8 essential steps to prepare for a HIPAA review

  • August 01 2016, 6:36am EDT
The HHS Office for Civil Rights has sent out inquiries to 167 healthcare organizations and business associates, asking them to submit evidence that they're in compliance with HIPAA privacy, security and breach notification rules. While most provider organizations won't face scrutiny, OCR's effort provides importance guidance about what will be included in future HIPAA audits.

8 steps of essential prep for a HIPAA review

These suggestions, from Elizabeth A. Delahoussaye, privacy officer and senior vice president of compliance for CIOX Health, will help organizations weather future audits and improve HIPAA compliance.

Comprehensive documented risk assessment

Promptly address any deficiencies and complete all action items. Build on the assessment outcomes to create a strong risk assessment management program. Conduct a follow-up security risk analysis periodically to identify, address and document deficiencies that may occur.

Content Continues Below

Written HIPAA policies and procedures

These should reflect privacy and security standards along with any risks or vulnerabilities identified during the assessment process.

Incident response plan for responding to breach of protected health information (PHI)

Implement breach notification policies and procedures that are aligned with requirements under the HIPAA breach notification standards. Conduct practice rounds to prepare staff for a real event should it occur.

Current Notice of Privacy Practices

Provide printed copies of the most recent notice to patients and also make the notice available on the organization’s website.

Content Continues Below

Safeguards to protect all forms of PHI

This applies to paper, electronic and verbal PHI, including mobile devices and storage media. For employees who have personal devices, implement a BYOD policy aligned with HIPAA standards. Keep an up-to-date inventory of all systems and mobile devices.

Workforce training program

Conduct and document training for new employees. Conduct and document ongoing training for all workforce members.

Business associate agreements

Organizations must maintain a current inventory of all business associates. Agreements should be updated and implemented in compliance with current HIPAA requirements.

Content Continues Below

PHI transmission policy

Verify that all PHI is encrypted, or document a risk analysis to support the decision not to use encryption technology.