Gearing Up for OCR HIPAA Audits in 2015
Visit HealthPort at MGMA in Booth #808
OCR is ramping up their HIPAA privacy and security audit program for covered entities (CEs) and business associates (BAs). Delayed until 2015, the second round of HIPAA audits is expected to be more pragmatic and comprehensive. Their focus will be on everyday, real-world application of HIPAA policies and procedures across the entire organization. Staff must know the policies and procedures while also incorporating them into daily activities, workflows and interactions with protected health information (PHI). Everyone can take practical steps to tighten HIPAA compliance. During the first round of HIPAA audits in 2013, only 11 percent of those organizations audited were issue free. Everyone needs to be on their toes. However, preparation for potential HIPAA audits need not be complicated or costly. Here are three affordable steps that every CE and BA should take now, in 2014, to prepare for what’s ahead.
- Review, Refresh and Retrain OCR auditors will be looking to see if your HIPAA policies and procedures meet the latest privacy and security criteria. Now is the time to take your binders down from the shelf and crosswalk them, section by section, to the current OCR audit protocol. Identify gaps, update documents, and retrain staff on HIPAA policies and procedures. Don’t forget to thoroughly document your educational efforts.
- Round Up Your BAs If your practice hasn’t already done so, create a thorough list of all BAs and the services they provide to your organization. Ask each BA to provide your practice with an updated Business Associate Agreement (BAA) and list of all subcontractors they use. For BAs, preparation for 2015 HIPAA audits should focus on risk analysis, risk management, and updated policies procedures for breach notification to the CEs they serve.
- Conduct a Risk Assessment The third practical step to take in preparation for 2015 HIPAA audits is an internal self-assessment. While outside firms can be hired to conduct this assessment, it can also be performed by internal personnel. Key focus areas for 2015 audits have been identified and should be highlighted during your internal risk assessment: Security: device encryption, media controls, data transmission security protocols Privacy: safeguards, staff training (and day-to-day practice) on HIPAA policies and procedures
The OCR will be using a web portal for submitting your pre-audit survey data and to streamline audits. While the portal remains under development, physician practices should use the additional time to make sure the three tasks mentioned above are completed and documented. No CE or BA is exempt from a potential OCR privacy and security audit in the coming year. Physician practices need to know just as much as academic medical centers and integrated healthcare delivery systems about HIPAA compliance. The comparative cost of inadequate preparation simply isn’t worth the risk.
About the Author: Alisha R. Smith, RHIA, is the Health Information Management Compliance Educator for HealthPort Corporation in Alpharetta, Georgia. She has a Bachelor’s degree in Health Information Management from the Medical College of Georgia in Augusta, Georgia, and a diverse HIM background working in physician practices, insurance companies, and hospitals. She is active in the HIM community where she serves on the Health Informatics/Information Technology and Outreach/Alliance Builders workgroups and the program committee for the Tennessee Health Information Management Association, is the Past President for the Chattanooga Area Health Information Management Association, was a recipient of AHIMA’s merit leadership scholarship, and was recognized with the THIMA Rising Star award. She is also active with AHIMA on the Consumer Engagement Council, serves on Advance HIM Magazine’s Editorial Board, and is responsible for authored and co-authored publications.