What is a HIPAA Audit?

What you need to know about a HIPAA audit: The Health Insurance Portability and Accountability Act (HIPAA) is a federal act that ensures that all confidential patient information is protected. Breaches of protected patient information have been used to steal patients' identities or have been misused in employment decisions such as hiring, firing, and promotions. There are many other reasons for HIPAA, such as coding and electronic submission of claims; however, let us focus on your organization and what you must do under HIPAA to help prevent such misuse.

With the onset of the Omnibus Rule, there are two categories of healthcare entities: the covered entity and the business associate. Both will need to follow the rules and regulations of the Health Insurance Portability and Accountability Act. These organizations must perform an audit to determine whether all the provisions of HIPAA are being followed without any intentional or unintentional violation.

There are two types of audits: the audit you perform on yourself and the audit HHS will perform on you. HHS will audit you either because it selected you at random or because you have had a significant breach that requires HHS to audit you. Therefore, it is imperative that you perform a HIPAA audit following a defined process that allows you to document your deficiencies and how you remediate them. This HIPAA audit process is very important. It must be well documented and well structured.

A systematic approach to your HIPAA audit is exactly what will save your business in the long run. Like any audit, the more structured and systematic the process is, the less painful it will be.

There are two sides to a HIPAA Audit

There are two sides to a HIPAA audit: Privacy and Security. First is Privacy, or the protection of data against improper release, the policies and procedures surrounding how the data is used, and the tracking of certain aspects of the rule such as breaches, authorizations and disclosures. The other is Security, or the technical side of HIPAA. This part is the physical protection of the data. A security audit looks at every area of an organization where Protected Health Information (PHI) is stored, transmitted from, or accessed from, which includes all computers, fax machines, email, employee policies, jump drives, phones, pagers, and PDAs.

HIPAA regulations impose an array of requirements when it comes to the technical side of an audit. A risk analysis of every device that stores electronic Protected Health Information (ePHI) must be completed, and each device must be assigned a risk rating based on the likelihood that data could be compromised from that device.

At the very foundation of any organization's HIPAA compliance plan are the Privacy and Security policies. These policies, which address every aspect of HIPAA, will need to be created and attested to by every employee of the organization who comes into contact with or uses ePHI in their job role.

Every employee in an office should know exactly what they can and can’t do on a computer.  They should know which websites they are allowed to visit and what the limits of their email are.  Not only should every employee know what is required of them on the computer system, they need to know where they can find answers to questions they may have.

Your HIPAA audit will have multiple layers, but the first layer is the gap analysis. This defines which deficiencies you currently have, and it is the foundation of a successful HIPAA audit. The HIPAA audit is not the final stage, though. The documentation and the daily monitoring continue every day of every year that you are dealing with ePHI.

Top 5 tasks for conducting a HIPAA Audit

1. Before starting with the HIPAA audit, it is important that you gain adequate knowledge about the recent amendments and changes that have taken place in the Act. This will keep you up to date with all the latest provisions of the Health Insurance Portability and Accountability Act. This can be accomplished through self-education or by hiring someone to help.

2. All covered entities will need to have policies and procedures in place that help them comply with the Health Insurance Portability and Accountability Act. These should be in accordance with the policies and procedures stipulated by HIPAA.

3. The audit should check how all information pertaining to patients is handled by the different departments of the covered entity. As all the information pertaining to the patient is stored on electronic devices (computers, hard drives, etc.), it is necessary to ensure that these devices are password protected. Apart from this, all files that hold protected patient information will also need to require a password for access.

4. If the information is stored physically in files, the audit will check to see whether they are kept in a secure place. If any patient information is destroyed, there should be adequate safeguards to ensure that it is done properly. All the physical files will need to be properly locked and access to this place should be restricted only to authorized individuals.

5. If there have been reports of any violation of the Health Insurance Portability and Accountability Act, they need to be examined. You will also need to determine what steps were taken after detection of the violation. If the violation has not been cleared within the stipulated period of time, it will attract fines and imprisonment depending on whether the violation was intentional or unintentional.

The tracking of your compliance plan is critical during an audit by outside authorities. Remember: the more documentation you have, and the more accurate and current it is, the better off you will be if the outcome is poor. Due diligence is the name of the game, so make a good faith effort and work on your compliance plan every day so that you will not hear the words "WILLFUL NEGLECT," which is the kiss of death when hearing the results of an audit from HHS.

The Guard Dashboard

What We Can Do To Help

Here at Compliancy Group, our aim is to make sure that your business goes through a simple and affordable program that ensures you will be HIPAA compliant. Whether it is your self-audit or an audit from HHS, we help you make sure that your good faith effort is put first, which will help prove that you are making an active effort to be compliant. A HIPAA audit no longer needs to be a daunting term for your business, and with our help, difficult audits will be a thing of the past.