I read that the Department of Health and Human Services has made periodic HIPAA-related audits a focus in 2014...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
after running into funding issues in 2013. My company handles personal health information (PHI) that falls under HIPAA guidance, but we've yet to go through such an audit from HHS. What preparations can we make before an auditor shows up at our door? Is there anything in particular that HHS will be looking for?
The Office for Civil Rights within the Department of Health and Human Services announced that it has initiated audits of HIPAA-covered entities and business associates in 2014. This audit program, initially started as a pilot in 2012, was not funded in the 2013 budget, but the department has now designated it as a priority.
Unlike the pilot program, regulators expect the 2014 audits to be narrow in scope but broad in application. This means that the audits will likely target more than the 115 organizations included in the pilot program, but they will be focused on specific issues rather than a sweeping review of compliance with the HIPAA Omnibus Rule. Details are not yet available on the specific issues that HHS will focus on, but expect them to center around areas that have been the subject of recent enforcement actions, such as permissible uses and disclosures of PHI, safeguards for PHI and patient access to PHI.
If you are the subject of a HIPAA audit, expect the process to run similarly to other audits that you've experienced. Companies will receive advance notification about the duration, timing and scope of the audit and possibly be asked to gather materials in advance to make the audit process run more smoothly. The more done to prepare the documentation requested by auditors in advance, the less time they will need to spend on-site -- that's a good thing!
Now would be a good time to dust off your HIPAA compliance plan and ensure that you have all of your i's dotted and t's crossed. The simple truth is that an organization that hasn't diligently planned, implemented and documented its HIPAA compliance strategy won't be able to "cram for the test" in order to pass an audit.
Assuming you're then satisfied that your organization is indeed HIPAA-compliant, turn your attention to organizing your HIPAA documentation in advance of an auditor's arrival. In terms of specific points of emphasis, make sure that you've documented your mandatory risk assessment and documented your compliance plan. Audits always go more smoothly when your paperwork is in order!
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
Check out this HIPAA compliance manual
Dig Deeper on HIPAA
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.