Tuesday, 10 September 2013

What to Expect When the HIPAA Auditors Arrive?

You think it’s an average, ordinary day and sit back as you go through the mail.  You pull an envelope out of the pile, read the return address and suddenly sit up straight.  You already know what is inside, and your heart rate increases as you carefully slit open the top.  Despite telling yourself you could be wrong as you remove the letter, you discover you are not.  It is the dreaded OCR audit notification letter.  Cue the panic.

When this letter arrives, there’s no need to hear the theme from “Jaws” in your head.  If you have made a good faith effort to comply with the HIPAA / HITECH requirements based on the final Omnibus rule, and have documented that effort as your policies mandate, you can breathe easier, and when the audit occurs you will not feel as if you are in shark-infested waters.

Preparing for the Audit

While preparing for the audit, the first thing to do is to go to the OCR website, which details the steps of the new HITECH compliance regulations, formalized by the Omnibus rule.  It also provides a timeline to help you stay on track as you prepare.

Staff training and documentation of that training is a key component of HIPAA audits.  Make sure your staff is fully trained regarding federal, state and organizational privacy and security regulations, as well as your organization’s policies and procedures.  Training should also cover potential security risks, such as protecting ePHI from malicious computer attacks and how to handle a potential breach.  Refresher training should be conducted regularly; if you haven’t done so to this point, schedule a refresher training before the audit date, or at least have one on the calendar.

Be sure to check your compliance software system to ensure it has been updated to the most recent version.  Also review the market to determine whether newer software programs offer additional features that would improve your ability to remain HIPAA compliant.

What to Expect During the Audit

There are certain documents related to policies and procedures that HIPAA auditors will be looking for in all covered entities.  Additionally, they will want to interview employees regarding their knowledge of HIPAA compliance within the organization, as well as key personnel, who will also be expected to demonstrate how the organization’s compliance system functions.

They will examine all documentation of your organization’s security and privacy compliance efforts.  In addition to appropriate staff training, they will look for documentation of appropriate safeguards that have been put in place or actions that will be taken to protect ePHI from potential threats and risks.

Required and Supplemental Documentation

There are a number of specific documents that HIPAA auditors will want to examine.  It is always prudent to document everything related to a HIPAA compliance issue and to keep this additional information organized, so that it displays the company-wide commitment to maintaining compliance.  Relevant documents to have available include:

Risk Analysis Related Documentation - It’s a good idea to hold meetings after conducting a risk analysis to discuss the results and plan any corrective action that is necessary.  Each task should be assigned to a specific individual or team, and each should be clear on what action they need to take.  Keep minutes of these meetings, listing the main discussion points, problems identified, the plan of action for each problem and personnel assignments.

Each individual or team should document what they did to fix their problem and, if the risk could not be entirely eliminated, explain how the solution reduced the risk to a reasonable level.  For each completed correction, the relevant procedures and policies must be updated.  Complete progress reports for each task that has not been finished in time for the audit.

You do not need to show that you have fully remediated everything identified in the risk assessment, but you must demonstrate awareness of each risk or threat and have a documented plan to address each one.  The documents should make clear which problems have been fixed, along with the updated policy or procedure that has been put into place, and which problems are still in need of remediation, with a clear plan and deadline for each problem that is currently unresolved.

Create a packet with the risk analysis, minutes, report on completed tasks, updated policies and procedures and progress reports on incomplete tasks.  This will provide auditors with a good idea of how your organization assesses and mitigates risk, and the comprehensive documentation will show you are committed to maintaining HIPAA / HITECH compliance.

Contracts and Documentation Related to Business Associates and Subcontractors - Auditors will want to examine all contracts between the covered entity and third-party associates to make sure they include the required components.  They will also want to see documentation that these parties are following the physical, technical and administrative safeguards required by the HIPAA Security Rule.
