Healthcare entities to face random OIG security audits
HIPAA Training Advisor, November 15, 2007
Although HIPAA privacy and security investigations by the OCR or CMS are typically compliance-based, the OIG audits are random and could last for an extended period of time, says Chris Apgar, CISSP, president of Apgar & Associates in Portland, OR. But there are steps healthcare providers can take to ease the pain of a HIPAA security compliance audit or an audit conducted by another federal or state entity, says Apgar.
Apgar says providers should assume that the OIG will audit their organizations and warns them not to wait before analyzing and revising existing policies, procedures, and practices. "It is not a question of if healthcare facilities will be audited, but when it will happen," he adds.
Audits generally begin with a demand for copies of policies, procedures, a disaster recovery plan, training materials, patch management documentation, internal audit findings, and risk analysis findings, says Apgar.
Some common problems include the following:
- Ineffective, incomplete, or out-of-date policies and procedures
- Inadequate disaster recovery plans and emergency operations plans
- Incomplete or nonexistent audit programs
- Unsatisfactory risk analysis
- Insufficient compliance training for staff members
Staff training is one of the most important components of an effective compliance plan, but it is often last on the list of priorities because management's focus is usually on the day-to-day operations of running a facility. However, facilities that perceive intensive training as a distraction are being extremely shortsighted.
Some organizations are wary of existing training materials because they do not trust the accuracy of the material available from commercial companies. Organizations considering outsourcing their training programs need to research the sources of the information and verify the reliability of those who contribute to that material. Apgar says that training cannot be a one-time event; instead, facilities need to make it part of their corporate culture.
The staff training program needs to include instruction for new employees, which should occur as soon as new staff members are hired, but healthcare organizations also need to schedule regular training sessions for all staff members. Train the entire staff whenever you revise policies and procedures or when relevant federal and state regulations are updated.
Healthcare facilities can use a variety of methods to train staff. Online training that provides information and contains a final quiz can be effective. Staff members can participate in this type of training at any time during the workday.
Brown-bag lunches and other gatherings are an effective way to prompt employee dialogue. Organizations can designate certain days or weeks as "Security and Privacy Day/Week" and host various activities for staff members at the specified time.