Are you wondering how to prepare for a HIPAA audit? Discover how the make it through with flying colors.
Q: How should I prepare in case my family practice is ever audited for Health Insurance Portability and Accountability Act (HIPAA) compliance? What do the auditors generally look for?
A: To answer that question, it helps to understand that audits are conducted under the HIPAA security rule. The rule is designed to mandate risk management for electronic protected health information (ePHI). Organizations and businesses subject to HIPAA audits include:
As a physician, you are responsible for safeguarding the confidentiality, integrity, and availability of ePHI. You must protect against reasonably anticipated threats to the security or reliability of ePHI, including unauthorized uses or disclosures.
In addition, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 establishes breach notification requirements, new penalty levels, compliance requirements for business associates, and enforcement authority for state attorneys general. It also mandates performance of privacy and security audits.
Information security auditors want to know whether you’ve identified the appropriate risks in your organization and have a plan for responding to specific incidents of breaches of privacy. The National Institute of Standards and Technology, the International Organization for Standardization’s “270002 policy” or the Health Information Trust Alliance’s common security framework are all good guidelines on which to base your standards.
The procedures and policies must be up-to-date and relevant to your business. Individual employees should be assigned specific security responsibilities and be ready to communicate these procedures and policies and demonstrate compliance with them when responding to security incidents. You must maintain documentation of how the incident was evaluated and addressed.
Be prepared to explain why you’re not following HIPAA guidelines that are “addressable,” such as encrypting data at rest (a technical way of saying that if protected information is taken off of your premises, it cannot be read without a key).
It’s important to demonstrate that every employee, as well as independent physicians with admitting privileges, volunteers, consultants, contractors, and anyone else with access to PHI or ePHI have received HIPAA compliance training,
Risks of non-compliance include:
How should you prepare? Start by determining which areas of your practice business are affected by HIPAA and PHI. Map ePHI movement within your organization, as well as activities to and from third parties. Know where your PHI is stored. Conduct a vigorous security review and assessment. Use outside professionals if you’re unsure of how to accomplish these tasks.
Compliance guidance also is available from professional organizations and the federal government. (See “Resources for HIPAA compliance.”) By taking advantage of the information on their Web sites and the knowledge of their experts, you can improve your chances of coming through a HIPAA audit unscathed.
Resources for HIPAA compliance
The author is principal consultant and chief executive officer of Sorensen Informatics in Lombard, Illinois. Please send your technology-related questions to firstname.lastname@example.org. Also engage at www.twitter.com/MedEconomics andwww.facebook.com/MedicalEconomics.