6 Simple Steps To Avoid The HIPAA Wall Of Shame


Phase 2 HIPAA Audits: Coming In 2016 – Are You Prepared?

We’ve seen the headlines across the healthcare industry over the past several months: the Department of Health and Human Services’ Office for Civil Rights (OCR) is starting up the next round of HIPAA audits. While the date is not set in stone, the audits are predicted to begin by the end of the first quarter of 2016. Now is the time for all practices to evaluate their current compliance level and implement changes in any areas where they fall short of the HIPAA regulations.

What Will The Phase 2 HIPAA Audits Look Like?

While the full plan for the Phase 2 HIPAA Audits has not been released in detail, we know key elements of it. Phase 2 HIPAA audits will look and feel different from the HIPAA Pilot Audits that were conducted in 2011-2012. The first step in the Phase 2 HIPAA audits will be a pre-audit survey (desk-based audits) of up to 1,200 HIPAA covered entities and business associates. Practices of all sizes are on the radar for the next round of audits. The goal of the survey is to evaluate the organization’s readiness for a potential OCR HIPAA Audit, collect evidence of HIPAA compliance, and understand the organization’s size and structure. From the 1,200 organizations surveyed, the OCR will determine how many will actually receive a full on-site audit. It is unknown at this time how many of the organizations will receive only a desk audit and how many will have a full on-site HIPAA Audit.

The goal of the OCR HIPAA audits is to focus on compliance with the HIPAA Privacy and Security Rules as well as the Omnibus Rule of 2013. The top areas of focus for the audits will be the HIPAA Security Rule, specifically compliance with the risk assessment and risk mitigation requirements; the Privacy Rule, specifically the notice of privacy practices and patients’ access rights; and the Breach Notification Rule, specifically whether breach notifications were made and whether they were timely. While this may be the initial focus, it doesn’t mean that the audit will not evaluate complete compliance with all requirements under the HIPAA Privacy, Security, and Breach Notification regulations. Other top areas of focus are device and media controls, encryption, workforce training, facility access controls, and compliance with HIPAA policies and procedures.

As healthcare continues to be plagued by data breaches, the Office of Inspector General (OIG) has stated that a lack of HIPAA oversight and enforcement has contributed to a potential lack of compliance. With Phase 2 of the HIPAA Audits beginning in early 2016, this is the ideal moment to change that lack of oversight and enforcement. The stage has been set and the world has been notified: there is going to be a change in the enforcement of HIPAA, and NOW is the best time to prepare your organization.

What Can Your Practice Do To Prepare NOW For A HIPAA Audit?

Here are Six Simple Steps you can take to prepare your practice for success with the upcoming changes in enforcement and Phase 2 HIPAA Audits.

  1. Conduct A Risk Assessment/Analysis

    If you haven’t conducted a risk analysis recently, now is a good time to conduct one. Make sure you have a risk analysis report that documents how the analysis was conducted, which systems were evaluated and which risks were identified. Remember – don’t stop there. You must create a risk management plan and mitigate and/or address every risk identified.

  2. Review And Update All Policies And Procedures

    Create the foundation for success with HIPAA compliance. Conduct a gap analysis of your policies and procedures. Look for policies that you may be missing or policies that don’t meet the minimum compliance requirements. Then ensure that your organization is actually following the policies you have created. Look for evidence such as documents, logs and audit forms that can prove you are complying with your own policies.

  3. Know Who Your Business Associates Are

    Evaluate who you are paying as third-party contractors and what tasks they are performing for your organization. If they are creating, receiving, transmitting or storing any protected health information on your behalf, ensure that you have an up-to-date business associate agreement in place with them. Consider creating an easily accessible list or spreadsheet of all the business associates your organization works with.

  4. Review And Become Familiar With The Audit Protocol

    Although the new HIPAA audit protocol hasn’t been officially published, it is good practice to review and become familiar with the HIPAA audit protocol that was used in the 2011-2012 HIPAA audits. This will help an organization understand what evidence of compliance with the regulations the auditors will be looking for.

  5. Conduct Internal HIPAA Audits

    Practicing audits and helping staff become comfortable answering questions about HIPAA compliance should start now. During these audits, look for evidence that you are following your policies and procedures. If your policy states that you will monitor EHR activity on a monthly basis, make sure the organization has evidence to support that. If an on-site HIPAA audit is conducted, the auditors will not only be talking to the HIPAA Privacy and Security Officers, but also to all workforce members who take part in properly protecting patient information (A.K.A. – EVERYONE).

  6. Educate All Staff And Leaders On The Importance Of HIPAA Compliance

    Educating your entire workforce is an essential step in HIPAA compliance. Your workforce should know and understand what HIPAA is and the processes and procedures your organization has established for proper HIPAA compliance!

While this isn’t a complete list of what an organization can do, these are a few simple steps that can definitely help build a solid HIPAA program and prepare for the increase in enforcement and the Phase 2 HIPAA Audits. Don’t be one of the practices that say “We didn’t know that was a requirement” or “We thought we had more time to be compliant.” Be prepared and feel confident in the way you are protecting your patients’ information. Your practice will benefit, and your patients will be satisfied knowing that they are receiving great care and that their information is properly protected and secured!