2016 HIPAA Audits: What to Expect and How to Prepare

HIPAA-regulated healthcare organizations and business associates are under pressure to ensure they're prepared for the upcoming US Department of Health and Human Services Office for Civil Rights (OCR) audits. Selected health organizations will need to show their compliance with HIPAA security, privacy and breach notification requirements. This is the second phase of HIPAA auditing, but it still leaves many organizations uncertain of what it will mean for the performance of their business if they are selected. Many are concerned about the ramifications of not satisfying the audit requirements.

The OCR is set to review a selection of HIPAA covered entities which include small medical practices, midsize and large integrated delivery networks, and business associates. Those that are selected must provide documentation and details on their current processes, controls and policies to confirm they are in line with HIPAA requirements. The evaluation can be done in a few different ways. Some covered entities may be required to meet face-to-face with the third-party auditors selected by OCR, while others will be requested to provide all required documentation electronically and receive remote interactions.

Getting your organization ready for the potential audits is crucial. Here are some suggestions on what to expect and how to prep your organization.

What to expect:
The Department of Health and Human Services (HHS) has published the protocol to be used during HIPAA audits on its website. The quantity of listed requirements may seem overwhelming, especially for small to midsize physician practices.

How to prepare:
Take time to learn and understand what’s required of your organization by HIPAA. A third-party compliance consultant can help interpret some of the more complex HIPAA regulations and reduce stress on internal employees. By understanding what the guidelines are, an organization can then ensure they have prepped the proper documentation to prove their HIPAA-compliant status and, more importantly, taken steps to secure protected health information.

Potential challenges:
There are some critical processes and procedures that must be documented and reviewed to demonstrate how an organization is protecting patient data, from both administrative and technical standpoints. Large healthcare entities generally have dedicated security and compliance resources available to them.
Smaller medical groups are challenged by their lack of resources in comparison to their larger counterparts. Many smaller groups are aided by third-party technology vendors that may not have sufficient understanding of HIPAA protocols to establish that appropriate documentation is kept and staff members receive ample training.

Stay Ready:
Healthcare groups, business associates and covered entities should ensure that their ongoing HIPAA compliance efforts stay updated and in line with HHS and OCR requirements. Create a long-term, continuous plan, because even as their systems and industry regulations change, organizations must protect all of their patients' data. For those that have not recently evaluated their HIPAA compliance, it is highly recommended that they do so soon and make it a recurring task.

HIPAA covered entities should always be aware of their compliance status, not just when auditors are knocking at their door. HIPAA audits are here to stay, and this year is likely to be a preview of future rounds of audits in the next few years. While some are confident about facing their auditors, others will be forced to address gaps in their compliance and be hit with financial penalties. On top of the penalty, they will also have to pay to remedy the issues identified during the review process. In the meantime, all covered entities should pay close attention to what some of the groups audited before them have to say about their experience.