There are many different types of “audits”, so when we refer to audits, we are referring to a “HIPAA audit”. When anyone mentions a HIPAA audit, most practices think it won’t happen to them. I hear so often: “I have never seen the ‘HIPAA Police’ come around and do an audit.” Well, they don’t just walk in off the street, but it only takes one patient complaint, a disgruntled employee, or a data breach to trigger an investigation. I have said this MANY times… and I feel the need to repeat it one more time! HIPAA has changed a few times over the years, but one thing has not changed since 1996: HIPAA compliance is here to stay, and it is not optional.

When an investigation is opened, the documentation you provide will determine whether a desk audit is conducted. For example, many OCR (Office for Civil Rights) investigations find systemic noncompliance with the HIPAA Security Rule, including failures to conduct an enterprise-wide risk analysis, implement risk management and audit controls, and maintain documentation of HIPAA Security Rule policies and procedures. Under the “recognized security practices” provision, the OCR may review a minimum of 12 months of your documentation. The good news is that if you have documented your compliance efforts, you may not be fined or penalized! The OCR is trying to incentivize practices to step up their data security practices. Keep in mind, this must be documented. Just another reason why our clients are moving to our online compliance platform!

Employee mistakes are the typical cause of a security incident or data breach. Someone clicks on a link, opens an infected website, or falls for a phishing scam. This is a HUGE problem; all you have to do is go to the OCR breach portal and you can see for yourself the number of breaches reported as hacking. Educating your staff is #1, along with good data security practices that are documented.

Lost or stolen devices are also a problem unless they are encrypted. Security incidents must be reviewed, and the outcome documented. If a device is lost or stolen and it is encrypted (and documented as such), it is not a reportable breach!

Another area that the OCR reviews (depending on the complaint or violation) is employee training. HIPAA training requires periodic updates, and it is recommended that all staff, including physicians, attend annual HIPAA training. Again, this must be documented.

To continue reading this article click here:

https://arismedicalsolutions.com/would-your-practice-survive-an-audit/

Tuesday, February 15, 2022