Everything You Always Wanted to Know about HIPAA Audits

During 2012, the HHS Office for Civil Rights conducted 115 random HIPAA privacy and security audits in a pilot program. The time isn’t certain, but a formal random audit program is coming soon and the office is presently funded through 2014 to conduct them, says information security specialist Tom Walsh, president of Tom Walsh Consulting in Overland Park, Kan.

Walsh is part of a team of four experts that will walk through OCR HIPAA audits during the day-long Privacy and Security Workshop on March 3, the day before HIMSS13 formally starts in New Orleans. He’ll be joined by Mark Dill, director of information security at Cleveland Clinic; Mary Brandt, vice president of health information management at Scott & White in Temple, Texas; and Lisa Gallagher, senior director of privacy and security at HIMSS.

The team will walk through the workflow of how protected health information gets into a system and is disclosed from the system; where the greatest risks are (think mobile devices) and prevailing best practices; three security components that must be part of meaningful use (risk assessment, gap analysis and a remediation plan); preparing for a random HIPAA audit and readying the body of evidence you will need to present; managing business associates (who are not covered under your cyber liability insurance and give you the bad press when a breach happens); and updates on regulatory initiatives.

The audits are officially called HIPAA Security Audits, but very much include privacy and breach notification rule compliance assessments, as well, Walsh notes. “You need to show documented compliance with all three.”

When an organization is notified that it has been selected for a random audit, it has 15 days to respond to a request for documents. Having such documents ready and shipping them early is a good way for a covered entity to show HHS/OCR that it already is organized, Walsh advises. The lasting impression that the team hopes to leave: “There’s a lot of work to be done.”

The random HIPAA audits are actually only one of three types of privacy/security audit programs. OCR conducts an investigation following a breach of protected health information that includes assessing compliance with the HIPAA rules, including whether a formal risk assessment has been completed. Further, the emerging electronic health records meaningful use audits require documented proof of a risk assessment and of the remediation of high-risk gaps.