The American Health Information Management Association has released a new toolkit to help covered entities prepare for a HIPAA compliance audit.
The Department of Health and Human Services’ Office for Civil Rights commenced the much-delayed second phase of the Health Insurance Portability and Accountability Act audit program in the last quarter of 2016. Those audits started with ‘desk audits’ of HIPAA-covered entities: documentation reviews conducted remotely to determine whether HIPAA Rules were being followed.
The desk audits of covered entities have now been completed, and the results are starting to be sent to the audited healthcare organizations for comment. OCR has moved on to desk audits of HIPAA business associates. When those audits are completed, and the results of both sets of audits have been analyzed, OCR will start the final phase of the audit program – on-site audits.
The on-site audits will be more in-depth and will involve a comprehensive analysis of the compliance efforts of covered entities and business associates. Some of those audits will be conducted on organizations that have not been subjected to a desk audit. However, organizations whose desk audits uncovered HIPAA violations may be selected for an on-site audit, and auditors will look more closely at their compliance programs.
The good news for covered entities is that the final phase of the HIPAA compliance audits has been delayed, which gives them more time to ensure that they are ready for a full compliance audit. Last month, OCR’s Deven McGraw explained that while the on-site audits were initially scheduled to take place in the first quarter of 2017, OCR will not be conducting those audits until much later this year, possibly Q4 2017 or even Q1 2018. The results of the desk audits will first be analyzed, and new HHS Secretary Tom Price will be consulted and asked for his input on how the on-site audits should be conducted.
Now is the Time to Prepare for a HIPAA Compliance Audit
OCR will not announce which organizations will be subjected to a compliance audit until a few days before the audits take place. It is therefore important for all covered entities and business associates to prepare for a HIPAA compliance audit now.
This week, the American Health Information Management Association (AHIMA) released a new toolkit to help covered entities prepare for a HIPAA compliance audit.
The new toolkit can be used by covered entities to check whether they have all the necessary documentation in place to provide to OCR if its auditors come knocking. The toolkit also details industry best practices that can be adopted not only to ensure compliance with HIPAA Rules, but also to better protect ePHI.
The AHIMA HIPAA audit toolkit covers the legal requirements of a HIPAA audit and includes detailed guidance for covered entities on how to prepare for a HIPAA compliance audit. The toolkit contains checklists covering the forms, policies, and documentation that auditors are likely to ask to see and a master template for the privacy and security compliance program.
One of the best ways to prepare for a HIPAA compliance audit is to conduct a mock audit in-house. Self-auditing is likely to uncover areas where compliance efforts have been weak, which allows covered entities to take corrective action. According to Kathy Downing, senior director at AHIMA, “If OCR finds something and they start to dig deeper, they’re probably going to find other things.” It is far better for covered entities to find weaknesses and address them before the OCR auditors arrive.
It is not clear whether OCR will issue financial penalties for non-compliance issues discovered during the HIPAA audits; however, OCR will not turn a blind eye to serious compliance failures, and heavy fines are a possibility.
To reduce that risk, Downing says, “Every organization should be investing time in self-auditing.”
AHIMA’s toolkit can be downloaded free of charge by AHIMA members. Nonmembers are required to pay $99 for the toolkit.