Surviving a HIPAA Audit
By Marie Ruettgers
The Department of Health and Human Services, Office of Civil Rights (“OCR”) will soon issue HIPAA audit notices to a small number of both covered entities and business associates who handle protected health information. To paraphrase Paul Revere, “The audits are coming, the audits are coming!”
The first step to surviving a HIPAA audit is, obviously, advance preparation.
The Audit Process
Phase 2 of OCR’s Audit Program was scheduled to start in the fall of 2014 and run through June 2015, but has been delayed and is expected to start as early as the fall of 2015.
Audits will be desk reviews using the OCR’s preparation protocol, found here. Use this as an outline to help prepare for an audit. Both covered entities and business associates are subject to audits. A covered entity or business associate that receives an audit notice will have just two weeks to respond with the documentation requested.
With only two weeks to gather and submit the requested information, the time to prepare for an audit is not when the audit notification arrives. How should you start preparations? Start with the OCR’s preparation protocol and organize your preparation into three key areas: Security, Privacy and Breach.
The Security module has at its primary focuses protected health information (PHI) contained
in Electronic Medical Records (EMR), and measures that must be taken to ensure the confidentiality, integrity and security of EMRs. OCR provides useful checklists for Security that correlate to the three subcategories. You can find them by clicking here.
Start with the following steps, and work through the audit protocol:
1. Confirm your organization has recently completed a Risk Assessment of potential security risks and vulnerabilities.
2. Confirm that the actions items identified in the Risk Assessment either have been completed or are on a reasonable timeline to achieve completion.
3. Confirm an IT asset inventory system is in place and up to date, including all BYODs.
4. Confirm a facility security plan has been adopted and is in place for each physical location with access to PHI.
5. Review the security plan to identify gaps in physical security plans, disaster recovery plans, as well as emergency access procedures.
6. Ensure all staff is routinely trained on policies relevant to their positions.
The Privacy module audit procedure will focus on the protection of medical records and other PHI, including (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.
Start with the following common deficits identified in Phase 1 audits and work through the protocol:
1. Ensure a complaint Notice of Privacy Practices is in place, and conduct periodic reviews to confirm employees are operating consistently with the stated notice.
2. Confirm a complete listing of Business Associates exists and that each has an Agreement that limits the use and disclosure of PHI to that allowed by the standards and for specified purposes within those standards.
3. Know and understand when the use of a consent versus a specific authorization is required, and document policies that indicate appropriate use.
The Breach module audit will focus on the organization’s ability to notify individuals of a breach of their unsecured PHI within 60 days as required by HIPAA. Organizations must have a plan for breaches affecting fewer than 500 individuals, as well as a plan for breaches affecting more than 500 individuals. Organize your breach efforts into two subcategories: internal breaches, and BA breaches, and then cross-reference by the size of the breach for planning purposes.
Start with the following steps:
1. Ensure you have a process outlined in writing for how to roll out a breach communication within the 60 day period required by HIPAA.
2. Document the notification process used for past breaches.
3. Draft and review form letters for required notification content.
4. Determine if policies and procedures identify how and when HHS must be notified of a breach.
Do not wait until the arrival of a HIPAA audit letter before taking action. Take advantage of the additional time the OCR has provided and consult qualified legal counsel on HIPAA compliance issues now before Phase 2 is in full swing.
Marie Ruettgers is Managing Attorney at Goosmann Law Firm.