HIPAA Audits – Not as Bad as They Sound with the Right Healthcare IT Support Services

How to Show HIPAA Auditors Your Practice’s Good Faith Effort

Since the enactment of HIPAA in 2003, patient privacy has continued to be a priority for the federal government. To ensure compliance, the Office for Civil Rights (OCR) is performing a series of on-site and desk audits. Desk audits can be particularly tough, as auditors leave little time to assemble the requested information, develop appropriate policies, or conduct a comprehensive risk assessment. With entry-level HIPAA violations starting at $200,000, practices need to have policies in place before an audit occurs.


What Auditors Want

Like their IRS counterparts, HIPAA auditors are looking for a good faith effort to follow the law. They’ll ask to see a comprehensive risk management procedure that outlines how each potential risk is handled. In addition, they’ll assess your breach policy, including how patients and the media will be advised of a potential data breach.

Finally, auditors will ask for complete documentation of all training for HIPAA compliance. HIPAA training, in their eyes, is not a single event, but continuing education.

Best Practices to Pass an Audit

Before you are notified of an audit, perform a risk analysis. Take into account all of the factors that HIPAA auditors look for, listed below, while performing your risk analysis.

[Infographic: Healthcare IT HIPAA Compliance Importance]

Proper Documentation

Document the practice’s plans for data management, security training and notifying patients in the event of a data breach. These plans should be in writing and available for an auditor’s review.

Password Security

Keep a secure password policy. Passwords should meet security standards and must not be stored where they are easily accessible.

Proper Encryption

All Protected Health Information (PHI) must be encrypted. Scans and images must be encrypted when they are sent or received, as well.

Use SSL/TLS for Electronic Health Records

All electronically transmitted PHI or EHR data, such as test results or scans, must be protected with SSL/TLS when accessed via the internet. Since most practices access patient data from hospitals over the internet, SSL/TLS is vital.

Designate a Security Manager

Each practice should have a point person who acts as the security manager and is responsible for the encryption techniques. One or two additional staff members should also be familiar with the encryption in case the security manager is unavailable.

Use VPNs to Access Patient Data Remotely

Any staff member who accesses patient data remotely must do so over a VPN (Virtual Private Network) to ensure security outside the office environment.

Make and Practice a Disaster Recovery Plan

A disaster recovery plan must be documented and should be rehearsed at regular intervals.

The work to prepare for a HIPAA audit is necessary, not only to protect patient privacy but also to ensure that your practice is protected during an audit. Set up your procedures now to save headaches later.

Contact Bay Computing and get your practice started today with a free network assessment with one of the Bay Computing IT Implementation Specialists!
