HIPAA Audits – Not as Bad as They Sound with the Right Healthcare IT Support Services
How to Show HIPAA Auditors Your Practice’s Good Faith Effort
Since the enactment of HIPAA in 2003, patient privacy has continued to be a priority for the federal government. To ensure compliance, the Office for Civil Rights (OCR) is performing a series of on-site and desk audits. Desk audits can be particularly tough, as auditors leave little time to assemble the requested information, develop appropriate policies, or conduct a comprehensive risk assessment. With entry-level HIPAA violations starting at $200,000, practices need to have policies in place before an audit occurs.
What Auditors Want
Like their IRS counterparts, HIPAA auditors are looking for a good faith effort to follow the law. They’ll ask to see a comprehensive risk management procedure that outlines how each potential risk is handled. In addition, they’ll assess your breach policy, including how patients and the media will be advised of a potential data breach.
Finally, auditors will ask for complete documentation of all training for HIPAA compliance. HIPAA training, in their eyes, is not a single event, but continuing education.
Best Practices to Pass an Audit
Before you are notified of an audit, perform a risk analysis. Take into account all of the factors HIPAA auditors look for, listed below, while performing your risk analysis.
Document the practice’s plans for data management, security training and notifying patients in the event of a data breach. These plans should be in writing and available for an auditor’s review.
Maintain a secure password policy. Passwords should meet current security standards and must not be stored where they are easily accessible.
All Protected Health Information (PHI) must be encrypted, both where it is stored and when scans and images are sent or received.
Use SSL for Electronic Health Records
All electronically transmitted PHI or EHR data, such as test results or scans, must be protected with SSL (in practice today, its successor TLS) when accessed via the internet. Since most practices access patient data held at hospitals this way, SSL is vital.
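The two things that make "use SSL" meaningful in practice are refusing to send PHI over plain HTTP at all and actually verifying the server's certificate. The following is an added example written for this page (not code from the article or any EHR vendor) showing a client that enforces both; the hostname `ehr.example.invalid` is a placeholder, and the `roots` parameter lets a practice pin the hospital's CA rather than trusting every root on the machine.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// EHREndpoint parses an EHR/PHI URL and refuses anything that would carry
// patient data in the clear.
func EHREndpoint(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("refusing %q: PHI must travel over https, got scheme %q", raw, u.Scheme)
	}
	if u.Host == "" {
		return nil, errors.New("missing host in EHR URL")
	}
	return u, nil
}

// NewEHRClient builds an HTTP client that only speaks TLS 1.2 or newer and
// verifies the server certificate against roots (nil means the system trust store).
func NewEHRClient(roots *x509.CertPool) *http.Client {
	tlsCfg := &tls.Config{
		MinVersion: tls.VersionTLS12,
		RootCAs:    roots,
		// InsecureSkipVerify is deliberately left false: an unverified
		// certificate gives no assurance about who is receiving the PHI.
	}
	return &http.Client{
		Transport: &http.Transport{TLSClientConfig: tlsCfg},
		Timeout:   15 * time.Second,
	}
}

// FetchRecord retrieves an EHR resource with the hardened client and returns
// the HTTP status. A plain-http URL or a failed certificate check surfaces as an error.
func FetchRecord(client *http.Client, raw string) (int, error) {
	u, err := EHREndpoint(raw)
	if err != nil {
		return 0, err
	}
	resp, err := client.Get(u.String())
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	client := NewEHRClient(nil)
	// Placeholder hostname; neither URL points at a real system.
	for _, raw := range []string{
		"http://ehr.example.invalid/patient/1",
		"https://ehr.example.invalid/patient/1",
	} {
		status, err := FetchRecord(client, raw)
		fmt.Printf("%s -> status %d, err %v\n", raw, status, err)
	}
}
```

The first URL is rejected before any packet leaves the machine; the second would only succeed if the server presents a certificate that chains to a trusted root, which is exactly the property an auditor wants to see documented.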
Designate a Security Manager
Each practice should have a point person who acts as the security manager and is responsible for the practice's encryption arrangements. One or two additional staff members should also be familiar with the encryption in case the security manager is unavailable.
Use VPNs to Access Patient Data Remotely
Any staff member who accesses patient data remotely must do so over a VPN (Virtual Private Network) to ensure security outside the office environment.
Make and Practice a Disaster Recovery Plan
A disaster recovery plan must be documented and should be practiced at regular intervals.