The HIPAA Audits Are Coming! | Healthcare Compliance Training
Author: Star Compliance Services LLC
Uploaded: 2015-06-06
Views: 3554
Description:
The HIPAA Audits Are Coming! Here Are 12 Things The Government Will Be Looking At And Seven Things You Need to Do Right Now…http://starcomplianceservices.com
Modified transcript: A few weeks ago, the National Law Review reported that “covered entities” under HIPAA (health providers, health plans or clearinghouses) are now receiving pre-audit screening surveys from the Department of Health and Human Services’ Office of Civil Rights (OCR). These surveys are part of the selection process for which organizations will be targeted for upcoming audits on their compliance with the HIPAA Privacy, Security and Breach Notification Standards.
Should you be concerned?
There are two good reasons why health care providers should be concerned. Back in 2011 and 2012, OCR hired KPMG, one of the world’s largest audit, tax and advisory firms, to develop an audit tool and conduct onsite audits of 115 organizations.
KPMG found:
1. 90% of the audited entities were not fully compliant.
2. Health care providers made up 65% of the total organizations audited.
3. Almost 80% of audited health care providers lacked complete or accurate risk assessments.
These audits highlighted the fact that smaller organizations struggled with complying with HIPAA, with some organizations totally unaware of some or all of the HIPAA requirements.
These new audits will differ in many aspects from the first audit. While the older audit focused on covered entities only, Phase 2 Audits will include business associates and be a combination of comprehensive onsite inspections and “desk audits,” where OCR will determine an organization’s level of HIPAA compliance based on its review of requested documents.
If you receive a letter from OCR telling you that your organization has been selected for an audit, you will have only two weeks to respond to the document request. The documents must be current and on time. Late submissions will not be considered. OCR will assess HIPAA compliance solely on the submitted documents.
What OCR will request from YOU
1. Recently completed comprehensive risk assessment.
2. Recent management action plan with a reasonable timeline for completion as well as documented remediation activities.
3. A complete inventory of business associates.
4. Documentation that supports the organization’s decision to not implement addressable HIPAA Security implementation standards.
5. An implemented breach notification policy that accurately reflects the Breach Notification Standards and requirements.
6. A compliant and revised Notice of Privacy Practices BEYOND the usual website privacy notice and that reflects the HIPAA Omnibus Final Rule changes.
7. Documentation that demonstrates reasonable and appropriate safeguards for protected health information (PHI) regardless of its form.
8. Documentation that demonstrates that workforce members have received the HIPAA training necessary or appropriate to perform their job duties.
9. An inventory of information system assets, including mobile devices (whether corporate-owned or personal) that have access to PHI.
10. Appropriate encryption technology for systems and software that transmit electronic PHI or a risk assessment that supports the organization's choice not to use encryption.
11. A facility security plan for each physical location that stores or has access to PHI, as well as a security policy that requires a physical security plan.
12. HIPAA privacy and security policies.
If OCR identifies major compliance issues, it will open an investigation which may result in settlements and financial penalties.
WHAT YOU SHOULD DO NOW!
In order to prepare for the possibility of a HIPAA audit, you must assess your organization’s HIPAA compliance posture and include the following activities as part of that assessment:
1. Review your organization’s most recently completed comprehensive risk assessment.
2. Ensure that issues identified in your organization’s most recent risk assessment and prioritized in its management action plan have been addressed and documented.
3. Maintain a complete inventory of business associates.
4. Ensure that your organization documents its decision to not implement addressable Security implementation standards.
5. Demonstrate that your organization has tested its incident response and breach notification processes.
6. Ensure that your organization has up-to-date and recently reviewed HIPAA Privacy, Security and Breach Notification policies and procedures that reflect the latest HIPAA Omnibus Final Rule changes.
7. Engage experts to ensure your organization’s compliance.
Not doing the above is playing with fire.