“We’re being audited!”
Those words strike fear and uncertainty in most of us, especially if you are in healthcare. But what actually happens in a HIPAA audit? Will a government official show up unannounced with a briefcase, sequester your team in a conference room, and ask you to produce every bit of your business's HIPAA documentation? Not quite. Take a deep breath, and we will walk you through what to expect if you are audited.
How It Starts
The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is the government agency responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules. It does that by investigating complaints, conducting compliance reviews, and overseeing education and outreach programs that foster compliance. A reported data breach can also trigger an audit or an investigation into your compliance program. If you are selected for an audit, you will be notified in writing, and the notification will identify the specific documentation and data about your HIPAA program that you must provide. You submit that material through OCR's secure web portal. OCR reviews what you have sent, shares its draft findings with you, and gives you the opportunity to respond to questions and comment on those findings; your responses are included in the final audit report.
Audits Will Vary
The documentation you provide depends on the specific issue or violation raised regarding your business, and OCR assesses the key factors relevant to it. The full audit protocol is available on the HHS website, but eight general instructions apply to all audits:
- Where the document says “entity,” it means both covered entities and business associates unless identified as one or the other
- Management refers to the appropriate privacy, security, and breach notification official(s) or person(s) designated by the covered entity or business associate for the implementation of policies and procedures and other standards
- Entities must provide only the specified documents, not compendiums of all entity policies or procedures. The auditor will not search for relevant documentation that may be contained within such compilations
- Unless otherwise specified, all document requests are for versions in use as of the date of the audit notification and document request
- Unless otherwise specified, selected entities should submit documents via OCR’s secure online web portal in PDF, MS Word or MS Excel formats
- If the requested number of examples documenting implementation is not available, the entity must provide instances from equivalent previous time periods to complete the sample. If no documentation is available, the entity must provide a statement to that effect.
- Workforce members include entity employees, on-site contractors, students, and volunteers
- Information systems include hardware, software, information, data, applications, communications, and people.
Preparation is Key
Being unprepared will undoubtedly increase your risk of being fined if you are audited. Because document requests are for the versions in use as of the date of the audit notification, policies and procedures written after the notice arrives will not fill the gap. A lack of preparation for HIPAA compliance is also often accompanied by a weak cybersecurity infrastructure, placing your business at high risk of cyberattack. Either shortcoming is dangerous to a business; lacking in both is irresponsible to both your business and your patients.
Once you know what to expect, you can best prepare. And being proactive in your approach to HIPAA and cybersecurity can pay off in a big way should an incident or investigation occur.
This article was originally published on HIPAA Secure Now! and is republished here with permission.