When it comes to HIPAA, two of the most troubling events that keep health care executives awake at night are reportable data breaches and failing an audit by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). Even with all the current publicity surrounding privacy and security, many organizations still fail to take the necessary steps to proactively manage compliance and better prepare for audits. The key to avoiding either event is proper, thorough and ongoing documentation.
Former OCR Director Leon Rodriguez has reported that badly documented risk analyses were one of the most common weaknesses seen in audits over the last couple years. Every entity covered by HIPAA within an organization should implement a comprehensive risk assessment to ensure patient privacy and data security is in accordance with HIPAA regulations. Yearly assessments are the minimum requirement, but a lot can happen in a year, so it’s important to keep the document current so emerging vulnerabilities can be identified and tracked on a regular basis.
Failure to provide the documentation requested by OCR, whether it exists or not, puts you at risk of failing some HIPAA security implementation obligations. Additionally, OCR gives just 15 days for the health care organization to produce the necessary documentation. With this in mind, keep all of your documentation for previous and current years conveniently located and well organized, ensuring it can be easily demonstrated that there is continuous improvement on a well-planned path to security.
For more information, please download: “Privacy & Security Audits: How to Prepare and Ensure Compliance” from the editors of FierceIT.