Recent Onslaught of HIPAA Audits Include Business Associates and Leave Organizations Scrambling To Comply
When the Department of Health and Human Services (HHS) started cranking out that second round of HIPAA audit emails back in April, many health organizations realized for the first time that being targeted for an HHS audit is not as unlikely as previously thought—and they are no longer limited to large scale corporations either. This time around, while HHS continues to tighten its grip on the ever-expanding healthcare industry, everyone from solo practices to SMB operations are fair game.
Audits Aren’t Just Targeting Large-Scale Operations—Business Associates Are Included in the Latest Round
If you are a Covered Entity (CE) or a Business Associate (BA), now is a good time to get your documentation in order for this latest round of HIPAA audits. According to HHS, this latest round of audits consists of two phases:
This latest round of HIPAA audits will involve familiar audit techniques: all initial documentation will be requested via email, and entities selected will be required to upload all documentation via a secure online portal. Auditors will review submitted information and compile their findings for collaboration with the audited entity. At this point, an audited entity can officially respond to any findings. Be sure to remember that all organization responses become part of the official report—so seek the advice of a reputable IT HIPAA security expert if you have questions or need guidance in your responses.
All auditees should be prepared for a site visit during the final phase.
This Isn’t a Dry Run—If You’re Audited, Your Preparations For a Real-Life Incident Will Be Evaluated
If you receive an email requesting your organization’s information, respond to it as quickly as possible. To prepare for the upcoming audit, you’ll want to be sure you have the following protocols in place:
1. Train Personnel in Proper Handling of ePHI
At this point, the way your organization handles electronic patient health information (ePHI) is under examination. Your first order of business should be to ensure the competence of any and all employees that might come into contact with ePHI at any level and on all platforms.
Since workforces often change, periodic training and evaluation planning is a required part of HIPAA compliance protocol. All personnel should be fluent in the organization’s policies and procedures and how each directive applies to the everyday exchange and use of sensitive patient information. Remember to carefully document all training as part of your organization’s compliance portfolio.
2. Make Sure All Business Associate Agreements Are Completed and On File
If your organization collaborates with business associates, you’ll want to be sure to have a well-structured Business Associate Agreement on file. An organization that distributes ePHI without a satisfactory, mutually agreed-upon Business Associate Agreement in place can expect heavy fines and strict sanctions.
3. Conduct a Periodic Security Analysis—and Document It Extensively
Be sure to have your periodic security analysis completed and documented in accordance with HIPAA security regulations.
4. Have a Plan In Place To Keep Track of Organizational ePHI Security Efforts
Review your organization’s current security policies against compliance and audit protocols to determine whether additional measures need to be taken. Remember, a periodic review of all training, compliance, and applicable procedures and policies is the best approach to a comprehensive compliance strategy. Again—document all organizational efforts to protect the security and privacy of ePHI.
Seek Professional Guidance
If you are concerned that your organization has been audited and you need assistance with your response, Global Data Systems, Inc. can help. Contact us at (888) 849-6818 or send us an email at info@GDSConnect.com for more information.