In the coming weeks the Office of Civil Rights, the division responsible for HIPAA compliance, will begin conducting formal HIPAA audits. Originally the plan was to conduct 400 desk audits and a large number of on-site audits. However, OCR has decided to reduce the number of desk audits to less than 200 and has not provided information on whether the number of site audits for business associates and covered entities will be reduced.
How organizations will be selected for an audit has not been formally detailed, but OCR will look for patterns that illustrate a lack of infrastructure or process where data breaches have occurred.
Whether or not your organization has been the victim of a breach, it’s essential to prepare for an audit in the event you get selected. To help clients, prospects and others understand essential preparation, Holtzman Partners has provided a list of steps to take outlined below.
HIPAA Audit Preparation
Below are a few steps organizations should take to ensure compliance with HIPAA regulations.
- Review Applicable Requirements – The first step is to ensure there is a solid understanding of organizational requirements under the new rules. While this may seem like a common-sense item hardly worth mentioning, it’s important to note that many organizations are not completely aware of their new responsibilities under HIPAA. During the audit pilot program, OCR discovered that 30% of organizations flagged for noncompliance admitted to being totally unaware of the requirement. This is especially alarming considering the violations were directly related to explicit covered entity requirements. Many of the organizations were unaware of the privacy practices, individual access rights, or media movement and monitoring requirements in the new security changes. As a result, every organization should have a clear understanding of what it is expected to do under the new regulations.
- Conduct a Comprehensive Risk Analysis – Ongoing risk analyses are the foundation of developing and implementing an effective and comprehensive HIPAA compliance plan. Regularly conducting these analyses provides critical information on how to protect Patient Healthcare Information and identifies vulnerabilities. It is also necessary as an ongoing measurement tool to assess progress and areas for improvement. This is an essential step because, if an organization is selected for an audit, the risk analysis is one of the first documents OCR will request and review. Despite its obvious importance, it was discovered during the pilot program that two-thirds of the participants did not have a completed or updated risk analysis. If an organization waits until it is selected for a HIPAA audit, it will be too late to compile a proper analysis.
- Identify Where Your PHI is Stored and Transmitted – Many organizations do not know all of the locations where sensitive data such as PHI is stored or transmitted. Detailed analysis often uncovers PHI replicated to insecure servers or sent over insecure connections. Thoroughly examining your environment and documenting where PHI lives is essential if a company plans to properly secure it. This can be accomplished through the use of a PHI Inventory and/or Data Flow Diagrams. It is equally important that such documents are updated on a regular basis.
- Review Data Encryption Measures – Under existing HIPAA regulations, organizations are required to implement data encryption to protect sensitive healthcare information. This is a security measure to protect essential data should a data breach occur. According to HIPAA, data encryption is an addressable requirement. This means that it is not a mandatory step: if the situation warrants it, an organization may elect to find an alternative solution that achieves the same objectives or, in certain circumstances, not comply. However, it’s important to clearly document the reasons for not implementing encryption and deviating from the standard. Unfortunately, during the pilot audit program, OCR discovered that organizations either implemented encryption or did nothing at all to justify and document reasonable alternatives. As the formal HIPAA audit program begins, organizations need to review their plans to ensure they comply with either the implementation or the documentation requirements. Simply doing nothing is a serious violation.