You received a HIPAA audit notification, now what?

The Department of Health and Human Service (HHS) has announced that they will perform 150 HIPAA audits by the end of 2012. The chance of you getting audited is very small but what if you open up your mail one day and found a notice that your medical practice has been select to be audited?

This article details some of the reporting requirements that you will have to comply with. Some of the items include:

HIPAA Policies and Procedures

• A copy of HIPAA policies and procedures related to the disclosure of and safeguarding of PHI and specifically EPHI.
• A copy of the policies and procedures implemented to safeguard the Covered Entity’s (CE) facility and equipment.

Physical Safeguards

• Evidence of physical safeguards implemented for computing devices to restrict access to PHI.
• Business Associate Agreements and/or policies and procedures implemented to ensure Business Associates have implemented the appropriate safeguards (if applicable).

Risk Assessment

• A copy of the most recent risk assessment performed by or for the CE, per Security Rule requirements.
• Evidence of security awareness training for involved workforce members including training on workstation security.
• Evidence of the implementation of a mechanism to encrypt EPHI stored on the workstations.

The questions to ask yourself are these:

• Do you have all of the items that are being requested?
• Have you performed a risk assessment?
• Do you have policies and procedures for both the HIPAA Privacy and Security Rules?
• Have all business associates signed agreements?
• If the audit notice gives you less than one month to produce all this information will you be able to?

Most organizations would be in for a rude awakening if they received an audit notification. There really isn’t enough time to get all of these items in place if you don’t have them already. Being selected for a HIPAA audit is a frightening scenario, but not having the required HIPAA items in place already would make it even worse. Facing the possibility of public notice of security concerns or looking at very large fines is not very appealing to anyone.

Now is the time to start looking at your compliance program and ensuring that you have all of the required items completed. If nothing else it might help you sleep better at night!