How to Prepare for a HIPAA Audit

Okay. So you got this phone call from one of your clients who had a data breach that was reported to OCR. They said to expect a call from X company, who will be contacting you to schedule a HIPAA audit. You've never been audited before and you have no idea what to expect or what to have ready for them when they show up on your doorstep. What can you do? Do as much pre-digging as you can.

Remember how serious this is. OCR (the HHS Office for Civil Rights) can impose civil money penalties of up to $1.5 million per calendar year for violations of an identical provision (the figure is adjusted upward for inflation), on a tiered scale that depends on your level of culpability. The lowest tier applies even to violations you did not know about and could not reasonably have known about, so "we didn't realize" is not a defense.

Things you need that are helpful

Internal Risk Analysis & Remediation program

Before someone on the outside audits you, it's always best to audit yourself first. The Security Rule actually requires a documented risk analysis (45 CFR 164.308(a)(1)(ii)(A)), and it is one of the first things auditors ask for. There are good online products that help you perform your own risk assessments and track remediation of any vulnerabilities you find. They can also help you present information to the auditors, and knowing you have already audited yourself will put you more at ease when they arrive. If you have had a third-party risk assessment performed, break out all of that documentation, including the remediation plan and evidence that the findings were actually closed.

Policy and Procedure Documentation

Each of these areas should have written policies (what you require) and procedures (how staff actually carry them out):

General Privacy Practices

A Notice of Privacy Practices must be distributed to patients to cover the different ways in which their protected health information (PHI) will be used and disclosed. Both your website privacy policy and your privacy notice should tell patients how their data is used, what rights they have over it, and what kind of contact they will receive if they consent.

Breach Notifications

Any time there is a breach of unsecured PHI, notifications must be sent to the affected individuals, to HHS, and in some cases to the media, without unreasonable delay and no later than 60 days after discovery. Your policies and procedures must contain the requirements specified in the Breach Notification Rule, including how you determine whether an incident is a reportable breach and how you document that determination.

Decommissioning hardware and disposing of sensitive data (PHI)

When electronic hardware reaches end of life and will no longer be used, it's vital to erase the data securely and permanently (NIST SP 800-88 describes the accepted sanitization methods for each media type) and to make sure physical records are destroyed securely and properly, for example by shredding or pulping. Keep a record of what was sanitized, when, how, and by whom; a certificate of destruction from a disposal vendor is exactly the kind of evidence an auditor will ask to see.

Password management

Have policies and procedures in place that cover these scenarios: creating passwords (length and complexity requirements), changing them (current NIST SP 800-63B guidance is to require a change when compromise is suspected rather than on a fixed schedule), preventing password sharing, and prohibiting written-down or otherwise stored copies of passwords outside an approved password manager.

Termination of employees

You need written procedures for employee termination, and for any employee leaving for any reason. These should cover promptly disabling accounts and revoking physical and remote access, recovering devices and keys, and documenting that each step was completed.

List of all Business Associates

You will need to compile a list of all business associates, along with the signed Business Associate Agreement (BAA) for each one. Make sure all contact information is up to date. OCR may use your list to select BAs for their own audits depending on the data they share with you.

Hardware Inventory

You are also required to maintain an inventory of all electronic hardware that is used to store, transmit, access, or copy PHI. Any equipment with a hard drive or other data storage device must be included. This includes all PCs, laptops, portable storage devices, mobile phones, printers, copiers, fax machines, etc. Record serial numbers, locations, and responsible owners so the inventory can be reconciled against your disposal records.

Documentation on staff training

All of your staff need proper training on HIPAA's Privacy and Security Rules and on their responsibility for upholding these standards. Training must be documented for each employee, with a signed acknowledgment that it has been received and understood, and repeated periodically and whenever policies change.

Tips for Completing HIPAA Audits on-time and without any major issues

Documentation, documentation, documentation. Preparation ahead of time is key. Make relevant staff aware that an audit is happening soon and make sure they are available to answer questions if needed. Get their brains in the right mindset. They could help remind you of things that you forgot.


If you don’t know much about HIPAA before an audit you will certainly know a lot more after the auditors leave. If you stay on top of your vulnerabilities and policy and procedure documentation, you will certainly breathe easier while they are auditing and feel confident when they leave that you won’t see them for a long time.
