I read that the Department of Health and Human Services has made periodic HIPAA-related audits a focus in 2014, after running into funding issues in 2013. My company handles personal health information (PHI) that falls under HIPAA guidance, but we've yet to go through such an audit from HHS. What preparations can we make before an auditor shows up at our door? Is there anything in particular that HHS will be looking for?
The Office for Civil Rights within the Department of Health and Human Services announced that it has initiated audits of HIPAA-covered entities and business associates in 2014. This audit program, initially started as a pilot in 2012, was not funded in the 2013 budget, but the department has now designated it as a priority.
Unlike the pilot program, regulators expect the 2014 audits to be narrow in scope but broad in application. This means that the audits will likely target more than the 115 organizations included in the pilot program, but they will be focused on specific issues rather than a sweeping review of compliance with the HIPAA Omnibus Rule. Details are not yet available on the specific issues that HHS will focus on, but expect them to center around areas that have been the subject of recent enforcement actions, such as permissible uses and disclosures of PHI, safeguards for PHI and patient access to PHI.
If you are the subject of a HIPAA audit, expect the process to run similarly to other audits that you've experienced. Companies will receive advance notification about the duration, timing and scope of the audit and will possibly be asked to gather materials in advance to make the audit process run more smoothly. The more you do to prepare the documentation requested by auditors in advance, the less time they will need to spend on-site -- that's a good thing!
Now would be a good time to dust off your HIPAA compliance plan and ensure that you have all of your i's dotted and t's crossed. The simple truth is that an organization that hasn't diligently planned, implemented and documented its HIPAA compliance strategy won't be able to "cram for the test" in order to pass an audit.
Assuming you're then satisfied that your organization is indeed HIPAA-compliant, turn your attention to organizing your HIPAA documentation in advance of an auditor's arrival. In terms of specific points of emphasis, make sure that you've documented your mandatory risk assessment and documented your compliance plan. Audits always go more smoothly when your paperwork is in order!
Related Q&A from Mike Chapple

- It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact.
- The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance.
- HIPAA regulations incorporate NIST guidelines and standards, so do healthcare organizations need to be compliant with both?