Health Information Management

Prepare for a HIPAA audit

HIM-HIPAA Insider, September 27, 2011

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

How can organizations begin to prepare for a possible HIPAA audit? Recognize that it's all about protecting patients' PHI, ­advises Susan McAndrew, JD, deputy director of health ­information privacy at the Office for Civil Rights (OCR).
 
"The goal of this audit program, and OCR's investigations and compliance reviews, is to improve compliance with the HIPAA Privacy Rule and Security Rule requirements to better protect and secure the information covered entities hold on behalf of individuals," McAndrew says.
 
McAndrew recommends the following steps to prepare for an OCR audit:
  • Review policies and procedures to ensure they are up to date and comprehensive.
  • Review your files and documentation to ensure that ­appropriate patient information safeguards exist.
  • Assess your organization's general management style to determine its effectiveness, specifically with respect to safeguarding information.
  • With respect to the Security Rule, review your risk analysis process, risk management plan, incident response plan, emergency backup plan (if any), and breach response plan.
  • Conduct regular internal audits. Many organizations have incorporated this approach, which includes a systemic review of operations from a HIPAA perspective, in their compliance programs, McAndrew says. "Self-evaluation should be standard practice," she adds.
  • Build and maintain a culture of compliance within your organization. This includes a regular review of policies and procedures to ensure full compliance with HIPAA. OCR strongly recommends this measure for both CEs and BAs.
  • Provide regular training sessions for staff members.
  • Create an action plan for prompt response to incidents.
"The audit program is a tool for uncovering compliance issues faced by covered entities and best practices for implementation of effective health information privacy and security programs," says McAndrew.
 
Editor’s note: For more advice, access the article in its entirety in the September issue of Briefings on HIPAA.



Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

Most Popular