Ten days to a HIPAA audit — two scenarios

Situation analysis:
You are a hospital compliance officer, and you’ve just received a call from an auditor with KPMG, a government contractor for HIPAA audits. “Did you get our letter?” he says. “You have 10 days before we conduct an audit.”

Scenario one:
You break out in a cold sweat. You had put a series of risk management processes in place, determined that the hospital had adequately safeguarded patients’ protected health information (PHI) and complied with HIPAA requirements, but that was six months ago. No formal internal audit had been conducted at the time, and no ongoing analysis and updating of information had been done since then.

You realize there is no way you can update and pull all the necessary information together in ten days to successfully weather the HIPAA audit, and the penalties will be severe.

Scenario two:
You take a deep breath and assess the situation. You realize immediately that the hospital will be able to respond in the 10-day time frame the auditors have given you. Your team regularly reviews the standards that your hospital has to adhere to, and you ensure the policies and procedures are all up to date and your security practices reflect your current risks.

You compile monthly reports with different data elements and pull those together quarterly, along with effectiveness metrics, to identify trends. Emerging risks are addressed immediately. You do a yearly review of the content of your education program based on the trends seen, and determine whether you need to get more information to employees on specific topics. Software tracks complaints and investigations, and you perform an annual risk assessment.

A check on the Office for Civil Rights’ site about HIPAA audits confirms that the information is accurate, and the first meeting with the auditors goes well.

Lessons learned:

  • Be committed to patient privacy.
  • You are the champion of the program.
  • Review yourself and your team regularly.
  • Apply the same requirements to your business associates.
  • Have an ongoing commitment to manage a huge amount of documentation before, during and after an on-site visit.
  • Continually establish policies, institute security procedures, review how they are working, find issues, fix them and go back and test.

For more information, please download: “Privacy & Security Audits: How to Prepare and Ensure Compliance” from the editors of FierceIT.
