HIPAA Audits
The Health Insurance Portability and Accountability Act (HIPAA) is a federal act that ensures that all confidential information of patients is protected. Breaches of patients' protected information have been used either to steal patients' identities or in employment decisions such as hiring, firing, and promotions. There are many other aspects of HIPAA, such as coding and electronic submission of claims, but let us focus on your organization and what you must do under HIPAA to help prevent such misuse.
With the onset of the Omnibus Rule there are two categories of healthcare entities, the covered entity and the Business Associate, that need to follow the rules and regulations of the Health Insurance Portability and Accountability Act. These organizations must perform an audit to determine whether all the provisions of HIPAA are being followed without any intentional or unintentional violation.
There are two types of audits: the audit you perform on yourself, and the audit HHS will perform on you if you are lucky enough to be chosen or you have a significant breach that requires HHS to audit you. Therefore it is imperative that you perform a HIPAA audit following a defined process that lets you document your deficiencies and how you remediated them. This HIPAA audit process is very important. It must be well documented and well structured.
A systematic approach to your HIPAA audit is exactly what will save your business in the long run. Like any audit, the more structured and systematic the process is, the less painful it will be.
There are two sides to a HIPAA audit. Privacy: the protection against release of data, the policies and procedures surrounding how the data is used, and the tracking of certain aspects of the rule such as breaches, authorizations, and disclosures. Security: the technical side of HIPAA, which covers the physical protection of the data. A security audit looks at every area of an organization where Protected Health Information is stored, transmitted from, or accessed from; that includes all computers, fax machines, email and employee policies, jump drives, phones, pagers, and PDAs.
HIPAA regulations impose an array of requirements on the technical side of an audit. A risk analysis of every device that stores electronic Protected Health Information (ePHI) must be completed, and a risk rating must be assigned to each device based on the likelihood that data could be compromised from it.
At the very foundation of any organization's HIPAA compliance plan are the Privacy and Security policies. These policies, which address every aspect of HIPAA, must be created and attested to by every employee of the organization who comes in contact with or uses ePHI in their job role.
Every employee in an office should know exactly what they can and cannot do on a computer: which websites they are allowed to visit and what the limits on email are. Not only should every employee know what is required of them on the computer system, they also need to know where they can find answers to questions they may have.
Your HIPAA audit will have multiple layers, but the first layer, the gap analysis that defines which deficiencies you currently have, is the foundation of a successful HIPAA audit. The HIPAA audit [http://compliancy-group.com/virtual-audit/] is not the final stage, though: the documentation and the daily monitoring continue every day of every year that you are dealing with ePHI.
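As an added illustration (not code from the original article or from Compliancy Group), the device risk analysis and the gap analysis described above can be kept in a single structured register. The inventory below is constructed, and the 1-5 likelihood/impact scale and the high-risk threshold are assumptions for the example; the point is that each ePHI device gets a risk rating, a list of concrete deficiencies, and a remediation status that can be re-run as the inventory changes.

```python
"""Minimal ePHI device risk register and gap analysis.

Added example, not part of the original article. Device records, the
1-5 scoring scale and the risk threshold are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    stores_ephi: bool
    password_protected: bool   # access control on the device itself
    encrypted_at_rest: bool    # ePHI on the device is encrypted
    portable: bool             # jump drives, phones, laptops can leave the building
    likelihood: int            # 1 (rare) .. 5 (almost certain) that ePHI is compromised
    impact: int                # 1 (minor) .. 5 (severe) consequence if it is


# Constructed inventory for the example; a real register comes from your own asset list.
INVENTORY = [
    Device("front-desk-pc", True, True, True, False, 2, 4),
    Device("billing-usb-drive", True, False, False, True, 5, 5),
    Device("fax-machine", True, False, False, False, 3, 3),
    Device("lobby-kiosk", False, False, False, False, 1, 1),
]

HIGH_RISK_THRESHOLD = 12  # assumed cut-off on the likelihood x impact scale


def risk_score(device: Device) -> int:
    """Risk rating as likelihood x impact, on the assumed 1-25 scale."""
    return device.likelihood * device.impact


def find_gaps(device: Device) -> list:
    """Deficiencies the gap analysis should record for one device."""
    gaps = []
    if not device.stores_ephi:
        return gaps  # nothing to protect on this device
    if not device.password_protected:
        gaps.append("no password protection / access control")
    if not device.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if device.portable and not device.encrypted_at_rest:
        gaps.append("portable device can leave the premises with readable ePHI")
    return gaps


def gap_analysis(inventory: list, threshold: int = HIGH_RISK_THRESHOLD) -> list:
    """One register row per ePHI device, highest risk first.

    Each row carries the score, whether it exceeds the threshold, the open
    deficiencies and a status that flips to 'compliant' once no gaps remain,
    so the same function can be re-run after remediation.
    """
    rows = []
    for device in inventory:
        if not device.stores_ephi:
            continue  # devices without ePHI are out of scope for this analysis
        gaps = find_gaps(device)
        score = risk_score(device)
        rows.append({
            "device": device.name,
            "score": score,
            "high_risk": score >= threshold,
            "gaps": gaps,
            "status": "open" if gaps else "compliant",
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in gap_analysis(INVENTORY):
        flag = "HIGH" if row["high_risk"] else "    "
        print(f"{flag} {row['score']:>2} {row['device']:<20} {row['status']}")
        for gap in row["gaps"]:
            print(f"         - {gap}")
```

Keep the register under version control and re-run it after every remediation; the dated outputs are the kind of evidence of an ongoing, good-faith effort that the audit discussion later on this page asks for.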
Top 5 tasks for conducting a HIPAA Audit
1. Before starting the HIPAA audit it is important that you gain adequate knowledge of the recent amendments and changes to the Act. This will keep you up to date with all the latest provisions of the Health Insurance Portability and Accountability Act. This can be accomplished by self-education or by hiring someone to help.
2. All covered entities need to have policies and procedures in place that will help them comply with the Health Insurance Portability and Accountability Act. These should be in accordance with the policies and procedures stipulated by HIPAA [http://compliancy-group.com/hipaa/].
3. The audit should check how all information pertaining to patients is handled by the different departments of the covered entity. As all the information pertaining to the patient is stored on electronic devices (computers, hard drives), it is necessary to ensure that these are password protected. Apart from this, all files that hold protected patient information also need to require a password to gain access to them.
4. If the information is stored physically in files, the audit will check whether they are kept in a secure place. If any patient information is destroyed, there should be adequate safeguards to ensure that it is done properly. All physical files need to be properly locked away, and access to that place should be restricted to authorized individuals only.
5. If there have been reports of any violation of the Health Insurance Portability and Accountability Act, it needs to be examined. You will also need to determine what steps were taken after detection of the violation. If the violation has not been cleared within the stipulated period of time it will attract fines and imprisonment, depending on whether the violation was intentional or unintentional.
The tracking of your compliance plan is critical during an audit by outside authorities: the more documentation you have, and the more accurate and current it is, the better off you will be if the outcome is poor. Due diligence is the name of the game. Make a good-faith effort and work on your compliance plan every day, so that you will not hear the words WILLFUL NEGLECT, which are the kiss of death when hearing the results of an audit from HHS.