dr. Pruitt Opines

“It’s unfortunate in the land of the free, that anyone fears retribution from rented authorities with badges.”

I want to know if it is the Republicans or Democrats who stand against ineffective, parasite-infested government regulations that needlessly raise the cost of healthcare. HIPAA’s bipartisan support makes it hard to tell.

 Get ready for even more nonsense, Doc. “HIPAA Audits Move Forward” by Howard Anderson was posted today on HealthcareInfoSecurity.com. Three unnamed physicians and one really unlucky dentist are included in the first 20 audits.


 Anderson writes: “It’s official: The new HIPAA compliance audit program has begun. The 20 organizations selected for the initial test phase of the program are preparing for site visits in the coming weeks, federal regulators confirm. After that, about 130 more organizations will face audits later this year.”

 Inevitably, it won’t be long until KPMG auditors working under a $9.2 million contract with HHS will be looking to make examples of mouthy dentists. That’s why I can’t blame HIPAA covered dentists for their silence. If I were a Covered Entity like 90% of the dentists in the nation, I certainly wouldn’t be pointing out federal stupidity.

Ominously, it’s been 6 years, and I’m still the only dentist in the nation who dares to question the value of HIPAA in dentistry. It looks to me like most dentists’ silence can be attributed to pervasive fear of obscene, bankruptcy-level fines for a capricious, subjective finding of “willful neglect” by a KPMG auditor having a bad day. It’s unfortunate in the land of the free, that anyone fears retribution from rented authorities with badges. Want to know a secret? Shortly after KPMG won the government contract to audit dentists’ compliancy, they had to disclose that one of their employees lost a hard drive containing 4500 patients’ identities. OOPS! (If you happen to be audited, it wouldn’t be a good idea to mention that incident).

 How to prepare for an audit the OCR way

 A month ago, attorney Adam Greene, a former OCR official, suggested that HIPAA covered entities should prepare for an audit by:

– Addressing the entire lifecycle of electronic and hard copy protected health information, identifying where such information is created throughout the organization, how it is maintained, and how it is disposed of;

– Creating a compliance cycle that regularly modifies policies and training in response to recurring issues and emerging threats; and

– Conducting a comprehensive review of policies, procedures, other documentation, and training.


 If those tedious, meaningless obligations aren’t scary enough for busy dentists who are sincerely trying to keep their patients’ identities secure, in August, Greene suggested that “entities that have never imposed an internal HIPAA-related sanction may have a problem.” He added that not having issued a sanction “doesn’t mean you have never had a HIPAA violation.” Incredible.


 As any thinking, literate human, and a few exceptionally smart family pets can figure out, Mr. Greene’s takeaway lesson is shocking: If nobody in your office has yet been officially sanctioned, Doc, it’s time to choose someone to take the first hit for the team, and for others to get in line for their bustin’ as well. Actually going through the motions of coming down hard on various employees for minor HIPAA violations on an irregular schedule is much better than trying to backdate numerous sanctions in the frantic 10 days following an audit notice from OCR. Besides, that’s likely to land you in jail.

Regardless of how you prove you vigorously sanction HIPAA violations every now and then as expected, don’t forget to pin down the details with those whose carelessness you document according to HIPAA requirements. It would reflect badly on the dentist’s dedication to compliancy if upon questioning by a KPMG auditor, a staff member couldn’t recall why he or she was sanctioned one or more times.

 It’s no surprise that HIPAA has failed to even slow down the number of data breaches from dental offices. Nor has HITECH lessened the temptation of dental patients’ stolen identities that go for $50 each. Think about it. A dental practice’s 3000 patients’ PHI quietly downloaded onto a flash drive within minutes can put $150,000 in the thief’s pocket, tax free. What’s more, the dentist might not learn of the heist until a law official is seated in the waiting room with a long list of identity theft victims with a dentist in common. How scary is that?

Mr. Greene’s feel-good busywork and cosmetic sanctions offer Americans as much protection as the 1960s’ patriotic “duck and cover” campaign intended to save our nation’s school children during a nuclear war.

 Silence from citizens gives tyranny a strategic advantage.

 D. Kellus Pruitt DDS

Editor’s Note: Dr. Pruitt is a Ft Worth dentist. See also http://learn2empower.blogspot.com/2011/12/health-organizations-not-prepared-for_30.html