According to HIPAA’s HITECH Act, the Department of Health and Human Services is required to conduct periodic audits to ensure that Covered Entities and Business Associates are complying with the HIPAA Privacy and Security Rules as well as the Breach Notification Standards.
The Department of Health and Human Services is currently conducting a pilot program auditing 150 Covered Entities between November 2011 and December 2012. Now I know that 150 Covered Entities is not a lot considering there are millions of health care providers in the country, but beginning in 2013, all the other Covered Entities will begin to be audited. Believe it or not, 2013 is only 11 months away.
The audit program is going to assess HIPAA compliance efforts by a range of Covered Entities (CEs). These audits present a new opportunity to examine compliance, identify best practices and discover risks and vulnerabilities that may not already have been brought to light by the Office for Civil Rights’ (OCR) ongoing complaint investigations.
Who will be audited? Every Covered Entity (if you work in a dental practice, that includes you!) and Business Associate is eligible for an audit. The initial round of audits will be designed to provide a broad assessment of complex and diverse health care providers (so this does not only apply to hospitals and physicians; dental practices will be included!).
If you are selected to be audited, the OCR will notify you 30-90 days prior to the onsite visit. Onsite visits may take between 3-10 business days depending on the size of the facility. After the audit you will receive a final audit report within 30 days.
What do they look for during the audit? They will be looking to see if you are in compliance with all of HIPAA’s components. Below are some examples:
- Do you have the current Notice of Privacy Practices available for your patients and is it on your website?
- Have you appointed a Privacy Officer and Security Officer?
- Do you conduct annual HIPAA trainings with the team?
- How are you protecting Protected Health Information (PHI)?
- Do you have an inventory of all computer hardware, removable hard drives and copier/scanners that may contain PHI?
- Are your computers password protected? Do you limit employee access to electronic information only to that which is required to carry out assigned duties?
- Are you backing up your data? How are you backing up your data? Who is responsible for taking the backup “tape” home daily?
- Do you validate media destruction or sanitization when destroying PHI?
That is only a small sampling of what will be looked at during an audit. Do you have everything in place already, or are you going to be scrambling if you get a letter stating that you are going to be audited?
In closing, I would like to leave you with this quote from Linda Harvey (healthcare risk manager and compliance expert), “Just as you develop a comprehensive treatment plan for your patients, consider developing a comprehensive wellness plan for protecting electronic data against cyber risks and security breaches. Doing so protects your biggest asset—your practice.”
If you would like more information on HIPAA and the HITECH Act, please contact us at 508-697-7318 or firstname.lastname@example.org