4 Essential Steps to a Successful HIPAA Audit. by Roman Diaz, Touchstone Compliance President. Assessment & solutions for meeting HIPAA standards

Transcription

1 4 Essential Steps to a Successful HIPAA Audit by Roman Diaz, Touchstone Compliance President Assessment & solutions for meeting HIPAA standards

2 Introduction There are certain steps a practice can take that will provide a solid starting point on the path to compliance Some nights I can t sleep, worrying about HIPAA, Dr. K. confessed. I m sure I haven t done everything I m supposed to do. But when it comes to getting a handle on exactly what that is, well, it s pretty overwhelming. Dr. K. is a successful professional who s been in private practice for 11 years. She enjoys her work, cares about her patients, and keeps up with the latest advances in her field. But concerns about HIPAA compliance have her waking up in a cold sweat, haunted by the thought of potential fines and possible lawsuits. She wants to do right by her patients when it comes to safeguarding their personal health information. She just isn t sure how. And she isn t alone. Complying with HIPAA, the law that provides national standards to protect the privacy of personal health information (PHI), has been a challenge since 1996 for hundreds of thousands of independent healthcare providers. And the most recent updates to HIPAA, known as the Omnibus Rule, haven t made it any easier. HIPAA compliance is a complex process, one that requires a serious commitment of time and effort. It s not fun. It s not sexy. And there are no quick fixes. That said, there are certain steps a practice can take that will provide a solid starting point on the path to compliance, help protect the practice from litigation, and make those nightmares of being chased by hordes of HIPAA auditors far less likely.

3 4 Major Must-Do s The HIPAA auditor from Health and Human Services will want to see documented proof that a practice is doing its best to comply. The HIPAA auditor from Health and Human Services will want to see documented proof that a practice is doing its best to comply. Providing an auditor with evidence that the following four things have been done increases the odds of passing the HIPAA audit. Big time. 1.) Identify who s in charge HIPAA requires that someone on staff be designated as the Privacy Officer and/or the Security Officer. Both roles can be filled by the same person or by two different people. Both the Privacy Officer and the Security Officer must know or quickly learn the ins-and-outs of implementing HIPAA in the office. The Privacy Officer is responsible for setting up and implementing compliance policies and procedures for the privacy of patient information. His or her duties go beyond creating, posting, and distributing the office s Notice of Privacy Practices. This individual also handles patient questions about HIPAA, along with requests for information, authorization, and health records. The duties of the Security Officer center around ephi (Electronic Protected Health Information). He or she must be able to evaluate the practice s risks when it comes to things like hacking, malware, and viruses, and see to it that measures are put in place to ensure that the practice s electronic information is and remains safe.

4 2.) Develop and document policies and procedures The place to start is with the existing policies and procedures for the day-to-day functioning of the office. In most practices, it will fall to the Privacy Officer and/or the Security Officer to make sure the policies and procedures part of the compliance process is in place. And the place to start is with the existing policies and procedures for the day-to-day functioning of the office. If none have ever been documented, they need to be. The policies and procedures required by HIPAA add a new dimension to the practice s basic P & P s. HIPAA requirements include things like data backup and recovery plans, security procedures, business associate agreements, processes for managing risk, procedures for reporting a breach, procedures for providing ongoing HIPAA training for staff -- to name a few. Each healthcare office needs to specifically define how it s going to deal with these issues. Accomplishing this takes more than talk. It requires documentation so that everyone who works in the office knows or can easily access information on how the practice handles matters related to HIPAA. It also requires an ongoing effort to keep the staff trained in the updated policies and procedures that reflect the most recent versions of the law.

5 3.) Perform a Risk Analysis regularly Recent HIPAA enforcement actions have cited a missing or old Risk Analysis as the basis for penalties and fines in excess of $1 million! A Risk Analysis is aimed at making sure that the way a practice handles ephi poses no risks to the confidentiality, integrity, or availability of that information. It starts with questions like these: Where does this office store data and how is that data transferred? What are the potential risks and vulnerabilities in the systems used? What is the likelihood of data being compromised? And if it is compromised, what impact would that have on the office and its patients? How important is it to do and document - a Risk Analysis regularly? Recent HIPAA enforcement actions have cited a missing or old Risk Analysis as the basis for penalties and fines in excess of $ 1 million! 4.) Create a Mitigation Plan The Risk Analysis identifies potential problems and vulnerabilities. A Mitigation Plan answers the question, So, what are we going to do about all that? Each risk should be evaluated as to the likelihood of it happening and the consequences to the practice if it does. A Mitigation Plan needs to include not only how the riskiest of the identified risks are going to be handled, but also the estimated dates when the problems will be fixed. Again, HIPAA auditors will want to see documented proof that an office has a plan like this in place.

6 Rest easier Visit our website today and rest easier when it comes to This list of Must Do s is by no means comprehensive, but it is a place to start. For each of the phases of the compliance process, Touchstone Compliance has an online tool to get you through it. Visit today and rest easier when it comes to HIPAA compliance. HIPAA compliance.