Preparing for a HIPAA Audit – Steps Employers Should Take

Benefit Comply Offers HIPAA Compliance Services for Employers and Business Associates. More Info >

A question we often receive from our current and prospective HIPAA clients is what they need to do to ensure that they’re prepared for a potential HIPAA audit. As a reminder, the Office of Civil Rights (OCR) has undertaken two phases of audits – Phase I took place in 2012, and Phase II took place in 2016-2017 (OCR issued its final report on Phase II audits in December 2020).

For its second phase of audits, which applied to both covered entities and business associates, OCR reviewed the policies and procedures associated with selected requirements of the HIPAA privacy and security rules. The analysis was conducted using a comprehensive audit protocol that OCR developed to address the various elements of the privacy, security, and breach notification rules.

So what did the audit protocol cover? Essentially, anything and everything. If there is a requirement in any of above-mentioned rules, it was likely addressed by the audit protocol. Here is an example of some of the topics included:

  • Proper uses and disclosures of protected health information (PHI)
  • Workforce Training
  • Designating a Privacy and Security Official
  • Safeguarding PHI
  • Documentation/Record Retention requirements
  • How the entity investigates and responds to known or suspected breaches of PHI
  • Whether a Privacy and Security Official have been named
  • What the process is for training workforce members on HIPAA requirements
  • What the process is for determining where PHI is stored, how it is accessed, and who it is accessed by
  • What the process is for entering into Business Associate Agreements with vendors

With this broad a scope, what can an employer do to help focus on the fundamentals of HIPAA compliance?

Perhaps first and foremost, a solid set of written policies and procedures goes a long way. And for this purpose, having a solid template is a good starting point. A good policies and procedures template will provide policies and guidance for key requirements, such as identifying where PHI is stored, who has access to it, and developing procedures for safeguarding this information. A good template will also address (among other things) naming a HIPAA Privacy Official; developing and distributing a Notice of Privacy Practices; entering into Business Associate Agreements with certain vendors; and complying with HIPAA’s breach identification and notification requirements. A solid set of written policies and procedures will provide a compliance roadmap for employers, helping them focus on the things that must be operationalized in order to meet HIPAA’s requirements.

Second, on the security side of things, employers should also complete a comprehensive security risk analysis to help identify potential gaps in their existing security controls with respect to electronic protected health information (PHI). The results of the security risk analysis will help inform an employer’s security efforts and related policies and procedures.

Third, in-depth training to key employees on those policies helps equip an employer with the knowledge necessary to adequately implement and operationalize them – i.e., to actually name a Privacy and Security Official, develop a Notice of Privacy Practices, enter into Business Associate Agreements with vendors, develop a process for analyzing and providing notification of breaches, etc.  A written set of policies is a good first step, but far from sufficient if they are not actually implemented! Ensuring that stakeholders who will be responsible for implementing and operationalizing HIPAA’s requirements have a solid understanding of these requirements is key to a successful compliance program.

Finally, employers should ensure that their employees who interact with PHI receive adequate training on key HIPAA principles, such as understanding what PHI is and understanding what the requirements are for its proper use and disclosure. This type of training provides a higher-level overview of HIPAA’s core requirements to the individuals who carry out plan administration on a day-to-day basis and need to understand the basics of HIPAA’s privacy and security requirements.

Compliance with HIPAA is an ongoing endeavor, but having a solid foundation in place with well-written policies and procedures, operational processes, and training helps ensure an employer is well positioned to avoid potential problems with respect to any PHI it maintains on behalf of its health plans. Benefit Comply offers a suite of HIPAA compliance products will help employers implement the framework necessary to ensure they are prepared for any audit that may come their way.

While every effort has been taken in compiling this information to ensure that its contents are totally accurate, neither the publisher nor the author can accept liability for any inaccuracies or changed circumstances of any information herein or for the consequences of any reliance placed upon it. This publication is distributed on the understanding that the publisher is not engaged in rendering legal, accounting or other professional advice or services. Readers should always seek professional advice before entering into any commitments.