I read that the Department of Health and Human Services has made periodic HIPAA-related audits a focus in 2014 after running into funding issues in 2013. My company handles personal health information (PHI) that falls under HIPAA guidance, but we've yet to go through such an audit from HHS. What preparations can we make before an auditor shows up at our door? Is there anything in particular that HHS will be looking for?
The Office for Civil Rights within the Department of Health and Human Services announced that it has initiated audits of HIPAA-covered entities and business associates in 2014. This audit program, initially started as a pilot in 2012, was not funded in the 2013 budget, but the department has now designated it as a priority.
Unlike the pilot program, regulators expect the 2014 audits to be narrow in scope but broad in application. This means that the audits will likely target more than the 115 organizations included in the pilot program, but they will be focused on specific issues rather than a sweeping review of compliance with the HIPAA Omnibus Rule. Details are not yet available on the specific issues that HHS will focus on, but expect them to center around areas that have been the subject of recent enforcement actions, such as permissible uses and disclosures of PHI, safeguards for PHI and patient access to PHI.
If you are the subject of a HIPAA audit, expect the process to run similarly to other audits that you've experienced. Companies will receive advance notification about the duration, timing and scope of the audit and possibly be asked to gather materials in advance to make the audit process run more smoothly. The more done to prepare the documentation requested by auditors in advance, the less time they will need to spend on-site -- that's a good thing!
Now would be a good time to dust off your HIPAA compliance plan and ensure that you have all of your i's dotted and t's crossed. The simple truth is that an organization that hasn't diligently planned, implemented and documented its HIPAA compliance strategy won't be able to "cram for the test" in order to pass an audit.
Assuming you're then satisfied that your organization is indeed HIPAA-compliant, turn your attention to organizing your HIPAA documentation in advance of an auditor's arrival. In terms of specific points of emphasis, make sure that you've documented your mandatory risk assessment and documented your compliance plan. Audits always go more smoothly when your paperwork is in order!