What Does Real Audit Preparedness Look Like?

Link to our recent press release: http://bit.ly/2qfTMgI

For many members of the healthcare community, the word “audits” was overheard more than a few times last year. In March 2016, Health and Human Services’ Office for Civil Rights (OCR) announced their Phase 2 HIPAA Audit Program was underway and Covered Entities (CE) and Business Associates (BA) alike were put on notice – the days of “flying under the radar” were over.

Last year, 167 random CEs were selected for desk audits and, upon contact, were given 10 days to submit their documentation via the OCR portal. Not surprisingly, the tight timelines and wide array of requested information left many CEs scrambling to meet the deadline. Since we have no indication the audits will slow down any time soon, now is the time for CEs and BAs to get their ducks in a row.

Early Adopters

In the summer of 2016, our HIPAA Security Risk Analysis and Privacy and Breach Notification Risk Analysis software solutions, along with our policies and procedures tool-kits, were fully updated to meet the guidance of the Phase 2 Audit Program. Since then, we have continued to emphasize the critical work of completing a Security Risk Analysis using software that ensures compliance in an audit.

The updates needed to meet the Phase 2 audit requirements were significant and included 708 updates to the privacy risk analysis and 880 updates to the security risk analysis. Additionally, more policies and procedures (with supporting documentation) were added, health plans were instructed to obtain additional assurances from their plan sponsors, and all companies were asked to retain “satisfactory assurances” of HIPAA compliance from their business associates, vendors and subcontractors.

Our President, Steve Marco, understood the importance of getting ahead of the game and worked diligently to make HIPAA One the first HIPAA compliance software vendor to be fully updated. Because the updates contained so many changes, he felt it was crucial to ensure our clients had the guidance necessary not only to respond to an audit in a timely fashion, but also to pass it.

4 Steps to Take Now

What’s the secret to passing an audit, and how can we prepare in advance? To be truly ready if/when an email from OCR shows up in your inbox, you’ve got to do the work now. Although there are no instant hacks or magic wands to wave to ensure compliance in an audit, there are tasks your organization can do now to make the process easier and to produce the necessary documentation if an OCR email hits your inbox:

  1. Conduct an accurate and thorough HIPAA Security Risk Analysis. Be sure to include Privacy and Breach Notification assessments, since these are often overlooked. Also, if your organization uses Security Risk Analysis software to complete this work, ensure it has been updated to comply with the Phase 2 Audit Program.
  2. Review your organization’s policies and procedures along with the associated processes, compliance programs and other supporting documentation proving compliance. For gaps, update processes, policies and procedures to address identified issues.
  3. Address risks found in previous risk analysis efforts. This requires documented progress on closing gaps in compliance and the associated vulnerabilities (e.g. installing enterprise-wide encryption, implementing a training and awareness program, updating policies and procedures). This also includes having supporting documentation that tracks these updates.
  4. Identify who your business associates (BAs) are, and/or which subcontractors a BA would give PHI to in order to facilitate a particular service for the upstream BA. Get a copy of each signed BA Agreement, ensure your agreements are updated per the HIPAA Omnibus update (after March 2013), and collect proof (e.g. reasonable assurances) that the BA or subcontractor actually has a HIPAA Security, Privacy and Breach Notification assessment and/or other proof of compliance (e.g. proof of encryption, training and awareness, policies and procedures).

Going Forward

With the rest of the industry still catching up and the audit program in full swing, prioritize your peace of mind and leave nothing to chance. For a free demo or review of your last Security Risk Analysis, contact us.
