Preparing for a successful HIPAA audit

In Practice

Faiza Wasif, MPH, is the AAD's practice management manager. Her column offers tips on an area she commonly receives questions about from members. 

By Faiza Wasif, MPH, April 1, 2019

Typically, when the word ‘audit’ comes up, it brings feelings of anxiety and fear. However, it does not have to be that way, and audits don’t always have to result in a negative outcome. If you have an effective compliance plan in place, you can not only avoid damaging consequences but can also use the outcome of the audit to make improvements to your compliance practices. Use the strategies below to ensure you have a successful HIPAA audit.

Be aware of current regulations and protocols.

Be sure you know all the current regulations and requirements. Knowing what the requirements are will help you prepare for what will be examined during an audit. 

Have a compliance plan.

Set up a sound compliance program that includes policies and procedures that are clearly written and understood by all practice staff including “real-life” examples based on current practice performance and past experiences. Assign a compliance project leader who is responsible for ensuring the implementation and ongoing maintenance of this program. Check out the Academy’s HIPAA Manual for help in setting up a compliance plan.

Measure effectiveness.

Have a compliance plan that has measurable goals and benchmarks. For example, set a policy on how often passwords for logins need to change, and make sure your staff abide by the policy. It’s imperative that you involve the practice team in creating these goals and assessing them on a regular basis. Investigate goals that are not being met and determine ways to improve them for the future.

Document. Document. Document.

The cornerstone of any audit is documentation. The better documentation you have, the greater the likelihood of avoiding common audit pitfalls. This is not just patient documentation but also documentation of all the details of your compliance program and staff meetings. Use the Academy’s HIPAA manual templates to document effectively and make sure your documentation is centralized somewhere in your office.

Train regularly.

Make compliance training a job requirement for all clinical and non-clinical staff, as HIPAA requires this of all medical practices. But don’t stop there. Regularly review and update training programs, and periodically test employees’ knowledge and understanding. This can be achieved by ensuring all staff are up to date on their annual HIPAA certification.

HIPAA-covered entities

Use the flowchart below to determine if you are a HIPAA-covered health care entity.

[Flowchart: determining whether your practice is a HIPAA-covered health care entity]

Conduct a risk analysis and management plan.

Part of your compliance plan should include a risk analysis and management plan. Identify the risks and determine how to mitigate them. Where appropriate, do all you can to eliminate the risk altogether. Completing the required security risk analysis is an easy way of accomplishing this. Check out the mobile compliance checklist too!

Maintain and review business associate agreements.

HIPAA requires written agreements between a practice and its business associates (vendors with access to protected health information such as electronic health record companies, billing companies, etc.). Make sure you have an agreement on file for all covered entities. 

Keep open lines of communication.

Have an easy and confidential method for anyone in the practice to report concerns or violations, and with it enforce a non-retaliation policy. Remember: You are required to report breaches to the U.S. Department of Health and Human Services.

A covered entity’s breach notification obligations differ based on whether the breach affects 500 or more individuals, or fewer than 500 individuals.

  • If a breach of unsecured protected health information affects 500 or more individuals, you must notify the Secretary of the breach without unreasonable delay, and in no case later than 60 calendar days from the discovery of the breach.

  • If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. You do not have to wait until the end of the calendar year; you should try to report it as close to the time of the breach as possible. You may report all the breaches on one date, but you must complete a separate notice for each breach incident.

  • Submit the notifications electronically at https://ocrportal.hhs.gov/ocr/breach/wizard_breach.jsf?faces-redirect=true.

If the number of individuals affected by a breach is uncertain at the time of submission, you should provide an estimate, and if you discover additional information, submit updates via the same electronic notification process.

Conduct an internal audit.

This is the best way to catch your errors before the auditors catch them for you. Perform proactive reviews to identify risk areas and create a corrective action plan. Some practices even utilize their malpractice carrier to help with this audit and purchase cybersecurity risk insurance to protect themselves from future HIPAA audit penalties.

Being proactive and arming yourself with the right information can help make your next audit less problematic! 
