How to Prepare for a HIPAA Audit

Posted by Mark Jennings - June 08, 2015 - SymQuest Blog, Compliance

The introduction of HITECH in 2009 gave the Office of Civil Rights (OCR) more muscle to enforce HIPAA and levy stiff penalties—up to $1.5 million per incident for some violations—for organizations failing to protect patient health information (PHI). In 2014 alone, OCR settled with seven entities for $8,065,220, an average of more than $1.15 million each. In 2012, OCR began a pilot audit program that is now in full swing.

Even if you’ve followed our tips for ensuring you are in HIPAA compliance, a notification that you’re being audited might involuntarily send a shiver up your spine. While you can find the full audit protocol here, a good place to start preparing for your audit is to assess your practice against the following areas, which were cited by OCR as the most common errors identified among data breach reports filed in 2011-12:

1. Risk analysis and management

Do you have a plan that identifies all potential risks for compromising electronic or printed PHI? When was the last time you reviewed it to ensure your policies and procedures address all the technology used by staff, from photocopiers to smart phones? Do you know how often PHI is transmitted outside of the practice on a typical day, and where it goes?

2. Security evaluation

Not taking proper precautions to safeguard PHI when moving to a new office, installing or upgrading equipment or software can put protected data at risk. A security evaluation can help identify problems before they occur.

3. Security and control of portable devices

Lost or stolen laptops, storage devices like memory sticks, and tablets containing unencrypted data are the single most frequent cause of data breaches.

4. Proper disposal of data

What happens with the patient data that no longer needs to be stored on a device? Your process for cleaning, purging and testing hard drives before they are recycled or transferred to a third party should be well documented.

5. Access control

Take a walk through your office to see how many workstations stay on all day, even when unattended. If you can see the screen, PHI on that computer may be visible to others.

6. Training

Train new employees right away on your policies and procedures for appropriate and improper uses of PHI, and on the consequences of violating them for the organization and the individual.

The best news – you’re not alone. We can help you mitigate the risk of releasing PHI and ePHI by securing your technology workflow. To obtain a full assessment of your IT and print infrastructure email us at info@symquest.com or call 1-800-374-9900.

about the author

Mark Jennings

Mark Jennings is SymQuest’s Area Vice President of IT Sales. Jennings works with SymQuest’s sales and service teams to educate customers on current best practices around data protection, disaster recovery, security, and overall technology planning.
