What do organizations need to know about privacy in a HIPAA audit?
A HIPAA audit covers privacy compliance, and organizations need to be prepared. Expert Mike Chapple discusses privacy in the audits.
The HHS Office for Civil Rights (OCR) plans to begin a random audit program this year to assess compliance with the HIPAA privacy, security and breach notification rules. What are the main takeaways from this new program? What should my organization be aware of in terms of HIPAA privacy compliance?
OCR plans to resume its HIPAA audit program later this year as a follow-on to a 2012 pilot program conducted by KPMG auditors. In this new program, OCR will select an undisclosed number of covered entities and business associates for HIPAA compliance audits.
The most important thing to know about the program is that the HIPAA audits will most likely be narrow in scope, focusing on a handful of specific issues OCR identifies as compliance problems. You might turn to the issues covered by recent HIPAA enforcement actions for some clues on audit subject matter. It would not be surprising to see audits focus on impermissible disclosures of protected health information, patient access to records and appropriate security controls.
Narrowing the scope of audits does allow OCR to cover a larger number of organizations, so expect audit notices to go out in greater quantities than during the pilot program. If you receive one of those notices, prepare just as you would for any other audit. Even if your HIPAA compliance program is already in good order, take a pass through your compliance plan and confirm that every control is still in place and documented.
Collect documentation in advance and be ready to provide quick answers to any auditor questions. The more put together your response is, the more likely the auditors will simply review your documentation and move on. An organization that struggles to provide answers and offers sloppy documentation is waving a red flag in front of the bull.