Without a doubt, passing the HIPAA audits is a great reason for an entire organization to celebrate. Due to the importance of ensuring the privacy and security of patients, HIPAA audits are incredibly stringent and demanding of healthcare institutions. Unfortunately, if your organization has successfully survived the first round of HIPAA audits, your organization is by no means off the hook yet.
Recently, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services announced that it has launched the second phase of the HIPAA audits. This wave of HIPAA audits is expected to be more comprehensive and far-reaching than the last. If you’re worried about the next wave of HIPAA audits coming your way, here are a few preparation tips that will help you ensure that your organization is ready to pass these evaluations with flying colors.
Review Your HIPAA Policies and Procedures
Chances are you need to make some major changes to your HIPAA policies and procedures if the last time you reviewed and evaluated them was in preparation for the first stage of audits. If you don’t have clear HIPAA policies in the first place, you should take care of this issue now or expect to pay fines to the OCR. It has been shown time and time again that the OCR has a zero-tolerance policy for organizations that fail to meet this basic requirement.
Review and evaluate your HIPAA policies to ensure that they take into account the use of mobile devices like laptops, tablets, and smartphones. Your policies should also cover the removal of PHI (protected health information) from your physical premises. If PHI is transferred between mobile devices within your organization, encryption should be a mandatory policy for your organization.
Review Your Business Associate Agreements
According to the OCR, it is a huge no-no to disclose protected health information without a business associate agreement already in place. Therefore, you should review all your business associate agreements to ensure that you’re not disclosing PHI to business associates without an established agreement. Also, just because you have all the necessary business associate agreements doesn’t mean you’re completely off the hook. Agreements signed prior to January 2013 should be reviewed to ensure that they comply with the new and revised rules. Agreements that don’t comply should be updated as soon as possible.
Perform a Risk Assessment
During the first phase of HIPAA audits, the OCR discovered that more than 66% of audited organizations failed to meet their risk assessment requirement. Since the majority of organizations failed to have an accurate and complete risk assessment, the OCR was less stringent when it came to this requirement. However, in the second wave of evaluations, the OCR reports that it intends to scrutinize adherence to this requirement. The OCR recommends that organizations should conduct a risk assessment on an annual basis to ensure accuracy. All risk assessments need to be documented and these documents must be kept for at least six years.
Create an Audit Team
It is one thing to prepare for your HIPAA audit, but it is quite another to know exactly how you will respond to it. To ensure your organization is ready and equipped to meet the sudden demands of a HIPAA audit, you should create an audit team to handle audit requests. This team will be responsible for monitoring for HIPAA audit requests and ensuring quick access to the required documents.
As you can see, there are quite a few things you can do to ensure that you are ready for the next round of HIPAA audits. Fortunately, if your organization was able to pass the last round of HIPAA audits, you can certainly pass this one with flying colors if you put in the thought and effort. For more information about HIPAA audit preparation, contact Apex by calling us at (800) 310-2739 or emailing us at firstname.lastname@example.org.