How healthcare organizations should prepare for a HIPAA audit

How healthcare organizations should prepare for a HIPAA audit

This post, How healthcare organizations should prepare for a HIPAA audit, first appeared on www.healthdatamanagement.com.


The time to prepare for a HIPAA audit is before the notification letter of a forthcoming audit hits a provider organization’s mailbox.

Absent preparation, an entity facing an audit will have to scramble to develop policies and procedures for protecting health information, and performing that through a rush job will look exactly like a rush job to regulators, who are not easily fooled.

It is much easier to expect that your organization will be audited and to have a plan in place, says Deborah Gersh, a partner and co-chair in the healthcare practice at the Ropes & Gray law firm in Chicago. “The key is to be prepared when you get that letter.”

Developing a new philosophy on dealing with breaches also will be beneficial if a breach does occur. If a laptop is stolen, don’t let people fall into the trap of thinking, “it wasn’t our fault,” Gersh counsels.

In cases in which devices are stolen, the HHS Office for Civil Rights expects healthcare organizations to file a police report; determine if the data on the device was encrypted and, if not, what data was compromised; mitigate the breach and protect affected individuals; and develop and implement an updated data protection plan.

Protection plans are not just about policies and procedures, but about employees understanding what specific roles they will play if a breach occurs, Gersh says.

Obviously, the chief information officer, chief information security officer and privacy officer know their overall job responsibilities, but they may not know what specific roles they must fulfill in the event of a breach. Gersh says they should be prepared to step into specific responsibilities and know the answers to the following questions:

  • Who contacts the police?
  • Who files a report?
  • Who shuts down the systems, and in what order?
  • Who determines which data was compromised?
  • Who compiles the data to determine who gets notified about the breach?

If hackers infiltrate data networks, healthcare organizations should have an existing plan for the specific type of breach, just as there should be for a stolen laptop or any other common type of breach, she adds.

This updated, well-documented plan will be an organization’s “lifeline of evidence” to present to OCR or the state if the organization experiences another incident in the future, according to Gersh. “Everyone on the team needs to know what the full game plan is.”

That plan should include increased breach and security awareness, through which everyone in the organization is constantly aware of suspicious behavior, and knowing who the privacy and security officers are when they want to report something.

Importantly, don’t think you’ll have 60 days to deal with a breach before reporting it, Gersh warns. That’s the federal timeline, but many states have shorter timelines, with some giving healthcare organizations only 10 days to make a report.

What most gets organizations in trouble during a HIPAA audit is lack of documentation, which negates efforts to demonstrate that they have a coherent plan in place.

Organizations sometimes are doing the right things, such as training all employees with access to protected health information, but they don’t have any documentation of the training and materials to show regulators. And often, they don’t have documentation of any certifications of privacy and security expertise, even if work on certifications were completed.

There also may not be documentation on the organization’s business associates and their responsibilities if a breach occurs. If a business associate has a breach and it is their fault, there should be documentation that that business associate will be responsible to pay for remediation, Gersh adds.

But the worst thing an organization can do is to not have a comprehensive risk analysis, because lacking an analysis is what gets an entity sanctioned by regulators. A comprehensive analysis can be overwhelming, but outside consultants can provide assistance.

The bottom line is to view all of the requirements, which are time-consuming and expensive, as essential activities because breaches will happen, and having meaningful policies and documentations in place will considerably ease an organization’s risk during an audit, Gersh says. “You’re going to do it one way or another.”


This post, How healthcare organizations should prepare for a HIPAA audit, first appeared on www.healthdatamanagement.com.

(Visited 4 times, 1 visits today)