Preparing for a HIPAA Audit

A question we often receive from our current and prospective HIPAA clients is what they need to do to ensure that they are prepared for a potential HIPAA audit. As a reminder, the HHS Office for Civil Rights (OCR) has undertaken two phases of audits: Phase I took place in 2012, and Phase II commenced in 2016. In its second phase of audits, which applies to both covered entities and business associates, OCR reviews the policies and procedures associated with selected requirements of the HIPAA Privacy and Security Rules. The review is conducted using a comprehensive audit protocol (last updated in July 2018) that OCR developed to address the various elements of the Privacy, Security, and Breach Notification Rules.

So what does the audit protocol cover? Essentially, anything and everything. If there is a requirement in any of the above-mentioned rules, it is likely addressed by the audit protocol. Here are some of the topics the protocol addresses:

  • Proper uses and disclosures of PHI
  • Workforce training, including the process for training workforce members on HIPAA requirements
  • Designating a Privacy Official and a Security Official, and whether those individuals have actually been named
  • Safeguarding PHI, including the process for determining where PHI is stored, how it is accessed, and by whom
  • Documentation and record retention requirements
  • How the entity investigates and responds to known or suspected breaches of PHI
  • The process for entering into Business Associate Agreements with vendors

With this broad a scope, what can an employer do to help focus on the fundamentals of HIPAA compliance?

Perhaps first and foremost, a solid set of policies and procedures goes a long way. A good template will provide policies and guidance for key requirements, such as identifying where PHI is stored and who has access to it, and developing procedures for safeguarding that information. A good template will also address (among other things) naming a HIPAA Privacy Official and Security Official; developing and distributing a Notice of Privacy Practices; entering into Business Associate Agreements with certain vendors; and complying with HIPAA's breach identification and notification requirements. A solid set of written policies provides a compliance roadmap for employers, helping them focus on the things that must be operationalized in order to meet HIPAA's requirements.

On the security side of things, employers should also complete a comprehensive security risk analysis to identify potential gaps in their existing security controls with respect to electronic protected health information (ePHI). The Security Rule requires this analysis, and the audit protocol asks for it, so the analysis and the risk management steps taken in response to it should be documented and kept current. The results of the security risk analysis will help inform an employer's security efforts.

Second, in-depth training for key employees on those policies equips them with the knowledge necessary to implement and operationalize the policies: to actually name a Privacy Official and a Security Official, develop a Notice of Privacy Practices, enter into Business Associate Agreements with vendors, develop a process for analyzing and providing notification of breaches, and so on. A written set of policies is a good first step, but far from sufficient if the policies are not actually implemented.

Third, employers should ensure that all workforce members who handle PHI are adequately trained on key HIPAA principles, such as what PHI is and what the requirements are for its proper use and disclosure.

Compliance with HIPAA is an ongoing process, but having a solid foundation in place, with well-written policies and procedures, operational processes, and training, helps ensure that an employer is well positioned to avoid potential problems with respect to its plans' PHI. Benefit Comply offers a suite of HIPAA compliance products that will help employers implement the framework necessary to ensure they are prepared for any audit that may come their way.