How to Conduct an Internal HIPAA Audit

March 16, 2016

The OCR is doing more HIPAA audits this year, and you need to be ready. Here’s how to do your own internal audit.

You can make sure you are ready in case you’re randomly selected for a HIPAA audit by doing an internal audit now. John Meigs, president-elect of the American Academy of Family Physicians, recommends doing internal audits regularly, at least once a year. Here are a few tips for doing your own audit.

• Check the websites of professional organizations and the Office for Civil Rights (OCR) for checklists and risk assessment tools. “The OCR has a beautiful website with useful tools. The AMA and Healthcare Information and Management Systems Society also have privacy and security sections on their sites,” said Monica Moldovan, health information privacy and security manager for the University of California, Davis Health System.

• Practices often get sloppy about paperwork. Make sure you have, organized and on file, documentation of employee HIPAA training, policies and procedures (recently updated), any business associate agreements that apply to your practice, and the risk assessment you just did. Moldovan advised being very specific in your training and policies. For example, don’t instruct employees to “protect patient privacy,” but to “shred all documents containing patient information” or “lock your workstation whenever you step away.”

• “You’ll need to get feedback from your EHR vendor that they are certified,” said Moldovan, “but that doesn’t get you off the hook [in case of a breach].” It does, however, let you know if you need to address a problem with your vendor, and it will demonstrate to investigators, should you be audited, that you are double-checking your vendors.

• Electronic and hard copy data are common sources of data breaches, but employees can be, too. Conduct regular, documented training and have a written privacy policy that specifically outlines the consequences of violating that policy. Be sure, especially if you have young employees, that your policy addresses the use of social media, selfies in the office, and other increasingly common ways patient privacy is violated.

• Paperwork is important, but don’t forget to do a walk-through. Look for things like patient information visible on desks or computer screens, or visible to delivery people who may occasionally have access to parts of the office that are normally restricted to employees. Make sure that passwords are not written on sticky notes posted to computer terminals (yes, it happens). These are the kinds of things that are easy to miss because you work in your office every day and stop noticing them. Try to walk through your office with fresh eyes: pretend you are an OCR investigator looking for violations.

“The best way to make sure your office is always compliant,” said Moldovan, “is to make patient privacy a part of your business practice, embed it into the workflow.” Do that, and your internal audit will be a breeze, and if the OCR does show up, you won’t even break a sweat.

Links to security and risk assessment tools:

https://www.healthit.gov/providers-professionals/security-risk-assessment

http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/security-standards.page

http://www.himss.org/library/healthcare-privacy-security/risk-assessment