
Published March 24, 2016, 8:49am EDT

6 steps to surviving a HIPAA audit

The HHS Office for Civil Rights this year will conduct audits of HIPAA covered entities and business associates to assess organizations’ compliance with the privacy, security and breach notification rules. This includes about 200 desk audits and 24 more comprehensive on-site visits, according to Hayes Management Consulting. But there are ways providers can properly prepare, according to Hayes Management.

Prepare and practice

Before OCR knocks at the door, conduct a round of HIPAA compliance audits and risk assessments internally. Review findings, identify vulnerabilities and risks and deploy corrective action protocols promptly. Two-thirds of those audited in the Phase 1 program had not correctly completed a HIPAA risk assessment, Hayes Management says. To impress OCR, show proof of conducting such assessments on a regular schedule.

Evaluate your privacy and security policies

Perform an in-depth assessment of your current privacy and security policies and procedures and of your active HIPAA compliance program. Designate a HIPAA Compliance Officer or Coordinator. HIPAA privacy compliance should focus on PHI access, administrative requirements, and uses and disclosures (general rules and organizational requirements). For security compliance, concentrate on administrative, physical and technical safeguards.

Perform an internal review of electronic files

Encrypting all electronic files, and above all those containing sensitive patient data, is key. Verify and validate which electronic files are being encrypted and which are not. Be sure to perform this assessment before any external audits are done.

Assess organizational compliance risks

OCR Phase 1 HIPAA audits revealed that two-thirds of organizations could not demonstrate they were performing complete and accurate HIPAA security risk assessments. To ensure that your organization can meet compliance standards, start by inventorying all of the organization’s systems that handle ePHI, then develop remediation action plans for the risks you find.

Compile a list of all vendors and business associates

OCR will ask to see all business associates that have access to your organization’s PHI. Include anyone that works behind the scenes with your hospitals, health plans or providers—for example, contractors, consultants, software vendors and data storage companies.

Evaluate, evaluate, evaluate

Inspect your HIPAA policies and procedures, most importantly those covering employee access, new-hire employee training, ePHI, e-file sharing procedures, faxing, emailing, notices of privacy practices, data breach mitigation, disaster recovery and data backup. Be sure to update policies and procedures regularly.