Conducting a phase two audit self-review
Briefings on HIPAA, October 1, 2016
This is an excerpt from a member-only article. To read the article in its entirety, please log in or subscribe to Briefings on HIPAA.
Conducting a self-review based on the audit protocols can help BAs prepare for desk audits; it can also help BAs and CEs get ready for the more exhaustive on-site audits. And as OCR steps up investigations of breaches large and small—while cyberthreats continue to mount—the audit protocols offer a blueprint that can help an organization identify and address risks.
The phase two audit protocols were built on the phase one protocols and updated to include changes made by the 2013 HIPAA omnibus final rule. (For more information on the phase two audit protocols, see the July issue of BOH.) The updates also include information specifically for BAs. But the protocols are useful beyond simply checking boxes for audited organizations: Any CE or BA can use them to evaluate compliance.
"Every affected organization should be routinely conducting reviews of its regulatory compliance," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. "Not only is this a good business practice, but it is explicitly required in the HIPAA Security Rule evaluation standard."
Some organizations may have put off these evaluations to deal with other compliance or business concerns, but privacy and security officers might see the tide finally turn in their favor. OCR's increased activity, as well as the rise in frequency and cost of data breaches, may put HIPAA compliance back in the spotlight. Privacy and security officers should revitalize efforts to conduct the gap analyses and mock audits CEs and BAs may have postponed, advises Frank Ruelas, MBA, principal of HIPAA College in Casa Grande, Arizona.
"Now may be a good time to bring a review of the audit protocol, which essentially helps provide an overall indication of one's state of compliance with many of the key areas within the HIPAA privacy, security, and breach regulations, from the drawing board to the to-do list," he says.