Later this year, the Department of Health and Human Services is expected to begin its permanent HIPAA Audit Program. One of the most important things that you can do to prepare for a HIPAA Audit is to review the effectiveness of your current HIPAA compliance program. Consider the following list of activities to help you get started:
• Review HIPAA policies and procedures – All covered entities should have formal policies and procedures in place to ensure compliance with new HIPAA privacy, security and breach notification requirements. Policies and procedures should be clearly communicated to your staff. Plan documents should be reviewed regularly and necessary changes made to your policies or current business practices.
• Assign a Compliance Officer – The Compliance Officer will be responsible for the development and implementation of the organization’s HIPAA privacy compliance efforts. Does your Compliance Officer have any concerns with current practices? Are they prepared for a HIPAA Audit?
• Review Notice of Privacy Practices – Notices should be updated to include the 2013 final omnibus rule and displayed in a prominent location. Records should be kept if notices have been distributed by mail or electronically.
• Evaluate HIPAA Training – Your entire staff should be HIPAA trained. Training should be an ongoing activity, not just at the time of hire. Records should be kept of all training.
• Conduct a risk analysis – Regulations and standards are being updated and technology is ever-changing. Since new vulnerabilities and threats change the risk environment, it’s recommended that a risk analysis be conducted annually. Any issues discovered and improvements made should be documented to demonstrate the high level of commitment on securing protected health information.
In short, covered entities and business associates should spend time to create an effective compliance program with regular evaluation. Regularly reviewing HIPAA compliance efforts will allow you to consider whether opportunities exist to reduce risks prior to an audit. If you need assistance in conducting a risk analysis of your practice, please contact Precision Practice Management. We can help!