ComplianceOnline

How to Prepare for HIPAA Audits


If your organization is FDA regulated, it's important to be prepared for the OCR HIPAA Audit by reviewing your HIPAA compliance measures to ensure that all the required policies and procedures have been documented. While reviewing your organization's practices, the Audit will also review how business associates work toward keeping Patient Health Information (PHI) secure.

The audit will consist of 3 phases

HIPAA Phases

Audit Preparatory checklist for organizations

HIPAA Audit Checklist

Don't overlook physical safeguards

  • Ensure papers such as older files are physically secure
  • Lock it up appropriately
  • Educate workforce members about when it's permissible to take them outside of the office. Also, educate individuals who are allowed to take them outside about how to appropriately protect them in that context.
  • Ensure proper documentation
  • Review if you have added any new systems, such as EHR systems for example
  • Review if you have new affiliations, such as a new outpatient center

Ensure Risk Assessments are done right and clearly tracked

  • Perform risk assessment through your internal resources if they are sufficiently trained and have experience in the area or through an independent third party to assist you in identifying any gaps that leave you vulnerable. Risk assessment frameworks such as ISO-27000 series can be beneficial.
  • The risk analysis must be an ongoing process. Regularly review records and track access to ePHI and identify security incidents
  • Periodically, evaluate the effectiveness of security measures that are in place, and regularly reevaluate potential risks to e-PHI.
  • Document the chosen security measures and also explain why these measures were adopted.
  • Keep a copy of the risk assessment handy

The HHS states "Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data." HHS requires organizations to "maintain continuous, reasonable, and appropriate security protections."

Have appropriate privacy and security measures with all mobile devices and connected medical devices

  • Connecting devices to systems, adds a layer of complexity. That might be essential for the business. However there are many solutions to address those problems from a technology perspective. What's important is to identify where the information is flowing and implementing privacy and security measures.
  • Whether you have implemented a BYOD strategy, distributed devices to personnel, or connected medical devices, thoroughly review it and document the process.
  • When a new technology is introduced, perform and enterprise-wide risk analysis
  • Train personnel to ensure they are aware of the requirements and follow them.

Attend the Seminar HIPAA Privacy Rule Compliance-Understanding New Rules and Responsibilities of Privacy Officer to understand audits and enforcement in detail, and how privacy regulations relate to security and breach regulations, as well as responding to privacy and security breaches and ways to prevent them.

The speaker Jim Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. He serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit.