The Health Insurance Portability and Accountability Act (HIPAA) was introduced to safeguard sensitive patient data. As expected, a good number of covered entities and business associates have yet to implement the safeguards fully. Most of the healthcare providers, business associates, and organizations that are struggling to implement the compliance guidelines assume that they will not be audited. It might not happen today, but eventually the Office for Civil Rights (OCR) will get to you.
Since you have no idea when the OCR will decide to audit your business, the best decision is to prepare for the audit in advance. When the OCR decides to audit your business, they will send you an email, and you will have 10 business days to compile and provide the relevant documents. Here is how to prepare:
1. Understand the HIPAA Audit Protocols
The HIPAA audit protocols consist of 169 modules, but not all of them apply to every covered entity. This is a good reason to familiarize yourself with the audit protocols and the modules applicable to your business. Which modules apply depends on the nature of your business.
The HIPAA audit will focus on three main areas: the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. Most of these are comparatively easy to comply with, except the HIPAA Security Rule, which seeks to prevent unauthorized access to protected health information (PHI).
You can use a checklist to ensure that all the relevant modules are adhered to. It will also help you determine the documentation that is needed in case of an audit. You only have 10 business days to prepare once you receive the notification, which is not enough time to compile everything needed from scratch. The auditors will note down their observations, including any missing elements and severe compliance issues.
2. Update documentation
With the audit protocols and a checklist to guide you through the audit preparation, you can prepare the relevant documentation with ease. Keep this documentation up to date, because the auditor will assume that a lack of documentation means your business is not compliant.
3. Train your employees
HIPAA compliance goes beyond complicated security systems, two-step verification codes, and other technical measures. It also includes employee training, since employees are the ones handling PHI. The law stipulates that you must protect this sensitive information, and there is no better way to protect it than to train the people who handle it.
Every employee who handles healthcare information requires HIPAA compliance training. The HIPAA training rules require that your employees undergo training periodically, but they do not specify the period. The recommended interval is annual, which keeps employees updated on the latest rules. Also, do not forget to document the training.
4. Risk analysis and management
These two are standard information security practices that help organizations detect and deal with security risks. They are also provisions of the Security Rule, so you will be required to document the approaches you have implemented.
Before you implement a risk analysis and risk management program, you might want to limit its scope for efficiency. Start by segmenting the systems that handle electronic protected health information (ePHI). This lets you focus the risk analysis and risk management program on the systems that actually handle ePHI. However, if you are not sure which systems handle the data, you will need to broaden the scope to cover all systems.
Once you have identified the systems and the flow of ePHI through them, you will have an easier time identifying potential threats and vulnerabilities. Do not forget to document these processes, both for reference when needed and for review during the HIPAA audit.
When performing the risk analysis, do not just use a checklist to confirm that you meet the stipulated requirements. Instead, perform a thorough analysis that helps you better understand your systems and ePHI environment. You want to know the potential risks and vulnerabilities, and the likelihood of these threats materializing.
5. Internal audits
Instead of waiting for a HIPAA audit to identify weaknesses in your organization's privacy and security, you can conduct internal audits. These audits help you find problems with your systems and your HIPAA compliance before the OCR audit, leaving you ample time to remedy them.
If possible, hire an organization that conducts HIPAA audits to ensure that the audit is unbiased and thorough.
The OCR does not have sufficient staff to conduct random compliance audits; when they decide to audit your organization, there is always a trigger. Therefore, if your organization or business is earmarked for an audit, you might want to find out what triggered it. The best strategy, however, is to be prepared, because an audit can be triggered at any time by anyone. Are you confident that your organization will pass a HIPAA audit? If not, start preparing while you still have time.