Post By: Riyan N. Alam
The enactment of changes to the Health Insurance Portability and Accountability Act (HIPAA) in March 2013, made it prudent for covered entities and other healthcare organizations to compile a HIPAA self-audit checklist. The objective of a HIPAA audit checklist is to identify and mitigate any potential vulnerabilities and risks to the integrity of electronic protected health information (ePHI).
The changes were made in response to the growing number of ePHI breach related incidents reported to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). And yet the number of ePHI breaches keeps increasing every year. The results from the first round of HIPAA audits conducted by the OCR in 2017, were a bit concerning from a compliance standpoint. Shockingly, many healthcare organizations, particularly the small ones did not meet the necessary requirements in the areas of privacy, security, and breach notification.
Unfortunately, many healthcare firms are still not fully prepared when it comes to HIPAA audits. The OCR might come knocking on your door saying that ‘you are next’. With that in mind, a few compliance experts from the HIPAAReady’s team have compiled a HIPAA self-audit checklist for organizations to overcome the fear of audits. A HIPAA self-audit checklist helps to ensure your organization can pass an audit at any time, which includes:
Performing regular risk assessments
The ideal way to start preparing for a HIPAA audit is to perform regular risk assessments within your organization. The objective of this is to identify risks or vulnerabilities to the integrity, confidentiality, and availability of all PHI and reduce the risks to a reasonable and acceptable level. With the growing number of cyber attack-related incidents, vulnerabilities may arise at any given moment. Therefore, healthcare firms should conduct risk assessments regularly.
Reviewing your Business Associate Agreements (BAA)
Prior to an official audit, you must gather and organize all the business associate agreements executed with vendors that have access to your PHI. The auditors will want to talk about your relationship with vendors or other entities that create, maintain, receive, or transmit PHI on your behalf. Keeping proper records of these agreements and reviewing them periodically will ensure that all the necessary information is up-to-date and relevant.
Conducting HIPAA training with effective training manuals
The training that you provide to your employees must be up-to-date and relevant to current policies and practices. For instance, COVID-19 pandemic has forced people to work from home. You must provide them with appropriate materials to ensure how to protect your client’s PHI when working from home while keeping up with HIPAA’s standard at the same time. In any case, providing HIPAA training is required by the HIPAA law and auditors will want to check how well your employees understand HIPAA. That is why you must maintain documentation of HIPAA training to prove that your organization is dedicated to education and proper compliance.
Reviewing your HIPAA policies and procedures
It goes without saying that organizations must implement policies and procedures that best suit their culture and practice. However, policies and procedures might change, therefore, organizations should review their current policies and procedures and update them accordingly. Auditors will also want to check if the implemented policies were distributed and communicated to the staff members throughout the organization.
Appointing privacy and security officers
Determining the person who will be in charge of privacy and security is essential for an effective HIPAA compliance program. Appointing privacy and security officers is also required by the HIPAA law. However, it is not required to hire someone new. These roles can be played by someone who is already working in the organization and is well familiar with HIPAA regulations.
The privacy officer will be effectively responsible for overseeing the efforts that are required to meet HIPAA standards in terms of the Privacy Rule. The security officer will be responsible for overseeing the security aspects that are required as per the Security Rule, for instance, are there appropriate technical, physical, and administrative safeguards in place to protect the integrity of ePHI.
Make and maintain documentation of everything
Auditors may request as many as hundreds of documents, including facility blueprints, training logs, password policies, incident management plans, contracts, employee access to PHI, and many more. It is imperative to maintain all the business-related documents in order to pass a HIPAA audit. Proper documentation can please the auditors and it can serve as a strong proof that your organization is making proper efforts to comply with HIPAA.
Simplify your compliance efforts
Many healthcare organizations are finding that maintaining HIPAA compliance is becoming more arduous and challenging as the number of healthcare data breaches keep increasing. Having said that, many organizations are quickly adapting to modern cloud-based software to streamline their compliance efforts. Cloud-based solutions are quickly becoming the new norm and changing the way businesses operate today. Like how big companies use software to delegate tasks and break down large projects into manageable chunks, similarly, many organizations are also using software for HIPAA compliance to reduce administrative burdens.
About the Author: Riyan N. Alam is currently working as a Digital Marketing Analyst for M2SYS Technology, a cloud-biometric company. As a heath-tech enthusiast, Riyan frequently blogs in RightPatient and CloudApper.