How to Survive a HIPAA Security Audit
Overview:
Your organization's focus should be protecting the privacy and security of PHI and reducing the probability of a breach. Passing an OCR audit should be the result of an effective compliance culture, not a goal in itself.
Here are things you can do to ensure you're prepared for HIPAA compliance, and in turn, are ready for an audit:
- Document your security, privacy and breach policies and review and update those policies periodically.
- Regularly perform a security risk analysis to find any vulnerable areas and create an action plan to fix these possible vulnerable areas.
- Update your risk analysis and risk management plans if they haven't been updated in 2+ years.
- Keep an organized archive of the business associates affiliated with your organization. Update your agreements with them when changes are made.
- Train your staff so they understand the importance of maintaining a culture of HIPAA compliance and know the required steps to take to protect the PHI your organization handles.
Why is OCR cracking down with its audits? According to David Holtzman, a former senior advisor at OCR, "the healthcare industry is a generation behind banking in safeguarding information." In 2013, the healthcare industry saw a 138% increase in the exposure of sensitive records, as well as a 20% increase in medical identification theft.
No one looks forward to an audit. Audits are time-consuming and can be uncomfortable to endure. But no one wants to experience a security breach either, and the effects of a breach are much worse to endure than an audit. If you're already HIPAA compliant, then you're already prepared to survive an OCR audit.
Why should you attend: In 2012, the Department of Health and Human Services Office for Civil Rights (OCR) conducted on-site pilot audits during the first round of its HIPAA compliance audit program. A consulting firm hired by OCR performed 115 pilot audits during that year. Starting at the end of this year or the beginning of 2015, OCR is resuming its HIPAA compliance audit program with a second round of audits - performed by OCR staff this time - that will address some of the security red flags OCR found during 2012.
This time around, OCR's random audit of 350 covered entities and 50 business associates will assess the selected organizations' compliance with the HIPAA privacy, security and breach notification rules. If you're a covered entity, OCR's focus is going to be on risk analysis and risk management (the security rule part), the content and timeliness of breach notifications (the breach notification rule part), and updates to your notice of privacy practices reflecting the HIPAA Omnibus Rule changes and individuals' access rights (the privacy rule part). If you're a business associate, the focus is on security risk analysis and risk management and on breach reporting to your covered entities.
A desk audit involves you submitting specific content and documentation demonstrating the scope and timeliness of your efforts to comply with HIPAA and its rules. Only send the information asked for, and send it on time! Auditors won't ask you for clarifications or for more information. They're only going to work with what they have and base their compliance decision on that. If you don't respond with a submission, you'll most likely receive a more formal review from OCR.
Areas Covered in the Session:
- Introduction to Speaker
- Industry events and trends
- Risk Management methodology
- HIPAA Basics
- Risk Analysis Documentation
- Progress Documentation
- Reporting Requirements
- The fire drill: what to do when the OCR letter arrives
- How the Meaningful Use and Figliozzi audit processes work
- Case studies
Who Will Benefit:
- HIPAA Privacy and Security Officers
- Business Associates & Subcontractors
- Healthcare Business Insurers
- Health Information Management Professionals
- Healthcare In-house Legal Counsel
- Healthcare Risk Managers
- EHR & PHR Vendors
- State and Federal Government Policymakers
- Healthcare Attorneys
- Healthcare Consultants
- Medical Records/Health Information Managers (HIM)
- Clinic Owners & Operations Managers