Q

HIPAA audit preparation: Is your company ready?

HIPAA audits have increased in 2014. Expert Mike Chapple offers guidance to get your enterprise's compliance plan audit-ready.

I read that the Department of Health and Human Services has made periodic HIPAA-related audits a focus in 2014 after running into funding issues in 2013. My company handles personal health information (PHI) that falls under HIPAA guidance, but we've yet to go through such an audit from HHS. What preparations can we make before an auditor shows up at our door? Is there anything in particular that HHS will be looking for?

The Office for Civil Rights within the Department of Health and Human Services announced that it has initiated audits of HIPAA-covered entities and business associates in 2014. This audit program, initially started as a pilot in 2012, was not funded in the 2013 budget, but the department has now designated it as a priority.

Unlike the pilot program, regulators expect the 2014 audits to be narrow in scope but broad in application. This means that the audits will likely target more than the 115 organizations included in the pilot program, but they will be focused on specific issues rather than a sweeping review of compliance with the HIPAA Omnibus Rule. Details are not yet available on the specific issues that HHS will focus on, but expect them to center around areas that have been the subject of recent enforcement actions, such as permissible uses and disclosures of PHI, safeguards for PHI and patient access to PHI.

If you are the subject of a HIPAA audit, expect the process to run similarly to other audits that you've experienced. Companies will receive advance notification about the duration, timing and scope of the audit and possibly be asked to gather materials in advance to make the audit process run more smoothly. The more done to prepare the documentation requested by auditors in advance, the less time they will need to spend on-site -- that's a good thing!

Now would be a good time to dust off your HIPAA compliance plan and ensure that you have all of your i's dotted and t's crossed. The simple truth is that an organization that hasn't diligently planned, implemented and documented its HIPAA compliance strategy won't be able to "cram for the test" in order to pass an audit.

Assuming you're then satisfied that your organization is indeed HIPAA-compliant, turn your attention to organizing your HIPAA documentation in advance of an auditor's arrival. In terms of specific points of emphasis, make sure that you've documented your mandatory risk assessment and documented your compliance plan. Audits always go more smoothly when your paperwork is in order!


This was first published in August 2014