Part of being HIPAA compliant is making sure that you’re ready at all times for the possibility of a HIPAA audit from the HHS Office for Civil Rights (OCR), or a State Attorney General.
By nature, an audit can feel a bit intrusive, but if you stay ready, you’ll be able to move through it with a lot more peace of mind. Here are five tips to make sure you’re ready for a HIPAA audit.
1. Train your employees
The foundation of any good compliance program is a well-trained workforce that is prepared to constantly monitor HIPAA compliance. Any member of your staff who comes into contact with PHI (Protected Health Information) must be prepared to secure it in storage, in transit, and at rest. This may include contractors, part-time employees, and Business Associates. You are required to document all training completed by employees and to train new employees soon after their start date. Annual retraining is mandatory under HIPAA and will help you keep up to date with changes in the law and best practices for keeping your information safe. Auditors will typically ask to see the last 3-4 years of training records. This is why having an annual training program is so important.
2. Conduct a Risk Assessment
A Risk Assessment is the first document you will be required to show an auditor during a random HIPAA audit or following a breach. Your Risk Assessment will reveal gaps and weaknesses in your business and allow you to mitigate them before they become an issue. This way, you won’t be left with unaddressed vulnerabilities which may be unearthed by an auditor. Conducting an annual Risk Assessment should be considered a standard part of your HIPAA compliance procedure.
3. Appoint a Privacy and Security Officer
The Privacy Officer (PO) is the individual appointed to maintain the documentation of your HIPAA compliance program and to enforce it. He or she is assisted by the Information Security Officer (ISO), who oversees the company’s security program. At a small company, one person may hold both of these titles. The PO and ISO should be managers or officers within the company who have the authority to sanction employees who are non-compliant with HIPAA. This will help ensure that there is accountability within your organization. The Privacy Officer is also responsible for delegating compliance activities to employees, reviewing and updating Policies and Procedures, and overseeing their implementation.
4. Implement a HIPAA compliance plan
Documenting Policies and Procedures is required under HIPAA, but if they aren’t implemented, they will make little difference when a breach or HIPAA audit arises. This process will include implementing administrative, physical, and technical safeguards, per the HIPAA Security Rule. These will give staff clear guidelines on how to protect information, make physical systems secure, and keep cybersecurity protections in place. Taking a proactive stance against breaches will help you prevent them before they happen. This approach will also go a long way towards passing an audit successfully.
5. Review and update your compliance plan regularly
Having a plan in place does you no good if it doesn’t reflect the current state of your business. If an auditor sees you haven’t retrained your staff in several years or your Policies and Procedures refer to outdated systems or people who have long since left the company, you could be in trouble. It’s important not only to document and implement your compliance plan but also to periodically assess the effectiveness of current procedures and whether anything can be done to improve them. If you stay on your toes and treat compliance as an ongoing process, you won’t be caught off guard.
Have you performed a Risk Assessment in the past year? Do you have updated HIPAA Policies and Procedures in place? Our HIPAA Prime™ program does all this and more! We create customized compliance documents and provide your staff with easy online training, ensuring compliance for your business.