HIPAA Compliance Audit Checklist – 8 Guidelines


Do you have a HIPAA compliance audit checklist? Is it current? Is your organization prepared for an audit by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR)? If you are subject to the Health Insurance Portability and Accountability Act (HIPAA), the OCR may select your organization for a compliance audit. To be ready, you need to know that your HIPAA compliance audit checklist is in order.


Why would the OCR audit your organization?

The OCR does conduct periodic audits of randomly selected covered entities and business associates, but these are uncommon.

Far more likely is an investigation triggered by a complaint or by your own disclosure of a breach.

Whatever the reason for the audit, your goal is to demonstrate your HIPAA compliance efforts with thorough documentation and evidence.


What to include in your HIPAA compliance audit checklist.

There are many facets to a self-audit. Although this isn’t a complete list of everything you need to do, following these eight guidelines will get you started in the right direction.

  1. Are you conducting regular risk analyses? The first step toward compliance is a regular risk analysis: identify where ePHI is created, stored, and transmitted, what threatens it, and which safeguards are in place. Knowing your vulnerabilities lets you fix them before they turn into breaches.
  2. What are your policies and procedures, and can you describe how you implement them? Your policies and procedures will be unique to your organization and its culture. Auditors will want records showing that the policies are actually implemented and have been communicated to your staff.
  3. Do you have up-to-date training programs and manuals for employees? When your practices change, your training manuals must change with them. For example, the pandemic created an increase in remote work, so your staff should be fully trained on how to keep ePHI secure when working from home.
  4. Do you have Business Associate Agreements (BAAs) with every vendor that creates, receives, maintains, or transmits PHI on your behalf? Periodically review your agreements to be sure they are current and still cover the services the vendor provides.
  5. Are you keeping well-organized documentation? Document everything. Thorough records are your evidence of a sustained effort to maintain HIPAA compliance.
  6. Are you keeping track of ePHI? You are most likely aware of the ePHI in your main databases and applications, but are you aware of every spreadsheet, exported report, file transfer, or mobile device that may contain patient data? Data discovery tools can scan your file shares and endpoints to locate ePHI that has drifted outside the systems designed to protect it.
  7. Are you prepared to respond to a breach? Have your breach response and disclosure plan in place before you need it. Hopefully you never will, but if you do, you will be able to notify the right parties with the required information within the timeframe HIPAA sets.
  8. How are you monitoring mobile devices? With new technologies and the need for remote work during the pandemic, more organizations are using mobile devices outside the clinic. Is the data on those devices encrypted? Have you trained your staff to protect them against loss, theft, and unauthorized access?
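Item 6 above calls for locating ePHI that has leaked into spreadsheets and shared folders. The following script, added here as an illustration and not part of the original checklist or any product, is a minimal version of that discovery scan: it walks a directory tree, inspects plain-text files for identifier patterns, and reports which files hold probable patient data. The patterns (an SSN shape, a labelled date of birth, and a hypothetical "MRN" followed by six to ten digits) are assumptions to be tuned to your own record formats, and the sample files it builds are constructed data, not real records.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns for identifiers that commonly travel with patient data.
# They are a starting point, not a definition of PHI: tune them to the record
# formats your own systems actually emit. The MRN shape below is an assumption.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "mrn": re.compile(r"\bMRN\s*[:#]?\s*\d{6,10}\b", re.I),
}

# Only plain-text formats are inspected here. Office documents, PDFs and
# archives need their own extractors; they are reported as skipped so the
# gap is visible rather than silently ignored.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".json", ".md"}


def scan_text(text):
    """Return (kind, line_number) for every heuristic match in a text blob.
    The matched value itself is deliberately not returned: a scan report that
    quotes SSNs would itself be ePHI that needs protecting."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for _ in pattern.finditer(line):
                hits.append((kind, lineno))
    return hits


def scan_tree(root):
    """Walk a directory and record, per file, whether it was scanned or
    skipped and which matches were found."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() not in TEXT_SUFFIXES:
            findings.append({"path": rel, "status": "skipped", "hits": []})
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.append({"path": rel, "status": "scanned", "hits": scan_text(text)})
    return findings


def summarize(findings):
    """Map each file with at least one match to its match count per kind."""
    summary = {}
    for f in findings:
        if f["hits"]:
            counts = {}
            for kind, _ in f["hits"]:
                counts[kind] = counts.get(kind, 0) + 1
            summary[f["path"]] = counts
    return summary


def build_sample_tree(root):
    """Constructed sample data for a stand-alone run. Every name and value
    here is made up; none of it is a real patient record."""
    root = Path(root)
    for sub in ("exports", "staff", "archive"):
        (root / sub).mkdir(parents=True, exist_ok=True)
    (root / "exports" / "billing_export.csv").write_text(
        "patient_id,name,ssn\n1001,Jane Doe,123-45-6789\n", encoding="utf-8")
    (root / "staff" / "handover_notes.txt").write_text(
        "Call back MRN 00482193, DOB: 07/02/1961, labs pending\n", encoding="utf-8")
    # An archive is skipped even though it contains an SSN-shaped string.
    (root / "archive" / "old_backup.zip").write_bytes(b"PK\x03\x04 123-45-6789")
    (root / "README.md").write_text("Shared drive for clinic scheduling.\n", encoding="utf-8")


def run_sample_scan():
    """Build the constructed tree in a temp dir, scan it, return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, summary = run_sample_scan()
    for f in findings:
        print(f"{f['status']:8} {f['path']}")
    for path, counts in summary.items():
        print(f"probable ePHI in {path}: {counts}")
```

Two design choices matter more than the regexes. The report records file paths and match counts but never the matched values, because a discovery report that quotes identifiers becomes another copy of ePHI to secure. And files the scanner cannot read are listed as skipped rather than dropped, so the inventory shows where coverage is missing; a real deployment would add extractors for spreadsheets, PDFs, and archives and run the scan on a schedule against file shares and endpoint backups.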


How can a HIPAA compliance audit checklist prepare you for a government audit?

When selected for an audit, you can expect to receive an email notification from the OCR. You must follow their instructions and respond within the timeframe they give you with proper documentation and data. Your audit will be either a desk audit or onsite.

One of the best defenses in case of a government audit is to complete your own audits before anyone else asks for them. A self-audit can be performed internally or with the help of a third-party consultant. Working through your own HIPAA compliance audit checklist regularly keeps your organization ready to pass an audit at any time.


Other benefits of a self-audit.

Aside from being primed if the OCR comes to call, there are some other reasons why you should regularly perform audits, either internally or with the help of a third party.

Avoid breaches. A HIPAA self-assessment measures how you are performing against each HIPAA requirement. By examining each regulatory area in turn, you can identify weaknesses and correct them before they become violations.

Identify breaches when and if they do happen. If, despite your best efforts, you have a breach of patient data, performing a self-audit can help you catch the problem and resolve it quickly.

Best practices. A thorough HIPAA compliance audit checklist will help your organization meet all three HIPAA rules. It keeps you current with compliance best practices, meaning fewer breaches, fewer violations, and fewer complaints that could trigger an OCR audit.


What are the three components of HIPAA compliance?

The OCR requires that covered entities and business associates meet the requirements of the following rules:

  1. Privacy Rule. The HIPAA Privacy Rule sets the standards for how protected health information (PHI) may be used and shared. It also gives patients the right to access and obtain copies of their own records and to control many uses and disclosures of their health information.
  2. Security Rule. The Security Rule addresses electronic PHI (ePHI). It requires organizations to put administrative, physical, and technical safeguards in place to guard against unauthorized access to patient data.
  3. Breach Notification Rule. The Breach Notification Rule governs how an organization notifies the affected individuals, HHS, and, for large breaches, the media after a breach of unsecured PHI.


Be thorough in your assessments.

The OCR expects organizations to self-assess their procedures and evaluate their risk objectively. HIPAA compliance is not a one-and-done operation but an ongoing effort.

Nobody likes being caught off guard. Whether you choose to do it yourself or get help from an outside firm, assessing your risk with regular and comprehensive self-audits is critical to having a HIPAA-compliant organization and reducing your chance of an audit from the OCR. But if you do get that notification email, you will be ready with your HIPAA compliance audit checklist.
