2014 proved to be a big year in HIPAA violations and health data breaches. As a result, the U.S. Department of Health and Human Services (HHS) intends to perform random audits of health organizations that are supposedly stricter than ever before. How should my health organization prepare for such an audit? What is the HHS getting stricter about?
The biggest change in the upcoming HIPAA audits is they are increasing dramatically in scope. The audit program began in 2012 as a pilot program and was supposed to roll out to a broader array of covered entities the following year. Unfortunately for the HHS -- and fortunately for covered entities -- a series of budget cuts and operational problems delayed the broader rollout of the program. The word from HHS is that the implementation of the audit program will begin in earnest in 2015.
What should you expect if you are among those covered entities selected for a HIPAA audit? The HHS Office for Civil Rights, which is responsible for the audit program, publishes detailed audit guidance on its website. A full audit includes three elements, but items may be eliminated depending upon the nature of the audited entity. The elements of a HIPAA audit focus on protected health information (PHI) and include:
- Privacy Rule requirements around the notice of privacy practices, the right to request privacy protection, individuals' access to PHI, administrative requirements, uses and disclosures of PHI, amendment of PHI and accounting of disclosures;
- Security Rule requirements for administrative, technical and physical safeguards; and
- Breach Notification Rule requirements.
How should organizations prepare for HIPAA audits? The most important thing is to make sure compliance with each HIPAA requirement is documented. If your organization implemented a required or addressable control, what are the specific measures it has taken to comply? Where are the records related to that control that prove compliance? In cases where the organization has opted not to implement an addressable control, what is the process it followed to reach the conclusion that the control is not necessary in its environment?
A HIPAA audit is a very serious matter. The HHS OCR has a history of issuing substantial fines against covered entities that fail to comply with HIPAA. Taking the time now to prepare for an audit may save a lot of heartache down the road.