How to Show HIPAA Auditors Your Practice’s Good Faith Effort
Since the enactment of HIPAA in 2003, patient privacy has continued to be a priority for the federal government. To ensure compliance, the Office for Civil Rights (OCR) is performing a series of on-site and desk audits. Desk audits can be particularly tough, as auditors leave little time to respond to requests for audit information, develop appropriate policies, or conduct a comprehensive risk assessment. With entry-level HIPAA violations starting at $200,000, practices need to have policies in place before an audit occurs.
What Auditors Want
Like their IRS counterparts, HIPAA auditors are looking for a good faith effort to follow the law. They’ll ask to see a comprehensive risk management procedure that outlines how each potential risk is handled. In addition, they’ll assess your breach policy, including how patients and the media will be advised of a potential data breach.
Finally, auditors will ask for complete documentation of all training for HIPAA compliance. HIPAA training, in their eyes, is not a single event, but continuing education.