Conducting a phase two audit self-review
Briefings on HIPAA, October 1, 2016
This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.
Conducting a self-review based on the audit protocols can help BAs prepare for desk audits; it can also help BAs and CEs get ready for the more exhaustive on-site audits. And as OCR steps up investigations of breaches large and small—while cyberthreats continue to mount—the audit protocols offer a blueprint that can help an organization identify and address risks.
The phase two audit protocols were built on the phase one protocols and updated to include changes made by the 2013 HIPAA omnibus final rule. (For more information on the phase two audit protocols, see the July issue of BOH.) The updates also include information specifically for BAs. But the protocols are useful beyond simply checking boxes for audited organizations: Any CE or BA can use them to evaluate compliance.
"Every affected organization should be routinely conducting reviews of its regulatory compliance," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. "Not only is this a good business practice, but it is explicitly required in the HIPAA Security Rule evaluation standard."
Some organizations may have put off these evaluations to deal with other compliance or business concerns, but privacy and security officers might see the tide finally turn in their favor. OCR's increased activity, as well as the rise in frequency and cost of data breaches, may put HIPAA compliance back in the spotlight. Privacy and security officers should revitalize efforts to conduct the gap analyses and mock audits CEs and BAs may have postponed, advises Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona.
"Now may be a good time to bring a review of the audit protocol, which essentially helps provide an overall indication of one's state of compliance with many of the key areas within the HIPAA privacy, security, and breach regulations, from the drawing board to the to-do list," he says.
This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.
Related Products
-
Briefings on APCs
Worried about the complexities of the new rules under OPPS and APCs? Briefings on APCs helps you understand the new rules...
-
HIM Briefings
Guiding Health Information Management professionals through the continuously changing field of medical records and toward a...
-
Briefings on Coding Compliance Strategies
Submitting improper Medicare documentation can lead to denial of fees, payback, fines, and increased diligence from payers...
-
Briefings on HIPAA
How can you minimize the impact of HIPAA? Subscribe to Briefings on HIPAA, your health information management resource for...
-
APCs Insider
This HTML-based e-mail newsletter provides weekly tips and advice on the new ambulatory payment classifications regulations...
Most Popular
- Articles
-
- Don't forget the three checks in medication administration
- Practice the six rights of medication administration
- Learn to dodge radiology coding trouble spots in 2006
- Skills of effective case managers
- Note similarities and differences between HCPCS, CPT® codes
- Q&A: Primary, principal, and secondary diagnoses
- ICD-10-CM coma, stroke codes require more specific documentation
- Complications from immobility by body system
- OB services: Coding inside and outside of the package
- Prevent dehydration with nursing interventions
- E-mailed
- Searched
