Preparing for a HIPAA Audit: Tips and Resources

October 28, 2014

The HIPAA Audit Program under the Office for Civil Rights (OCR) is expanding and changing. Is your practice prepared?

If not, it's time to get started. Phase 2 of the HIPAA Audit Program, in which providers will be audited to determine compliance rates with the HIPAA privacy, security, and breach notification rules, will begin soon.

During his session at the 2014 Medical Group Management Association (MGMA) Annual Conference on Mon., Oct. 27, "OCR Audits – Lessons for the Small Practice," David Holtzman, a former OCR senior adviser for health information privacy and security, shared what practices need to know about Phase 2 of the audit program, as well as how they can prepare.

What Practices Should Know

Phase 2 will include a combination of on-site and desk audits. Ultimately, approximately 200 providers will be audited in the desk-audit process, in which they will need to submit requested information electronically, said Holtzman, who is vice president of compliance services at Cynergistek, an information security and regulatory compliance firm. The number of providers that will be selected for on-site audits is unknown.

"What's important to understand about the desk audit is there is not going to be an opportunity for a conversation, there is not going to be an opportunity for a give and take," he said. "You are not going to have an opportunity to develop new policies and procedures or conduct a risk assessment in that short time in which you get the [audit] letter to when you must respond to the audit request."

For that reason, and to help ensure a successful outcome, practices need to start preparing now to ensure all of their privacy, security, and breach notification policies and procedures are compliant with the HIPAA rules.

What Practices Should Do

A great place to start in preparing for a HIPAA audit is to know what areas auditors are likely to focus on most closely, and what areas have tripped up practices in the past.

Since Phase 1 of the audit program showed that many practices fall short on Security Rule compliance, that is a good area for your practice to step up its compliance efforts, said Holtzman. For instance, consider whether your practice has recently conducted a security risk analysis and whether it has appropriate risk management procedures in place; both are required administrative safeguards under the Security Rule, and auditors will expect to see the analysis itself and the decisions it drove, not just a policy saying one is performed.

Also consider whether your practice has modified its policies and procedures to comply with the new breach notification rules, whether your practice has appropriate device and media controls in place, whether electronic PHI is encrypted appropriately, and whether you have appropriate facility access controls, said Holtzman. Note that encryption is an "addressable" specification under the Security Rule: a practice that chooses not to encrypt in a given case must document why and what equivalent safeguard it applied instead, and that documentation is exactly what a desk audit will ask for.

Don't forget to consider whether your staff and physicians have been trained appropriately on the HIPAA rules, and make sure that training is documented. "[The OCR is] continually seeing examples in compliance reviews where organizations have trained individuals once when they were first hired, or when the HIPAA privacy rules first came into being in 2003, and they've done no or little training since," said Holtzman. "I have to tell you that that just really rubs them the wrong way. The expectation is that organizations are continually working with their staffs, their workforce members ... on what the organization's policies for safeguarding and keeping health information private are."

Helpful Resources

The above are just a few of the areas your practice should be focusing on to ensure it is compliant with all of the HIPAA rules and prepared for a HIPAA audit. To gain a broader understanding of what your practice should be doing, consider the following resources:

• HIPAA risk assessment tool for small providers
• HIPAA audit program protocol
• HIPAAcow.org

Holtzman also recommended replicating the audit process internally at your practice to evaluate compliance measures and identify areas that need improvement. For instance, to evaluate your training policies and procedures, look at your documentation of training to see if it is up to date and whether everyone who should have been trained in that area of HIPAA compliance has been trained.

Also, make a plan to assess your privacy and security policies and procedures regularly. "What's really important is that this is a continuing effort," said Holtzman. "You can't do it just once; it's got to be on a regular or occasional schedule."