Taking steps to get ready for a HIPAA audit

Q: How should I prepare in case my family practice is ever audited for Health Insurance Portability and Accountability Act (HIPAA) compliance? What do the auditors generally look for? 

A: To answer that question, it helps to understand that audits are conducted under the HIPAA security rule. The rule is designed to mandate risk management for electronic protected health information (ePHI). Organizations and businesses subject to HIPAA audits include:

• any provider of medical or other health services;

• suppliers who transmit health information in electronic form where the U.S. Department of Health and Human Services has established a transaction standard;

• any individual or group plan that provides or pays the cost of medical care, such as health insurance companies and Medicare and Medicaid programs;

• public or private entities that transmit another’s healthcare transactions from one format to another; and any nongovernmental entity that offers discount drug programs under the Medicare Modernization Act.

As a physician, you are responsible for safeguarding the confidentiality, integrity, and availability of ePHI. You must protect against reasonably anticipated threats to the security or reliability of ePHI, including unauthorized uses or disclosures.

In addition, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 establishes breach notification requirements, new penalty levels, compliance requirements for business associates, and enforcement authority for state attorneys general. It also mandates performance of privacy and security audits. 

Information security auditors want to know whether you’ve identified the appropriate risks in your organization and have a plan for responding to specific incidents of breaches of privacy.  The National Institute of Standards and Technology, the International Organization for Standardization’s “270002 policy” or the Health Information Trust Alliance’s common security framework are all good guidelines on which to base your standards.

The procedures and policies must be up-to-date and relevant to your business. Individual employees should be assigned specific security responsibilities and be ready to communicate these procedures and policies and demonstrate compliance with them when responding to security incidents. You must maintain documentation of how the incident was evaluated and addressed.

Be prepared to explain why you’re not following HIPAA guidelines that are “addressable,” such as encrypting data at rest (a technical way of saying that if protected information is taken off of your premises, it cannot be read without a key).

It’s important to demonstrate that every employee, as well as independent physicians with admitting privileges, volunteers, consultants, contractors, and anyone else with access to PHI or ePHI have received HIPAA compliance training,

Risks of non-compliance include:

• loss of contracts,

• criminal and civil investigations,

• federal penalties and state fines,

• reputational risk,

• legal fees,

• cost of notification, and

• loss of business as a result of any of the above.

How should you prepare? Start by determining which areas of your practice business are affected by HIPAA and PHI. Map ePHI movement within your organization, as well as activities to and from third parties. Know where your PHI is stored. Conduct a vigorous security review and assessment. Use outside professionals if you’re unsure of how to accomplish these tasks.

Compliance guidance also is available from professional organizations and the federal government. (See “Resources for HIPAA compliance.”) By taking advantage of the information on their Web sites and the knowledge of their experts, you can improve your chances of coming through a HIPAA audit unscathed.     

Resources for HIPAA compliance

• www.hhs.gov/ocr/office

• www.nist.gov

• www.27000.org/iso-27002.htm

• www.hitrustalliance.net/commonsecurityframework

• www.sans.org/security-resources

• www.himss.org

• www.ahima.org

The author is principal consultant and chief executive officer of Sorensen Informatics in Lombard, Illinois. Please send your technology-related questions to medec@advanstar.com. Also engage at www.twitter.com/MedEconomics andwww.facebook.com/MedicalEconomics.