The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that was primarily enacted in 1996 to ensure healthcare workers receive insurance coverage when they switch or leave a job. HIPAA is now more popularly known as the law that aims to protect the privacy and security of patients’ private healthcare data.
As part of its health information privacy and security compliance program, the Office for Civil Rights (OCR) of HHS is required under the HITECH Act to conduct periodic audits to ensure hospitals are adhering to the rules and regulations set forth by HIPAA. Over the past few years, numerous hospitals have been fined for non-compliance. Not only are there hefty penalties in place, but fines for non-compliance have been increased to strengthen enforcement.
Today, every covered entity, hospitals included, is a potential audit candidate. Because many people have asked the common questions “Is there a checklist to prepare for an audit?” and “Where and how should I start preparing for an audit?”, this article briefly discusses a few steps that hospitals can follow to achieve success with a HIPAA audit.
Getting familiar with the audit protocols
Hospitals need to be familiar with the audit protocol, which is essentially a guideline of what documentation OCR will want during an audit. Today, the standard amount of time given to hospitals to prepare documents for an audit is 15 days. Generally, during an audit, officials will analyze controls, processes, and policies of hospitals in accordance with the HITECH Act. The OCR’s standard audit protocol requirement has 168 performance criteria – 78 for security, 81 for privacy, and 10 for breach – all of which are essential to ensure compliance with HIPAA.
Documentation is arguably the most important aspect of HIPAA compliance and is essential for proving your compliance efforts. Very recently, a health information exchange (HIE) company was audited, and the OCR reportedly requested and collected a total of 127 documents. According to the company, the OCR collected documents covering all of its policies and procedures, lists, diagrams, and workflows, including work desk procedures, training logs, password policies, contracts, and many more. One challenge that most hospitals face is that paper-based systems are prone to damage, have a higher maintenance cost, limit communication and collaboration, and have many other security issues. To overcome these problems, hospitals can use HIPAA compliance software tools that not only streamline these processes but also maintain all documentation in one place.
Conduct internal audits
Performing mock audits yourself can help you uncover areas that could be improved and where compliance is weak. Hospitals should not only conduct audits when they know they are about to be audited. Performing mini audits at regular intervals helps hospitals keep on top of the various rules and regulations, and because the OCR can choose to show up at your doorstep at random, it is always best to stay prepared. Here are a few areas that hospitals should carefully assess and where significant weaknesses are usually found:
- User activity monitoring
- Contingency planning
- Authentication and integrity
- Media reuse and destruction
- Risk assessment
Thorough risk analysis
Risk analysis is an essential component of HIPAA compliance and deserves a great deal of attention because it is one of the most challenging areas for hospitals to accomplish. A thorough risk analysis involves identifying and documenting potential threats and vulnerabilities, determining the likelihood and the consequences of a threat occurring, collecting data to understand the flow of patient health information across the hospital, and assessing the security measures currently in place.
Changing the mindset
Ticking off a checklist as completed is easy, but when a hospital’s goal is simply to be compliant, it may overlook stronger security measures. There is a huge difference between compliance and security. Security is the mechanism that ensures privacy, and when hospitals concentrate solely on compliance with HIPAA, their assessment may be narrow and miss important security elements. Hospitals should focus on the spirit of the audits, i.e., the privacy and security of patient information, and should go through the audit protocol with this broader picture in mind.
Understanding the elements that apply to your practice
The implementation specifications outlined in the HIPAA Security Rule can be confusing because every element is categorized as either “required” or “addressable”. The term “required” is self-explanatory, but “addressable” does not mean optional. Hospitals should carefully assess their practice and understand which addressable components apply to it. If a hospital does not implement an addressable component, it should explain and fully document why it chose not to implement it, implemented a partial solution, or used a different method.
Discuss the process with other organizations
If you are confused or unsure about a process, discuss it with other hospitals and health systems and reach out to the OCR as well. There is no shame in asking others for help, and collaboration and communication benefit everyone. Sharing information about how hospitals approached compliance and solved security problems can establish industry best practices. If you still haven’t started preparing for a HIPAA audit, go through this article and start preparing now. The key to passing a HIPAA audit is to prepare ahead of time.