Conducting a phase two audit self-review
Briefings on HIPAA, October 1, 2016
This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.
Conducting a self-review based on the audit protocols can help BAs prepare for desk audits; it can also help BAs and CEs get ready for the more exhaustive on-site audits. And as OCR steps up investigations of breaches large and small—while cyberthreats continue to mount—the audit protocols offer a blueprint that can help an organization identify and address risks.
The phase two audit protocols were built on the phase one protocols and updated to include changes made by the 2013 HIPAA omnibus final rule. (For more information on the phase two audit protocols, see the July issue of BOH.) The updates also include information specifically for BAs. But the protocols are useful beyond simply checking boxes for audited organizations: Any CE or BA can use them to evaluate compliance.
"Every affected organization should be routinely conducting reviews of its regulatory compliance," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. "Not only is this a good business practice, but it is explicitly required in the HIPAA Security Rule evaluation standard."
Some organizations may have put off these evaluations to deal with other compliance or business concerns, but privacy and security officers might see the tide finally turn in their favor. OCR's increased activity, as well as the rise in frequency and cost of data breaches, may put HIPAA compliance back in the spotlight. Privacy and security officers should revitalize efforts to conduct the gap analyses and mock audits CEs and BAs may have postponed, advises Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona.
"Now may be a good time to bring a review of the audit protocol, which essentially helps provide an overall indication of one's state of compliance with many of the key areas within the HIPAA privacy, security, and breach regulations, from the drawing board to the to-do list," he says.