A random audit program to gauge HIPAA compliance is expected to commence in early 2015. This round will include both on-site and off-site reviews. Your New Year will be happier if you start getting audit-ready now. We have provided you with tips below to make the process easier.
Off-site audits focus on documentation reviews. These audits typically focus on one of the three main HIPAA provisions – breach notification, security, or data privacy protocols. Documentation created after you receive the audit request will not help you, so review your policies and procedural documents now to ensure they are current and comprehensive.
Your documentation should cover the scope of your HIPAA compliance program and demonstrate how you have updated your policies and practices in response to the HIPAA Omnibus Rule, which took effect in 2013.
On-site audits tend to involve a more in-depth investigation. Federal investigators will review documentation here too, but may also ask staff about how policies are actually implemented on a day-to-day basis. It’s not enough to be perfectly compliant on paper; you will have to demonstrate consistent implementation. Do make sure that everyone on staff understands and implements your data privacy and protection policies. On-site audits are expected to be conducted throughout 2015 and into 2016.
What to Expect Off and On-Site
The Round 2 audits will likely focus on the maturity of HIPAA compliance. Auditors will likely look at how a covered entity has remediated issues that surfaced in previous security risk analyses, as well as how it responded to the HIPAA Omnibus Rule.
Areas that are likely to get special attention are an entity’s access management and security breach management processes, its audit controls, and its processes for securing data in transit, data retention, and data destruction.
Obviously, you don’t want to focus your compliance efforts solely on what auditors are expected to look at – your audit team may surprise you. You may want to bring in a third-party vendor who can conduct a compliance gap analysis, review your processes, and give you an impartial view of your compliance profile.
New for 2015 – Business Associates
Round 2 is also expected to include, for the first time, checks on “business associates,” any entity or person that creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. Ensure that you have a list of your business associates, and documentation of each business associate’s compliance with HIPAA regulations.
About 300-400 business associates will be subject to audits this year. Investigators will likely be gauging their risk analysis and risk management programs, as well as their breach reporting processes.