Is a HIPAA audit coming? 8 critical steps in preparing
Once the feds come knocking, it’s too late to prepare a defense—experts suggest starting now.
8 ways providers should prepare for an OCR HIPAA Audit
Taking the opportunity to strengthen an organization’s privacy and compliance program will help maintain control of patient data and avoid compliance headaches, which could include a costly and time-consuming HIPAA audit, says Shane Whitlatch, executive vice president at FairWarning, which offers a suite of data protection and compliance services. Now is the time to start preparing for an audit. A provider that gets a notification letter from the HHS Office for Civil Rights has only 10 days to respond. Whitlatch offers the following eight best practices to prepare for an audit.
Prove you have set HIPAA policy and procedure boundaries
Under HIPAA, organizations are required to implement reasonable and appropriate policies, procedures and standards. These must be documented to prove they’ve set boundaries, and made expectations and standards transparent. Absent these requirements, protected health information could be put in jeopardy.
Focus on PHI
HIPAA regulations state that electronic systems holding ePHI must allow access to those who have been granted access rights. A best practice is to monitor all systems holding ePHI, including electronic health records, cloud applications and mobile devices. By monitoring with a full lifecycle platform, entities can detect, investigate, mitigate and remediate inappropriate activity to address incidents. This also helps identify employees who need training, sanctioning or retraining, and fosters a culture of privacy and compliance.
Conduct risk assessments
Covered entities must conduct risk assessments to determine the probability of compromised health information. The main goal is to determine whether the organization needs to report a breach as required by the law.
Develop an incident response plan
A comprehensive incident response plan can help contain incidents that otherwise could turn into reportable breaches that must be sent to the Office for Civil Rights. Once created, the incident response plan requires frequent evaluation and changes as the organization naturally evolves.
Know your users
In a large survey of users of EHRs and cloud applications, FairWarning found that 26 percent of users were poorly known or unknown to the care provider. This means the users are not being monitored or audited, making it difficult to train them or sanction them if there is a breach. Organizations can improve compliance by implementing identity correlation technology in their EHRs and cloud applications.
Identify high risks
The breach notification rule must not be ignored, and organizations need to develop a compliance plan that adheres to the rule. Identify high-risk assets and ensure the risk analysis of these assets is current. These should include technical and non-technical assets that are business-critical.
Don’t skimp on business associate agreements
For vendors handling PHI, a business associate agreement is essential as it helps ensure both parties are accountable for creating, receiving or transmitting PHI in a secure and intended manner. Any organization can sign a BAA, but do they have the proper protocols in place to responsibly handle ePHI?
Implement ongoing training
Some 58 percent of healthcare breaches involve insiders, FairWarning data show. To ensure employees are fully absorbing the policies and regulations of their day-to-day work, training should be treated as an ongoing process, not a one-time event. Clearly communicate expectations and train accordingly through a learning management system.
To encourage compliance, the OCR has put audits—and fines—in place. Of course, organizations want to avoid paying fines and enduring bad publicity, but the real motivation should be the desire to keep patient data safe and earn the trust of those being served. These best practices will help position the organization for a compliance program that also lays the groundwork for both future technology adoption and future regulations.